
Chinese Hackers Exploit Visual Studio Code in Southeast Asian Cyberattacks

The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed abusing Visual Studio Code as part of espionage operations targeting government agencies in Southeast Asia.

"This threat actor used Visual Studio Code's embedded reverse shell feature to gain a foothold in target networks," Palo Alto Networks Unit 42 researcher Tom Fakterman stated in a paper, characterizing it as a "relatively new technique" that was originally presented in September 2023 by Truvis Thornton.

The campaign is assessed to be a continuation of previously reported attack activity aimed at an unnamed Southeast Asian government entity in late September 2023.

Mustang Panda, also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich (and tracked by Unit 42 as Stately Taurus), has been active since 2012, routinely conducting cyber espionage campaigns against government and religious entities across Europe and Asia, particularly those located in South China Sea countries.

The newly discovered attack chain is notable for its abuse of Visual Studio Code's Remote Tunnels feature as a reverse shell, giving the attacker arbitrary code execution on the victim host and a channel for delivering additional payloads.

"To abuse Visual Studio Code for malicious purposes, an attacker can use the portable version of code.exe (the executable file for Visual Studio Code), or an already installed version of the software," Fakterman stated. "By running the command code.exe tunnel, an attacker receives a link that requires them to log into GitHub with their own account."

Once that step is complete, the attacker is redirected to a browser-based Visual Studio Code environment (vscode.dev) that is connected to the infected machine, from which they can run commands or create new files.
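The sequence above leaves two kinds of telemetry behind: a process-creation event for the VS Code CLI started with the tunnel subcommand (from the installed binary, a dropped portable copy, or a renamed copy), and DNS lookups of the tunnel relay service. As an added example, not code from the Unit 42 report or this article, the following Python scans Sysmon-style events for both and groups them per host. The events are constructed for this example; the field names follow Sysmon's ProcessCreate/DnsQuery conventions, and the relay domain suffixes and default install directories are assumptions you should check against your own egress logs and software inventory.

```python
"""Detect Visual Studio Code tunnel abuse in endpoint telemetry.

Added example (not from Unit 42 or the article). Events are constructed;
relay domains and install paths are assumptions to verify locally.
"""
import re
from dataclasses import dataclass

# Relay domains the VS Code CLI contacts when a tunnel is registered/used.
# Assumption: the publicly documented suffixes at the time of writing.
TUNNEL_DOMAIN_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")

# Where a legitimately installed Code.exe normally lives (assumption).
KNOWN_INSTALL_DIRS = ("\\program files\\microsoft vs code\\",
                      "\\appdata\\local\\programs\\microsoft vs code\\")

# Flags that appear when the tunnel is set up non-interactively.
HEADLESS_FLAGS = ("--accept-server-license-terms", "--name")

# `code tunnel`, `code.exe tunnel`, or a quoted path ending in Code.exe.
TUNNEL_CMD_RE = re.compile(r'\bcode(?:\.exe)?"?\s+tunnel\b', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str      # "process" or "dns"
    reason: str
    evidence: str


def classify_process(ev):
    """Return a Finding if a process-creation event starts a VS Code tunnel."""
    cmd = ev.get("CommandLine", "")
    image = ev.get("Image", "").lower()
    orig = ev.get("OriginalFileName", "").lower()   # from PE version info
    tokens = [t.lower() for t in re.split(r"\s+", cmd.strip())]
    # A renamed copy hides "code" from the command line but not from the PE
    # metadata, so accept the command-line pattern or OriginalFileName+tunnel.
    renamed_hit = orig == "code.exe" and "tunnel" in tokens[1:]
    if not (TUNNEL_CMD_RE.search(cmd) or renamed_hit):
        return None
    reasons = ["VS Code tunnel subcommand"]
    if orig == "code.exe" and not image.endswith("\\code.exe"):
        reasons.append(f"renamed binary ({image})")
    elif image.endswith("\\code.exe") and not any(d in image for d in KNOWN_INSTALL_DIRS):
        reasons.append("copy outside the usual install directories")
    if any(flag in cmd for flag in HEADLESS_FLAGS):
        reasons.append("non-interactive flags")
    if "service" in tokens:
        reasons.append("installed as a service (persistence)")
    return Finding(ev.get("Computer", "?"), "process", "; ".join(reasons), cmd)


def classify_dns(ev):
    """Return a Finding if a DNS event resolves the tunnel relay service."""
    name = ev.get("QueryName", "").lower()
    if any(name.endswith(s) for s in TUNNEL_DOMAIN_SUFFIXES):
        return Finding(ev.get("Computer", "?"), "dns", "tunnel relay lookup", name)
    return None


def scan(events):
    """Run both classifiers over a mixed event stream and collect findings."""
    out = []
    for ev in events:
        f = classify_process(ev) if ev.get("EventType") == "ProcessCreate" else classify_dns(ev)
        if f:
            out.append(f)
    return out


def hosts_to_triage(events):
    """Map host -> confidence: process and DNS evidence together is 'confirmed',
    process alone is 'suspected', relay traffic alone is 'network-only'."""
    findings = scan(events)
    proc = {f.host for f in findings if f.kind == "process"}
    dns = {f.host for f in findings if f.kind == "dns"}
    return {h: ("confirmed" if h in proc and h in dns else
                "suspected" if h in proc else "network-only") for h in proc | dns}


SAMPLE_EVENTS = [  # constructed for this example
    {"EventType": "ProcessCreate", "Computer": "DEV01",
     "Image": r"C:\Users\ana\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "OriginalFileName": "Code.exe",
     "CommandLine": r'"C:\Users\ana\AppData\Local\Programs\Microsoft VS Code\Code.exe" --new-window'},
    {"EventType": "DnsQuery", "Computer": "DEV01", "QueryName": "update.code.visualstudio.com"},
    {"EventType": "ProcessCreate", "Computer": "WS-ACCT-07",
     "Image": r"C:\Users\Public\code.exe", "OriginalFileName": "Code.exe",
     "CommandLine": r"C:\Users\Public\code.exe tunnel --accept-server-license-terms --name ws-acct-07"},
    {"EventType": "ProcessCreate", "Computer": "WS-ACCT-07",
     "Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "Code.exe",
     "CommandLine": r"C:\ProgramData\svchost.exe tunnel service install --accept-server-license-terms"},
    {"EventType": "DnsQuery", "Computer": "WS-ACCT-07", "QueryName": "global.rel.tunnels.api.visualstudio.com"},
    {"EventType": "DnsQuery", "Computer": "FS-02", "QueryName": "abc123-8000.euw.devtunnels.ms"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:<11} {f.kind:<8} {f.reason}\n    {f.evidence}")
    print(hosts_to_triage(SAMPLE_EVENTS))
```

The OriginalFileName check matters more than the command-line regex: a portable Code.exe dropped under a different name still carries the original name in its version resource, which Sysmon records, while the command line can be made to look like almost anything. Developers who legitimately use Remote Tunnels will show up as "suspected" on their own workstations; the relay lookups from a file server or a host with no VS Code install are the ones worth chasing first.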

It's worth pointing out that the malicious use of this technique was previously highlighted by Norwegian cybersecurity firm mnemonic in connection with zero-day exploitation of a now-patched vulnerability in Check Point's Network Security gateway products (CVE-2024-24919, CVSS score: 8.6) earlier this year.

Unit 42 said the Mustang Panda attacker used the technique to deliver malware, conduct reconnaissance, and exfiltrate sensitive data. The attacker is also believed to have used OpenSSH to execute commands, transfer files, and move laterally across the network.

That's not all. A closer examination of the compromised environment uncovered a second cluster of activity "occurring simultaneously and at times even on the same endpoints" that used the ShadowPad malware, a modular backdoor widely shared among Chinese espionage groups.

It's still unknown whether these two incursion sets are tied to one another, or if two distinct organizations are "piggybacking on each other's access."

"Based on the forensic evidence and timeline, one could conclude that these two clusters originated from the same threat actor (Stately Taurus)," Fakterman added. "However, there could be other possible explanations that can account for this connection, such as a collaborative effort between two Chinese APT threat actors."
