Chinese APT Group Mustang Panda Exploits Visual Studio Code in Southeast Asian Cyberattacks
September 9, 2024
Mustang Panda, a China-linked advanced persistent threat (APT) group, has been found to be using Visual Studio Code software in its cyberattacks against government entities in Southeast Asia. According to a report by Tom Fakterman, a researcher at Palo Alto Networks' Unit 42, the threat actor has exploited Visual Studio Code's reverse shell feature to infiltrate target networks. This is a relatively new technique, first demonstrated in September 2023.
The campaign is believed to be a continuation of previous attack activities targeting an unnamed Southeast Asian government entity in late September 2023. Mustang Panda, also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich, has been active since 2012, regularly conducting cyber espionage campaigns against government and religious entities in Europe and Asia, especially in South China Sea countries.
The recent attack sequence is significant because it misuses Visual Studio Code's reverse shell to execute arbitrary code and deliver additional payloads. Fakterman noted that an attacker can use either the portable version of code.exe (the Visual Studio Code executable) or an already installed copy of the software for this purpose. By running the command code.exe tunnel, the attacker receives a link that requires them to log into GitHub with their own account. Once this step is completed, the attacker is redirected to a Visual Studio Code web environment connected to the infected machine, from which they can run commands or create new files.
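Because the technique relies on the legitimate code.exe binary, the most direct detection is on the command line rather than on the file itself. The following script is an added example (not code from the article or from Unit 42) that scans constructed, Sysmon-style process-creation events and flags any code.exe launch whose first argument is the tunnel subcommand. The field names (Image, CommandLine, ParentImage, User), the list of standard install directories, and the sample events are assumptions to adapt to your own telemetry; the flags shown and the code tunnel service install persistence form are VS Code CLI options that the article does not itself mention.

```python
"""Flag Visual Studio Code launches that start a remote tunnel (code.exe tunnel).

Added example, not the article's or Unit 42's code. Events are constructed
Sysmon-style dicts; adjust field names to match your own telemetry source.
"""
import ntpath
from typing import Dict, Iterable, List, Optional

# Directories where a sanctioned VS Code install normally lives (assumption;
# tune to your estate). A code.exe outside these is treated as a portable copy,
# which the article notes attackers can drop themselves.
KNOWN_INSTALL_DIRS = (
    r"c:\program files\microsoft vs code",
    r"c:\program files (x86)\microsoft vs code",
    r"\appdata\local\programs\microsoft vs code",
)

# Constructed sample events: two tunnel launches, two benign launches, one
# ordinary process. None of these come from real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\code.exe",
     "CommandLine": "code.exe tunnel --accept-server-license-terms --name corp-laptop",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\bob"},
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\proj\main.py',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" tunnel service install',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\svc-build"},
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r"Code.exe C:\work\tunnel",  # a folder named "tunnel", not the subcommand
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\bob"},
]


def _args_after_exe(cmdline: str) -> List[str]:
    """Return lowercased argument tokens that follow the executable token.

    Handles both a quoted executable path containing spaces and a bare one, so
    that the subcommand check below always looks at the first real argument.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.lower().split()


def classify_event(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a code.exe tunnel launch, or None for anything else."""
    image = ev.get("Image", "")
    if ntpath.basename(image).lower() != "code.exe":
        return None
    args = _args_after_exe(ev.get("CommandLine", ""))
    # Only the subcommand position counts: "code tunnel" is the trigger, while
    # "code C:\work\tunnel" is just a folder being opened in the editor.
    if not args or args[0] != "tunnel":
        return None
    finding: Dict[str, object] = {
        "user": ev.get("User", ""),
        "image": image,
        "parent": ev.get("ParentImage", ""),
        "severity": "high",
        "reason": "code.exe started a VS Code remote tunnel (code tunnel)",
        # Portable copy: binary not under a sanctioned install directory.
        "portable_copy": not any(d in image.lower() for d in KNOWN_INSTALL_DIRS),
    }
    if args[1:3] == ["service", "install"]:
        finding["severity"] = "critical"
        finding["reason"] = "VS Code tunnel registered as a Windows service (persistence)"
    return finding


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify_event over a stream of events and keep the findings."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']}: {f['reason']} "
              f"(image={f['image']}, portable={f['portable_copy']}, parent={f['parent']})")
```

In production the same rule maps naturally onto a SIEM query over process-creation events (Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled); the interesting enrichment is the parent process and the user, since a tunnel launched from a shell under a service or build account is rarely legitimate. The GitHub device-login step the article describes also leaves a network trace, so pairing this rule with egress monitoring for the tunnel service endpoints is a reasonable second layer.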
It should be noted that the harmful use of this technique was previously highlighted by the Dutch cybersecurity firm mnemonic in connection with zero-day exploitation of a vulnerability in Check Point's Network Security gateway products (CVE-2024-24919, CVSS score: 8.6) earlier this year. Unit 42 stated that the Mustang Panda actor used the mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data. Additionally, the attacker reportedly used OpenSSH to execute commands, transfer files, and move laterally across the network.
A detailed analysis of the infected environment revealed a second cluster of activity, occurring simultaneously and sometimes on the same endpoints, that used the ShadowPad malware, a modular backdoor commonly used by Chinese espionage groups. It remains unclear whether these two intrusion sets are related, or whether two different groups are exploiting each other's access. Fakterman suggested that, based on the forensic evidence and timeline, one could conclude that both clusters originated from the same threat actor (Stately Taurus, Unit 42's name for Mustang Panda). However, there could be other explanations, such as a collaborative effort between two Chinese APT threat actors.