Attacks abusing Visual Studio Code for initial network compromise have been deployed by the Chinese advanced persistent threat group Mustang Panda against Southeast Asian government organizations, reports The Hacker News.
Mustang Panda — also known as Earth Preta, Camaro Dragon, HoneyMyte, RedDelta, Bronze President, Red Lich, and BASIN, and tracked by Palo Alto Networks Unit 42 as Stately Taurus — leveraged the embedded reverse shell functionality of Visual Studio Code to facilitate command execution, file creation, and malware distribution, as well as reconnaissance and data exfiltration, an analysis from Unit 42 revealed. Further command execution and spread across the network were enabled through OpenSSH, according to the researchers, who also observed a separate activity cluster involving the ShadowPad malware aimed at similar endpoints. "Based on the forensic evidence and timeline, one could conclude that these two clusters originated from the same threat actor (Stately Taurus). However, there could be other possible explanations that can account for this connection, such as a collaborative effort between two Chinese APT threat actors," said researcher Tom Fakterman.
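The report above does not spell out how defenders would spot this abuse, so the following is an added example, not code from the article, The Hacker News, or Unit 42. It assumes that the "embedded reverse shell functionality" is Visual Studio Code's remote tunnel feature, which is started from the command line as `code tunnel`, and that process-creation telemetry (Sysmon, EDR or auditd) has been flattened to one line per event in the form `<timestamp> <host> <user> <image> <command line>`. All hosts, users, paths and the allowlist are constructed for the example.

```python
"""Flag Visual Studio Code remote-tunnel launches in process-creation logs.

Added example. Assumption: the abused feature is the VS Code remote tunnel,
launched via the real CLI subcommand `code tunnel`. Log format is assumed to be
one event per line: <timestamp> <host> <user> <image> <command line>.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample events; hosts, users and paths are made up for this example.
SAMPLE_EVENTS = [
    "2024-09-01T08:02:11Z ws-finance-12 alice C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe --reuse-window C:\\src\\app",
    "2024-09-01T08:05:43Z ws-finance-12 alice C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code.cmd tunnel --accept-server-license-terms --name ws-finance-12",
    "2024-09-01T09:14:02Z srv-build-01 buildsvc /usr/bin/code tunnel --accept-server-license-terms",
    "2024-09-01T09:20:17Z ws-hr-03 bob C:\\Windows\\System32\\cmd.exe /c whoami",
    "2024-09-01T10:31:55Z ws-hr-03 bob C:\\Users\\Public\\code.exe tunnel --name updater",
]

# Hosts where engineers are expected to run tunnels (assumed allowlist).
# A tunnel from any other host is treated as an alert.
TUNNEL_ALLOWLIST = {"srv-build-01"}

# Splits a flattened event; the command line is everything after the user field.
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<cmdline>.+)$")

# Matches "code", "code.exe" or "code.cmd" (as a path component or bare name)
# followed by the "tunnel" subcommand. Searching the whole command line avoids
# tokenising Windows install paths that contain spaces ("Microsoft VS Code").
TUNNEL_RE = re.compile(r"(?:^|[\\/\s])code(?:\.exe|\.cmd)?\s+tunnel(?:\s|$)", re.IGNORECASE)

# Heuristic: a VS Code binary running from a user-writable drop location rather
# than the normal install directory is a stronger indicator of a planted copy.
UNUSUAL_PATH_RE = re.compile(r"\\users\\public\\|\\temp\\|\\downloads\\|\\programdata\\", re.IGNORECASE)


def find_tunnel_launches(lines: Iterable[str], allowlist=TUNNEL_ALLOWLIST) -> List[Dict]:
    """Return one finding per event whose command line starts a VS Code tunnel."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than fail the whole batch
        cmdline = m.group("cmdline")
        if not TUNNEL_RE.search(cmdline):
            continue
        findings.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "user": m.group("user"),
            "cmdline": cmdline,
            "expected": m.group("host") in allowlist,
            "unusual_path": bool(UNUSUAL_PATH_RE.search(cmdline)),
        })
    return findings


def alerts(lines: Iterable[str], allowlist=TUNNEL_ALLOWLIST) -> List[Dict]:
    """Only the tunnel launches on hosts that are not allowlisted."""
    return [f for f in find_tunnel_launches(lines, allowlist) if not f["expected"]]


if __name__ == "__main__":
    for f in alerts(SAMPLE_EVENTS):
        tag = " [unusual path]" if f["unusual_path"] else ""
        print(f"{f['ts']} {f['host']} {f['user']}: VS Code tunnel launched{tag}")
        print(f"    {f['cmdline']}")
```

Run against the constructed events it reports the two workstation launches (one from a planted copy under `C:\Users\Public`) and stays quiet on the build server that is allowed to use tunnels. The path heuristic and the allowlist are the knobs to tune per environment; in practice the same match would also be correlated with the outbound connection the tunnel opens, which the flattened log format assumed here does not carry.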