Chinese Hackers Exploit Visual Studio Code in Southeast Asian Cyberattacks

Sep 09, 2024 | Ravie Lakshmanan | Cyber Espionage / Malware


The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia.

“This threat actor used Visual Studio Code’s embedded reverse shell feature to gain a foothold in target networks,” Palo Alto Networks Unit 42 researcher Tom Fakterman said in a report, describing it as a “relatively new technique” that was first demonstrated in September 2023 by Truvis Thornton.

The campaign is assessed to be a continuation of previously documented attack activity aimed at an unnamed Southeast Asian government entity in late September 2023.


Mustang Panda, also known by the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich, has been operational since 2012, routinely conducting cyber espionage campaigns targeting government and religious entities across Europe and Asia, particularly those located in South China Sea countries.

The latest observed attack sequence is notable for its abuse of Visual Studio Code’s reverse shell to execute arbitrary code and deliver additional payloads.

“To abuse Visual Studio Code for malicious purposes, an attacker can use the portable version of code.exe (the executable file for Visual Studio Code), or an already installed version of the software,” Fakterman noted. “By running the command code.exe tunnel, an attacker receives a link that requires them to log into GitHub with their own account.”


Once this step is complete, the attacker is redirected to a Visual Studio Code web environment that is connected to the infected machine, allowing them to run commands or create new files.
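The launch described above leaves a process-creation trail that defenders can look for. The following is an added example, not code from Unit 42 or the article: a small Python detector that flags a `code.exe tunnel` command line and notes whether the binary ran from an expected install path or from elsewhere (a portable copy). The event layout, the expected install paths and the sample events are constructed assumptions.

```python
import fnmatch
import ntpath
import shlex

# Paths where a managed VS Code install is expected (assumption: tune to your estate);
# a tunnel started from anywhere else is treated as a portable or unexpected copy.
EXPECTED_IMAGE_GLOBS = (
    r"c:\program files\microsoft vs code\code.exe",
    r"c:\users\*\appdata\local\programs\microsoft vs code\code.exe",
)
VSCODE_NAMES = {"code", "code.exe", "code.cmd"}

# Constructed sample process-creation events (image path + command line), loosely
# modelled on the fields a Sysmon Event ID 1 or Windows 4688 record carries.
INSTALLED = r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe"
SAMPLE_EVENTS = [
    {"image": INSTALLED, "cmdline": f'"{INSTALLED}" C:\\proj'},          # normal editor launch
    {"image": r"C:\Users\Public\vscode\code.exe",                        # portable copy
     "cmdline": r"C:\Users\Public\vscode\code.exe tunnel"},
    {"image": INSTALLED, "cmdline": f'"{INSTALLED}" tunnel'},           # tunnel from real install
    {"image": INSTALLED, "cmdline": f'"{INSTALLED}" C:\\src\\tunnel'},  # folder named tunnel
]


def _tokens(cmdline):
    """Split a Windows command line; posix=False keeps backslashes literal."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def detect_vscode_tunnel(event):
    """Return a finding dict if the event launches the VS Code tunnel, else None."""
    toks = _tokens(event["cmdline"])
    for i, tok in enumerate(toks):
        if ntpath.basename(tok).lower() not in VSCODE_NAMES:
            continue
        # 'tunnel' must be a standalone argument, so opening a folder whose
        # name happens to be 'tunnel' does not trigger the rule.
        if "tunnel" in (t.lower() for t in toks[i + 1:]):
            image = event["image"].lower()
            expected = any(fnmatch.fnmatchcase(image, g) for g in EXPECTED_IMAGE_GLOBS)
            return {"rule": "vscode_tunnel_launch", "image": event["image"],
                    "portable_or_unexpected_path": not expected}
    return None


def scan(events):
    """Run the detector over a batch of events and keep only the findings."""
    return [f for f in map(detect_vscode_tunnel, events) if f]
```

A tunnel launched from the genuine install still warrants a ticket; the path flag only helps prioritise, since the article notes the actor may use either a portable or an already installed copy.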

It’s worth pointing out that the malicious use of this technique was previously highlighted by Dutch cybersecurity firm mnemonic in connection with zero-day exploitation of a vulnerability in Check Point’s Network Security gateway products (CVE-2024-24919, CVSS score: 8.6) earlier this year.

Unit 42 said the Mustang Panda actor leveraged the mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data. Additionally, the attacker is said to have used OpenSSH to execute commands, transfer files, and spread across the network.


That’s not all. A closer analysis of the infected environment has revealed a second cluster of activity “occurring simultaneously and at times even on the same endpoints” that utilized the ShadowPad malware, a modular backdoor widely shared by Chinese espionage groups.

It’s currently unclear if these two intrusion sets are related to one another, or if two different groups are “piggybacking on each other’s access.”

“Based on the forensic evidence and timeline, one could conclude that these two clusters originated from the same threat actor (Stately Taurus),” Fakterman said. “However, there could be other possible explanations that could account for this connection, such as a collaborative effort between two Chinese APT threat actors.”
