The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia.
“This threat actor used Visual Studio Code’s embedded reverse shell feature to gain a foothold in target networks,” Palo Alto Networks Unit 42 researcher Tom Fakterman said in a report, describing it as a “relatively new technique” that was first demonstrated in September 2023 by Truvis Thornton.
The campaign is assessed to be a continuation of a previously documented attack activity aimed at an unnamed Southeast Asian government entity in late September 2023.
Mustang Panda, also known by the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich, has been operational since 2012, routinely conducting cyber espionage campaigns targeting government and religious entities across Europe and Asia, particularly those located in South China Sea countries.
The latest observed attack sequence is notable for its abuse of Visual Studio Code’s reverse shell to execute arbitrary code and deliver additional payloads.
“To abuse Visual Studio Code for malicious purposes, an attacker can use the portable version of code.exe (the executable file for Visual Studio Code), or an already installed version of the software,” Fakterman noted. “By running the command code.exe tunnel, an attacker receives a link that requires them to log into GitHub with their own account.”
Once this step is complete, the attacker is redirected to a Visual Studio Code web environment that’s connected to the infected machine, allowing them to run commands or create new files.
It’s worth pointing out that the malicious use of this technique was previously highlighted by Dutch cybersecurity firm mnemonic in connection with zero-day exploitation of a vulnerability in Check Point’s Network Security gateway products (CVE-2024-24919, CVSS score: 8.6) earlier this year.
Unit 42 said the Mustang Panda actor leveraged the mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data. Furthermore, the attacker is said to have used OpenSSH to execute commands, transfer files, and spread across the network.
That’s not all. A closer analysis of the infected environment has revealed a second cluster of activity “occurring simultaneously and at times even on the same endpoints” that utilized the ShadowPad malware, a modular backdoor widely shared by Chinese espionage groups.
It’s currently unclear if these two intrusion sets are related to one another, or if two different groups are “piggybacking on each other’s access.”
“Based on the forensic evidence and timeline, one could conclude that these two clusters originated from the same threat actor (Stately Taurus),” Fakterman said. “However, there could be other possible explanations that can account for this connection, such as a collaborative effort between two Chinese APT threat actors.”
