    Chinese Cyber Operatives Exploit Visual Studio Code in Southeast Asian Cyberattacks

    The notorious China-affiliated advanced persistent threat (APT) group, Mustang Panda, has been documented weaponizing Visual Studio Code as part of an espionage effort aimed at governmental bodies in Southeast Asia.

    According to Tom Fakterman, a researcher with Palo Alto Networks’ Unit 42, “This group employed Visual Studio Code’s built-in reverse shell feature to establish a stronghold within targeted networks.” Fakterman characterized it as a “relatively new strategy” first showcased by Truvis Thornton in September 2023.

    This campaign appears to be a continuation of an earlier attack against an unnamed Southeast Asian government, which occurred in late September 2023.

    Mustang Panda—also identified by aliases such as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich—has been active since 2012, conducting extensive cyber espionage against both government and religious organizations across Europe and Asia, with a particular focus on countries surrounding the South China Sea.

    The most recent offensive stands out due to its exploitation of Visual Studio Code’s reverse shell capabilities, enabling the execution of arbitrary code and the delivery of supplementary payloads.

    “As part of this nefarious operation, attackers may leverage either the portable version of code.exe, or an already installed variant,” Fakterman explained. “By initiating the command code.exe tunnel, attackers obtain a link that prompts them to log into GitHub using their own credentials.”

    After completing this login step, the adversary is redirected to a Visual Studio Code web interface, which is tethered to the compromised machine, granting them the ability to run commands or generate new files.
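    Added example, not code from Unit 42 or from the article: a small detection routine run over constructed Sysmon-style process-creation events that flags code.exe, whether a portable copy or an installed one, being started with the tunnel subcommand described above, and reports the parent process for triage. The field names (Image, CommandLine, ParentImage) and the sample events are assumptions.

```python
import re
from typing import Iterable

# Constructed process-creation events (Sysmon-style field names); not real telemetry.
SAMPLE_EVENTS = [
    # Normal interactive launch of the installed editor: must not match
    {"Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" --new-window',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Portable copy dropped outside Program Files and started from a shell
    {"Image": r"C:\Users\Public\vscode-portable\code.exe",
     "CommandLine": r'"C:\Users\Public\vscode-portable\code.exe" tunnel --accept-server-license-terms',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Already-installed copy, same subcommand, short path, different casing, no quoting
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r"C:\PROGRA~1\MICROS~1\Code.exe TUNNEL",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Unrelated binary with "tunnel" somewhere in its arguments: must not match
    {"Image": r"C:\Tools\ssh.exe",
     "CommandLine": r"ssh.exe -L 8080:localhost:80 tunnel.example.internal",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# First token is either a double-quoted path (may contain spaces) or a bare path.
_EXE_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))\s*(.*)$', re.DOTALL)

def split_command_line(cmdline: str):
    """Return (executable, [args]) for a Windows-style command line."""
    m = _EXE_TOKEN.match(cmdline)
    if not m:
        return "", []
    exe = m.group(1) if m.group(1) is not None else m.group(2)
    return exe, m.group(3).split()

def is_vscode_tunnel_launch(event: dict) -> bool:
    """True when code.exe (any path, any casing) is started with the 'tunnel' subcommand."""
    image = event.get("Image", "")
    if image.rsplit("\\", 1)[-1].lower() != "code.exe":
        return False
    _exe, args = split_command_line(event.get("CommandLine", ""))
    return bool(args) and args[0].lower() == "tunnel"

def detect_vscode_tunnel(events: Iterable[dict]) -> list:
    """One finding per tunnel launch; the parent process tells you who started it."""
    return [{"image": e["Image"], "parent": e["ParentImage"], "cmd": e["CommandLine"]}
            for e in events if is_vscode_tunnel_launch(e)]

if __name__ == "__main__":
    for f in detect_vscode_tunnel(SAMPLE_EVENTS):
        print(f"VS Code tunnel launched: {f['image']} (parent: {f['parent']})")
```

    A tunnel started by a shell rather than by the user's desktop session is the case worth escalating; a matching finding should be paired with the GitHub login step the article describes when scoping the intrusion.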

    This malicious method had previously been flagged by Dutch cybersecurity firm mnemonic in connection with a zero-day exploit targeting Check Point’s Network Security gateway products (CVE-2024-24919, CVSS score: 8.6) earlier in the year.

    Unit 42 noted that Mustang Panda used this mechanism to deploy malware, conduct reconnaissance, and siphon sensitive data. Additionally, the adversary employed OpenSSH to execute commands, move files, and propagate across the compromised network.

    Further scrutiny of the compromised environment revealed an additional cluster of malicious activity, occurring simultaneously and sometimes on the same endpoints. This secondary wave utilized the ShadowPad malware, a modular backdoor commonly deployed by Chinese cyber espionage groups.

    At present, it remains ambiguous whether these two incursion sets are linked or if separate groups are leveraging each other’s network access.

    “Judging by the forensic data and timing, one might infer that these two clusters stem from the same actor, potentially Stately Taurus,” Fakterman remarked. “However, alternative theories, such as a collaboration between multiple Chinese APT groups, cannot be ruled out.”
