Sep 09, 2024 | Ravie Lakshmanan
Cyber Espionage / Malware
The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia.
“This threat actor used Visual Studio Code’s embedded reverse shell feature to gain a foothold in target networks,” Palo Alto Networks Unit 42 researcher Tom Fakterman said in a report, describing it as a “relatively new technique” that was first demonstrated in September 2023 by Truvis Thornton.
The campaign is assessed to be a continuation of previously documented attack activity aimed at an unnamed Southeast Asian government entity in late September 2023.
Mustang Panda, also known by the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich, has been operational since 2012, routinely conducting cyber espionage campaigns targeting government and religious entities across Europe and Asia, particularly those located in South China Sea countries.
The latest observed attack sequence is notable for its abuse of Visual Studio Code’s reverse shell to execute arbitrary code and deliver additional payloads.
Once the reverse shell is established, the attacker is redirected to a Visual Studio Code web environment that is connected to the infected machine, allowing them to run commands or create new files.
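The foothold described above is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the Unit 42 report or this article; it assumes the reverse shell is set up through VS Code's `tunnel` CLI subcommand (the Remote Tunnels feature), which the article does not name, and the log lines it scans are constructed.

```python
from dataclasses import dataclass
import ntpath

# Constructed process-creation records (timestamp|host|user|image|command line).
# Not real telemetry; they only illustrate the shape a detection would consume.
SAMPLE_LOG = r"""
2024-09-01T10:01:00Z|WS01|CORP\alice|C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe|"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" --unity-launch
2024-09-01T10:07:13Z|WS01|CORP\alice|C:\Users\Public\code.exe|code.exe tunnel --accept-server-license-terms --name ws01
2024-09-01T10:09:40Z|SRV02|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2024-09-01T10:12:05Z|SRV02|CORP\svc_backup|C:\Program Files\Microsoft VS Code\Code.exe|"C:\Program Files\Microsoft VS Code\Code.exe" tunnel service install
"""

# Image names used by the VS Code CLI on Windows and Linux (assumption: installs
# under other names, e.g. renamed copies, would need an additional hash-based check).
VSCODE_BINARIES = {"code.exe", "code"}


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    image: str
    reason: str


def _args_after_image(cmdline: str) -> list[str]:
    """Drop the (possibly quoted) program token and return the remaining arguments."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.split()


def find_vscode_tunnel_launches(log_text: str) -> list[Finding]:
    """Flag VS Code processes started with the 'tunnel' subcommand."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("|", 4)
        if ntpath.basename(image).lower() not in VSCODE_BINARIES:
            continue
        args = [a.lower() for a in _args_after_image(cmdline)]
        if not args or args[0] != "tunnel":
            continue
        reason = "vscode tunnel launched"
        if args[1:3] == ["service", "install"]:
            reason = "vscode tunnel installed as a service (persistence)"
        # Heuristic: a copy of the CLI outside the normal install directory is a stronger signal.
        if "microsoft vs code" not in image.lower():
            reason += "; binary outside the usual install directory"
        findings.append(Finding(ts, host, user, image, reason))
    return findings
```

Tunnel launches by developers who legitimately use Remote Tunnels will match too, so the output is a hunting lead to be baselined per host and user, not a verdict.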
That’s not all. A closer analysis of the infected environment has revealed a second cluster of activity “occurring simultaneously and at times even on the same endpoints” that utilized the ShadowPad malware, a modular backdoor widely shared by Chinese espionage groups.
It’s currently unclear if these two intrusion sets are related to one another, or if two different groups are “piggybacking on each other’s access.”
“Based on the forensic evidence and timeline, one could conclude that these two clusters originated from the same threat actor (Stately Taurus),” Fakterman said. “However, there could be other possible explanations that can account for this connection, such as a collaborative effort between two Chinese APT threat actors.”