Exploits Visual Studio Code in Southeast Asian Government Cyberattack
The advanced persistent threat (APT) group known as Mustang Panda, also referred to by names such as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich, has recently been observed weaponizing Visual Studio Code (VSCode) as part of a sophisticated espionage campaign targeting government entities in Southeast Asia. This marks a notable evolution in their tactics, showcasing a relatively new technique first demonstrated in September 2023 by security researcher Truvis Thornton.
Report Overview
Mustang Panda, active since 2012, has a long history of cyber espionage, focusing on governmental and religious organizations across Europe and Asia, particularly in South China Sea countries. The group's latest campaign leverages VSCode's embedded reverse shell feature to gain unauthorized access to target networks. This approach is a continuation of previous attacks, including one aimed at an unnamed Southeast Asian government entity in late September 2023.
According to Palo Alto Networks Unit 42 researcher Tom Fakterman, the attackers exploited VSCode's reverse shell functionality to execute arbitrary code and deliver additional payloads. "To abuse Visual Studio Code for malicious purposes, an attacker can use either a portable version of code.exe or an already installed version of the software," Fakterman explained. By running the command code.exe tunnel, attackers generate a link that requires GitHub authentication, which, once completed, redirects them to a VSCode web environment connected to the infected machine. This setup allows them to execute commands, create files, and maintain access.
Technical Details
The campaign demonstrated Mustang Panda's adept use of VSCode's reverse shell to facilitate a range of malicious activities. The attackers have employed this technique to perform reconnaissance, deliver malware, and exfiltrate sensitive data. They have also used OpenSSH for executing commands, transferring files, and expanding their presence within the network. Additionally, Unit 42 observed that the attackers used sshd.exe for lateral movement and rar.exe to compress and exfiltrate data to Dropbox, blending their activities with normal network traffic to evade detection.
Notably, this malicious use of VSCode aligns with similar exploitation techniques previously highlighted by Dutch cybersecurity firm mnemonic, which reported a zero-day vulnerability in Check Point's Network Security gateway products (CVE-2024-24919) earlier this year.
Analysis
The consequences of Mustang Panda's campaign are significant, as they have successfully targeted sensitive government data, including critical communications and classified information. Their use of legitimate tools like VSCode and Dropbox for data exfiltration complicates traditional detection methods, posing a serious challenge for cybersecurity defenses.
Organizations using Visual Studio Code should be particularly vigilant. Monitoring for abnormal usage patterns of code.exe, scrutinizing scheduled tasks, and reviewing reverse shells created through VSCode are essential measures for detecting and mitigating such advanced threats. As this campaign demonstrates, threat actors continue to innovate, blending malicious activity with legitimate tools to evade detection and achieve their objectives.
No comments:
Post a Comment