Chinese hackers, specifically the Mustang Panda group, have been found exploiting Visual Studio Code in a series of cyberattacks targeting government entities in Southeast Asia. This new technique leverages the software's embedded reverse shell feature to gain unauthorized access and execute malicious activities.
Key Takeaways
Mustang Panda, a China-linked APT group, is behind the attacks.
Visual Studio Code's reverse shell feature is being weaponized.
The campaign targets government entities in Southeast Asia.
The attacks involve malware delivery, reconnaissance, and data exfiltration.
ShadowPad malware is also being used in the attacks.
Background on Mustang Panda
Mustang Panda, also known by various other names such as BASIN, Bronze President, and RedDelta, has been active since 2012. The group is notorious for its cyber espionage campaigns, primarily targeting government and religious entities across Europe and Asia, with a particular focus on countries in the South China Sea region.
The Attack Methodology
The latest attack sequence is notable for its abuse of Visual Studio Code's reverse shell feature. This technique allows attackers to execute arbitrary code and deliver additional payloads. The process involves using the portable version of code.exe or an already installed version of Visual Studio Code. By running the command , attackers receive a link that requires them to log into GitHub with their own account. Once logged in, they are redirected to a Visual Studio Code web environment connected to the infected machine, enabling them to run commands or create new files.
Broader Implications
This method of attack was previously highlighted by a Dutch cybersecurity firm in connection with a zero-day vulnerability in Check Point's Network Security gateway products. The Mustang Panda group has leveraged this mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data. Additionally, they have used OpenSSH to execute commands, transfer files, and spread across the network.
ShadowPad Malware Involvement
A closer analysis of the infected environment revealed a second cluster of activity involving the ShadowPad malware, a modular backdoor widely used by Chinese espionage groups. It remains unclear if these two intrusion sets are related or if different groups are piggybacking on each other's access. Forensic evidence suggests that these clusters may originate from the same threat actor, possibly indicating a collaborative effort between two Chinese APT groups.
The exploitation of Visual Studio Code by Mustang Panda underscores the evolving tactics of cyber espionage groups. As these threat actors continue to innovate, it is crucial for organizations to stay vigilant and adopt robust cybersecurity measures to protect their networks and sensitive information.
In today's digital age, protecting your business from cyber threats is more important than ever. BetterWorld Technology's cybersecurity experts are dedicated to safeguarding your data and infrastructure with comprehensive, tailored solutions. Whether you need proactive monitoring, threat assessment, or incident response, we have the expertise to keep your business secure. Book a consultation with us now and take the first step toward fortifying your cybersecurity defenses with BetterWorld Technology.
Sources
Chinese Hackers Exploit Visual Studio Code in Southeast Asian Cyberattacks, The Hacker News.