A China-linked advanced persistent threat (APT) group called Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia. The group used the embedded reverse shell feature to gain a foothold in target networks, demonstrating a “relatively new technique” first seen in September 2023.
Mustang Panda, also known by various names, has been operational since 2012 and regularly conducts cyber-espionage campaigns targeting government and religious entities across Europe and Asia. The latest attack sequence is notable for its abuse of Visual Studio Code’s reverse shell to execute arbitrary code and deliver additional payloads.
To exploit this technique, an attacker can use the portable version of code.exe or an already installed version of the software. Once the command “code.exe tunnel” is run, the attacker receives a link requiring them to log into GitHub with their own account. This redirects them to a Visual Studio Code web environment connected to the infected machine, allowing them to run commands or create new files.
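A defender's view of the same behaviour, as an added example that is not part of the original article: the script below scans process-creation telemetry for launches of the VS Code binary with the `tunnel` subcommand, and rates a launch from outside the usual install directories higher because the article notes attackers may bring a portable copy of code.exe. The event records, the field names (`ts`, `host`, `user`, `image`, `cmdline`) and the assumed default install directories are constructed for this example.

```python
"""Flag VS Code remote-tunnel launches in process-creation telemetry.

Added detection example. Assumptions: generic JSON-like process-create
records with ts/host/user/image/cmdline fields, and the default VS Code
install directories listed in EXPECTED_INSTALL_DIRS.
"""
import ntpath
import shlex

# Assumed file names of the VS Code launcher (Windows and non-Windows builds).
VSCODE_IMAGE_NAMES = {"code.exe", "code"}

# Assumed default per-machine and per-user install locations (lowercase for matching).
EXPECTED_INSTALL_DIRS = (
    r"c:\program files\microsoft vs code",
    r"\appdata\local\programs\microsoft vs code",
)

# Constructed sample events (not from the article): a normal editor launch,
# a tunnel started from a portable copy, a tunnel from the installed copy,
# and an unrelated process whose arguments merely contain the word "tunnel".
SAMPLE_EVENTS = [
    {"ts": "2024-09-01T08:00:00Z", "host": "ws-01", "user": "alice",
     "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\Users\alice\src\project'},
    {"ts": "2024-09-01T08:05:00Z", "host": "ws-02", "user": "svc_backup",
     "image": r"C:\Users\Public\tools\code.exe",
     "cmdline": r'"C:\Users\Public\tools\code.exe" tunnel --name build-box'},
    {"ts": "2024-09-01T08:07:00Z", "host": "ws-03", "user": "bob",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" tunnel'},
    {"ts": "2024-09-01T08:09:00Z", "host": "ws-01", "user": "alice",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo tunnel"},
]


def is_vscode_image(image: str) -> bool:
    """True when the executed image is the VS Code launcher binary."""
    return ntpath.basename(image).lower() in VSCODE_IMAGE_NAMES


def tunnel_subcommand(cmdline: str) -> bool:
    """True when the first argument after the executable is the 'tunnel' subcommand."""
    try:
        # posix=False keeps Windows backslashes literal and quotes attached to tokens.
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        return False
    args = [t.strip('"') for t in tokens[1:]]
    return bool(args) and args[0].lower() == "tunnel"


def is_expected_install_path(image: str) -> bool:
    """True when the image lives under one of the assumed default install directories."""
    directory = ntpath.dirname(image).lower()
    return any(marker in directory for marker in EXPECTED_INSTALL_DIRS)


def analyze(events):
    """Return one finding per VS Code tunnel launch, rated by where the binary ran from."""
    findings = []
    for ev in events:
        if not is_vscode_image(ev["image"]) or not tunnel_subcommand(ev["cmdline"]):
            continue
        portable = not is_expected_install_path(ev["image"])
        findings.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "user": ev["user"],
            "image": ev["image"],
            "severity": "high" if portable else "medium",
            "reason": ("VS Code tunnel started from a non-standard path (possible portable copy)"
                       if portable else
                       "VS Code tunnel started from the installed copy (confirm it is sanctioned)"),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['host']} {f['user']}: "
              f"{f['reason']} ({f['image']})")
```

The first argument is checked rather than the whole command line so that an unrelated process mentioning "tunnel" in its arguments is not flagged; the install-path check is deliberately a heuristic, since a legitimate developer can also run a tunnel from the installed copy, which is why that case is rated lower rather than ignored.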
The malicious use of this technique was previously highlighted by mnemonic in connection with zero-day exploitation of Check Point’s Network Security gateway products (CVE-2024-24919). Mustang Panda leveraged this mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data. The attacker also used OpenSSH to execute commands, transfer files, and spread across the network.
A closer analysis revealed a second cluster of activity using the ShadowPad malware, a modular backdoor widely shared by Chinese espionage groups. It is unclear if these two intrusion sets are related or if two different groups are “piggybacking on each other’s access.”
Source: https://thehackernews.com/2024/09/chinese-hackers-exploit-visual-studio.html?m=1