The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code as part of espionage operations targeting government entities in Southeast Asia.
"This threat actor used the built-in reverse shell functionality of Visual Studio Code to gain a foothold in the target networks," Tom Fakterman, a researcher at Palo Alto Networks' Unit 42, said in a report, describing it as a "relatively new technique" that was first demonstrated in September 2023 by Truvis Thornton.
The activity is assessed to be a continuation of a previously documented attack targeting an unnamed Southeast Asian government entity in late September 2023.
Mustang Panda, also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta and Red Lich, has been active since 2012, conducting regular cyber espionage campaigns against government and religious organizations across Europe and Asia, particularly those in countries bordering the South China Sea.
The latest observed attack chain abuses a Visual Studio Code reverse shell to execute arbitrary code and deliver additional payloads.
"To abuse Visual Studio Code for malicious purposes, an attacker can use the portable version of code.exe (the executable file for Visual Studio Code) or an already installed version of the software," Fakterman noted. "By running the command code.exe tunnel, an attacker receives a link that requires them to log in to GitHub with their own account."
Once that step is completed, the attacker is redirected to a Visual Studio Code web environment connected to the infected machine, from which they can run commands or create new files.
It is worth noting that malicious use of this technique was previously highlighted by Norwegian cybersecurity firm mnemonic in connection with the exploitation of a then-zero-day vulnerability in Check Point's network security gateway products (CVE-2024-24919, CVSS score: 8.6) earlier this year.
Unit 42 said Mustang Panda used the mechanism to deliver malware, conduct reconnaissance and exfiltrate sensitive data. The attacker is also said to have used OpenSSH to execute commands, transfer files and move laterally across the network.
That's not all. Closer analysis of the infected environment revealed a second cluster of activity that "occurs simultaneously and sometimes even on the same endpoints" and uses ShadowPad, a modular backdoor widely used by Chinese espionage groups.
It is currently unclear whether the two intrusion sets are related to each other, or whether two different groups are "piggybacking on each other's access."
"Based on the forensic evidence and the telemetry, it was possible to conclude that these two clusters came from the same threat actor (Stately Taurus)," Fakterman said. "However, there may be other possible explanations for this connection, such as a collaborative effort between two Chinese APT threat actors."