Bitter APT – Active IOCs
September 10, 2024
PatchWork APT Threat Actor Group Targeting Pakistan – Active IOCs
September 10, 2024
September 10, 2024
Severity
High
Analysis Summary
The China-linked APT group Mustang Panda, also known by various aliases including Bronze President and RedDelta, has been linked to a new cyber espionage campaign targeting government entities in Southeast Asia.
This campaign is notable for its exploitation of Visual Studio Code's reverse shell feature, which allows attackers to gain a foothold in target networks by utilizing the software's embedded functionalities. This technique, considered relatively new, was first demonstrated in September 2023 and has now been weaponized by Mustang Panda to conduct espionage activities.

According to the researchers, the threat actor abuses Visual Studio Code's portable version or an existing installation by running the command code.exe tunnel to execute the attack. This grants the attacker access to a Visual Studio Code web environment connected to the compromised machine, enabling them to run commands, create files, and further infiltrate the network. The campaign is seen as a continuation of previous activity targeting Southeast Asian government entities in late September 2023, indicating sustained efforts by the group to breach sensitive networks in the region.
The malicious use of this technique was highlighted earlier in the year by a Dutch cybersecurity firm in connection with the exploitation of a zero-day vulnerability (CVE-2024-24919) in Check Point's Network Security gateway products. Mustang Panda has leveraged this method to deliver malware, conduct reconnaissance, and exfiltrate sensitive data, further utilizing OpenSSH to execute commands, transfer files, and spread laterally across the network.
Interestingly, the investigation also revealed a parallel cluster of activity involving ShadowPad malware, a sophisticated backdoor shared among Chinese espionage groups. While it remains unclear whether these two intrusion sets are directly connected, forensic evidence suggests they might be from the same threat actor, potentially indicating collaboration between different Chinese APT groups.
Impact
- Information Theft
- Cyber Espionage
- Security Bypass
- Code Execution
Indicators of Compromise
IP
- 216.83.40.84
- 185.132.125.72
MD5
- 4fa897798a9028ea4f8dad8f8da5dc63
- 37b041aac5620b9639046e346deeea78
- 247be14926f2e34a20e8fb0e7540b6c0
- 6b30b76d19343a29e2107bceaa54b387
- 57eb74203efdfc987cb922b897db0c38
SHA-256
- 0f11b6dd8ff972a2f8cb7798b1a0a8cd10afadcea201541c93ef0ab9b141c184
- bdadcd2842ed7ba8a21df7910a0acc15f8b0ca9d0b91bebb49f09a906ae217e6
- ac34e1fb4288f8ad996b821c89b8cd82a61ed02f629b60fff9eb050aaf49fc31
- 440e7bce4760b367b46754a70f480941a38cd6cd4c00c56bbaeb80b9c149afb1
- cca63c929f2f59894ea2204408f67fc1bff774bb7164fde7f42d0111df9461bd
SHA-1
- e7782ed481ae173fffa006cab49fa43c39e1abfa
- 7e8c1086934e2a5c0ba7b34360d8f281136cbfb0
- 4c61ef03b5e082ebd50578202cae37912b8bd247
- aaad761ebbc48175aed9325694abd05d984bd506
- a8385f59dec3919bf017c51bd8bdc899ad3ce95f
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.
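The following is an added defensive example and is not part of the original advisory or the researchers' tooling. It covers two of the steps above: it flags the code.exe tunnel launch described in the Analysis Summary in process-creation telemetry, and it matches file digests and destination IPs against the IOCs listed on this page. The IP and hash values are copied from the Indicators of Compromise section; the Sysmon-style key="value" event lines, host names, user names and paths are constructed for illustration.

```python
"""Added defensive example (not part of the original advisory): a small
triage script that checks endpoint telemetry for the two behaviours the
advisory describes, then matches file digests against its published IOCs.
Event lines and the file bytes are constructed here for illustration."""
import hashlib
import re
from typing import Iterable

# IOCs copied from the advisory's Indicators of Compromise section.
IOC_IPS = {"216.83.40.84", "185.132.125.72"}
IOC_HASHES = {
    "md5": {
        "4fa897798a9028ea4f8dad8f8da5dc63",
        "37b041aac5620b9639046e346deeea78",
        "247be14926f2e34a20e8fb0e7540b6c0",
        "6b30b76d19343a29e2107bceaa54b387",
        "57eb74203efdfc987cb922b897db0c38",
    },
    "sha1": {
        "e7782ed481ae173fffa006cab49fa43c39e1abfa",
        "7e8c1086934e2a5c0ba7b34360d8f281136cbfb0",
        "4c61ef03b5e082ebd50578202cae37912b8bd247",
        "aaad761ebbc48175aed9325694abd05d984bd506",
        "a8385f59dec3919bf017c51bd8bdc899ad3ce95f",
    },
    "sha256": {
        "0f11b6dd8ff972a2f8cb7798b1a0a8cd10afadcea201541c93ef0ab9b141c184",
        "bdadcd2842ed7ba8a21df7910a0acc15f8b0ca9d0b91bebb49f09a906ae217e6",
        "ac34e1fb4288f8ad996b821c89b8cd82a61ed02f629b60fff9eb050aaf49fc31",
        "440e7bce4760b367b46754a70f480941a38cd6cd4c00c56bbaeb80b9c149afb1",
        "cca63c929f2f59894ea2204408f67fc1bff774bb7164fde7f42d0111df9461bd",
    },
}

# A VS Code binary (installed or portable) started with the `tunnel`
# subcommand, which is the foothold technique the advisory describes.
TUNNEL_RE = re.compile(r"\bcode(?:\.exe)?\b.*\btunnel\b", re.IGNORECASE)
# key="value" pairs as they appear in the constructed event lines below.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed Sysmon-style events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    r'ProcessCreate Image="C:\Users\alice\Downloads\code\code.exe" CommandLine="code.exe tunnel --accept-server-license-terms --name host1"',
    r'ProcessCreate Image="C:\Program Files\Microsoft VS Code\Code.exe" CommandLine="Code.exe --new-window"',
    r'NetworkConnect Image="C:\Windows\System32\OpenSSH\ssh.exe" DestinationIp="216.83.40.84" DestinationPort="22"',
    r'NetworkConnect Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationIp="203.0.113.5" DestinationPort="443"',
]


def scan_events(events: Iterable[str], ioc_ips=IOC_IPS) -> list[tuple[int, str]]:
    """Return (event number, reason) for every event worth a look:
    a code.exe tunnel launch, or an outbound connection to a listed IP."""
    hits = []
    for n, line in enumerate(events, 1):
        kind, _, rest = line.partition(" ")
        fields = dict(FIELD_RE.findall(rest))
        if kind == "ProcessCreate" and TUNNEL_RE.search(fields.get("CommandLine", "")):
            hits.append((n, "vscode-tunnel: " + fields["CommandLine"]))
        if kind == "NetworkConnect" and fields.get("DestinationIp") in ioc_ips:
            hits.append((n, "ioc-ip: " + fields["DestinationIp"]))
    return hits


def digests(data: bytes) -> dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a file's bytes, keyed like IOC_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_matches(data: bytes, ioc_hashes=IOC_HASHES) -> list[str]:
    """Names of the algorithms whose digest of `data` is a listed IOC."""
    return [algo for algo, value in digests(data).items()
            if value in ioc_hashes.get(algo, set())]


if __name__ == "__main__":
    for n, reason in scan_events(SAMPLE_EVENTS):
        print(f"event {n}: {reason}")
    # Constructed file contents: benign, so no hash matches are expected.
    print("hash IOC matches:", hash_matches(b"constructed benign file contents"))
```

Two caveats when running something like this against real telemetry. The tunnel subcommand is a legitimate Microsoft feature, so a hit is a triage lead rather than a verdict; the signal the advisory points at is a portable copy of code.exe in a user-writable path, or a host or account that has no business using remote tunnels, so baseline which machines are allowed to run it before alerting. Hash and IP indicators age quickly, so treat a match as a reason to pull the file and the connection history for deeper analysis rather than relying on the lists alone.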