Chinese Cybercriminals Exploit Visual Studio Code in Hacking Activities Across Southeast Asia
An APT group connected to China, identified as Mustang Panda, has been seen exploiting Visual Studio Code software in espionage campaigns aimed at governmental organizations in Southeast Asia.
“The actors from this threat group utilized Visual Studio Code’s built-in reverse shell functionality to establish a presence in the targeted networks,” Palo Alto Networks Unit 42 researcher Tom Fakterman noted in a report. The researcher characterized this as a “fairly recent method” that was first showcased in September 2023 by Truvis Thornton.
This campaign is believed to be a continuation of a previously reported attack on an unspecified Southeast Asian government entity in late September 2023.
Mustang Panda, which is also known by aliases such as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich, has been active since 2012, frequently carrying out cyber espionage operations against governmental and religious entities in Europe and Asia, especially those situated in countries bordering the South China Sea.
The recent attack scenario is noteworthy for its exploitation of Visual Studio Code’s reverse shell for the execution of malicious code and delivery of additional payloads.
“To misuse Visual Studio Code for malicious ends, an attacker can utilize the standalone version of code.exe (the program file for Visual Studio Code), or an already installed edition of the software,” Fakterman explained. “By running the command code.exe tunnel, an attacker is provided with a link that prompts them to sign in to GitHub with their own account.”
Upon completion of this process, the attacker is directed to a Visual Studio Code web interface linked to the compromised system, enabling them to issue commands or create new files.
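A defender reading the description above will want telemetry that catches the two observable steps: code.exe launched with the tunnel subcommand, and command shells spawned by code.exe once the remote web interface is in use. The following is an added detection example, not code from Unit 42 or the article; the event lines and their field names are constructed to resemble a simplified process-creation log, not any real product schema.

```python
import json

# Constructed process-creation events (assumed field names: host, image, cmdline, parent).
SAMPLE_EVENTS = [
    r'{"host":"ws01","image":"C:\\Program Files\\Microsoft VS Code\\Code.exe","cmdline":"Code.exe --folder-uri file:///C:/repo","parent":"explorer.exe"}',
    r'{"host":"ws02","image":"C:\\Users\\Public\\code.exe","cmdline":"code.exe tunnel","parent":"cmd.exe"}',
    r'{"host":"ws03","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami","parent":"code.exe"}',
    r'{"host":"ws04","image":"C:\\Program Files\\Microsoft VS Code\\Code.exe","cmdline":"Code.exe tunnel service install","parent":"powershell.exe"}',
]

# Interpreters a remote VS Code session would use to "issue commands" on the host.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe", "sh.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name regardless of Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the detection labels that apply to one process-creation event."""
    findings = []
    image = _basename(event.get("image", ""))
    parent = _basename(event.get("parent", ""))
    # Step 1: code.exe started with the `tunnel` subcommand (any position after argv[0]).
    if image == "code.exe":
        args = event.get("cmdline", "").split()[1:]
        if any(arg.lower() == "tunnel" for arg in args):
            findings.append("vscode_tunnel_started")
    # Step 2: a shell whose parent is code.exe, consistent with commands issued via the tunnel.
    if parent == "code.exe" and image in SHELLS:
        findings.append("shell_spawned_by_vscode")
    return findings


def classify_line(line: str) -> list:
    """Convenience wrapper: parse one JSON event line and classify it."""
    return classify(json.loads(line))


def scan(lines) -> dict:
    """Map host -> findings for every event line that triggers at least one label."""
    hits = {}
    for line in lines:
        event = json.loads(line)
        findings = classify(event)
        if findings:
            hits[event["host"]] = findings
    return hits


if __name__ == "__main__":
    for host, labels in scan(SAMPLE_EVENTS).items():
        print(host, labels)
```

The benign ws01 launch is not flagged, which is the point: the tunnel subcommand and the code.exe-to-shell parent relationship are the signals, not VS Code itself.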
Notably, the misuse of this technique was previously highlighted by the Dutch cybersecurity company mnemonic in connection with the exploitation of a zero-day vulnerability in Check Point’s Network Security gateway products (CVE-2024-24919, CVSS score: 8.6) earlier this year.
Unit 42 noted that the Mustang Panda actor leveraged this method to deliver malware, carry out reconnaissance, and exfiltrate sensitive data. The attacker is also known to have used OpenSSH to send commands, transfer files, and move laterally within the network.

This is not the end of the story. An in-depth examination of the compromised environment has unveiled a separate set of activities “happening concurrently and sometimes even on the same devices” employing the ShadowPad malware, a versatile backdoor widely utilized by Chinese cyber espionage outfits.
At present, it remains uncertain if these two breach instances are linked or if distinct groups are “taking advantage of each other’s access.”
“Considering the forensic data and timeline, one might infer that these two clusters originated from the same threat actor (Stately Taurus),” Fakterman stated. “However, alternative explanations exist that could explain this correlation, like potential collaboration between two Chinese APT threat actors.”