The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia.
"This threat actor used Visual Studio Code's embedded reverse shell feature to gain a foothold in target networks," Palo Alto Networks Unit 42 researcher Tom Fakterman said in a report, describing it as a "relatively new technique" that was first demonstrated in September 2023 by Truvis Thornton.
The campaign is assessed to be a continuation of previously documented attack activity aimed at an unnamed Southeast Asian government entity in late September 2023.
Mustang Panda, also known by the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich, has been operational since 2012, routinely conducting cyber espionage campaigns targeting government and religious entities across Europe and Asia, particularly those located in South China Sea countries.
The latest observed attack sequence is notable for its abuse of Visual Studio Code's reverse shell to execute arbitrary code and deliver additional payloads.
"To abuse Visual Studio Code for malicious purposes, an attacker can use the portable version of code.exe (the executable file for Visual Studio Code), or an already installed version of the software," Fakterman noted. "By running the command code.exe tunnel, an attacker receives a link that requires them to log into GitHub with their own account."
Once this step is complete, the attacker is redirected to a Visual Studio Code web environment that is connected to the infected machine, allowing them to run commands or create new files.
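Because the technique rides on a legitimate, signed binary, the most direct defensive signal is the process-creation event itself: a VS Code executable launched with the `tunnel` subcommand, especially from a path where no managed install lives. The following detection logic is an added example written for this article; it is not code from the Unit 42 report or from Microsoft. The JSON-lines log format, the host names, users and paths are all constructed for the demonstration, and the binary names other than `code.exe` (namely `code` and `code-tunnel.exe`) come from my own knowledge of the VS Code layout rather than from the article.

```python
import json
import ntpath
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of process-creation records as JSON lines. The schema is
# hypothetical (not any vendor's export); only "image" and "cmdline" are used
# for the decision, the rest is carried through for the analyst.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2024-09-09T08:12:03Z", "host": "WS-017", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" --folder-uri file:///C:/src'},
    {"ts": "2024-09-09T08:14:51Z", "host": "WS-017", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\vscode-portable\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms"},
    {"ts": "2024-09-09T08:15:10Z", "host": "SRV-04", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2024-09-09T08:20:44Z", "host": "SRV-04", "user": "CORP\\svc_backup",
     "image": r"C:\Temp\vscode\code.exe",
     "cmdline": r'"C:\Temp\vscode\code.exe" tunnel service install --name srv04'},
])

# Executable names the VS Code CLI ships under. "code.exe" is the one named in
# the report; "code" and "code-tunnel.exe" are added from my own knowledge of
# the product layout (assumption, verify against your own installs).
VSCODE_BINARIES = {"code.exe", "code", "code-tunnel.exe", "code-tunnel"}

# Where a managed VS Code install normally lives (per-machine and per-user).
# A tunnel started from anywhere else matches the portable-copy pattern the
# report describes. Adjust to your estate's packaging.
INSTALL_ROOTS = (
    r"c:\program files\microsoft vs code",
    r"\appdata\local\programs\microsoft vs code",
)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    image: str
    severity: str
    reason: str


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Tokenize a Windows command line: honour double quotes, keep backslashes literal."""
    tokens = shlex.split(cmdline, posix=False)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in tokens]


def classify(record: dict) -> Optional[Finding]:
    """Return a Finding if the record is a VS Code tunnel launch, else None."""
    image = record.get("image", "")
    if ntpath.basename(image).lower() not in VSCODE_BINARIES:
        return None
    argv = split_windows_cmdline(record.get("cmdline", ""))
    # The CLI subcommand is the first non-option token after argv[0].
    positional = [(i, t) for i, t in enumerate(argv) if i > 0 and not t.startswith("-")]
    if not positional or positional[0][1].lower() != "tunnel":
        return None
    trailing = [t.lower() for _, t in positional[1:]]
    # "tunnel service install" registers the tunnel as a service, so the
    # foothold survives reboots; rank it above a one-off interactive tunnel.
    if "service" in trailing:
        severity, reason = "high", "VS Code tunnel installed as a persistent service"
    else:
        severity, reason = "medium", "VS Code tunnel started (remote shell via vscode.dev)"
    if not any(root in image.lower() for root in INSTALL_ROOTS):
        reason += "; binary runs from a non-standard path (portable copy?)"
    return Finding(record.get("ts", ""), record.get("host", ""),
                   record.get("user", ""), image, severity, reason)


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every JSON line and collect the hits in log order."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            hit = classify(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.host} {f.user}: {f.reason} ({f.image})")
```

Two of the four constructed records fire: the portable `code.exe tunnel` on the workstation at medium severity and the `tunnel service install` on the server at high severity, while the ordinary editor launch and `svchost.exe` are ignored. The check keys on the binary name, so a renamed copy slips past it; in practice this rule is paired with outbound-connection telemetry to the tunnel service endpoints (Microsoft's dev tunnels domains, as I understand the documented endpoints) and with the GitHub login the report says the operator must complete.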
It's worth mentioning that the malicious use of this technique was previously highlighted by Dutch cybersecurity firm mnemonic in connection with zero-day exploitation of a vulnerability in Check Point's Network Security gateway products (CVE-2024-24919, CVSS score: 8.6) earlier this year.
Unit 42 said the Mustang Panda actor leveraged the mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data. Additionally, the attacker is said to have used OpenSSH to execute commands, transfer files, and spread across the network.
That's not all. A closer analysis of the infected environment has revealed a second cluster of activity "occurring simultaneously and at times even on the same endpoints" that utilized the ShadowPad malware, a modular backdoor widely shared by Chinese espionage groups.
It's currently unclear if these two intrusion sets are related to one another, or if two different groups are "piggybacking on each other's access."
"Based on the forensic evidence and timeline, one could conclude that these two clusters originated from the same threat actor (Stately Taurus)," Fakterman said. "However, there could be other potential explanations that could account for this connection, such as a collaborative effort between two Chinese APT threat actors."