Chinese Hackers Exploit Visual Studio Code in Southeast Asian Cyberattacks

Cyber threats against Southeast Asia originating from Mustang Panda, an APT group affiliated with China, have been identified. Mustang Panda, which has been active since 2015 and has conducted cyber espionage against targets in Europe and Asia, has over the last few weeks been observed using Visual Studio Code, Microsoft's software development tool, to target governments in the region.
 
According to a report from Palo Alto Networks' Unit 42, the group has learned to make full use of a reverse shell within Visual Studio Code, set up through a build process, to penetrate its targets' systems. This technique was first demonstrated in September 2023, and it enables the attacker to run commands and download additional malware. The campaign is believed to be an extension of similar attacks directed at Southeast Asian government entities.
 
The group, which is also known as BASIN, RedDelta and Earth Preta, has been in existence since 2012. Its recent activity exploits features of Visual Studio Code to gain remote access to the victim's environment through the software. Once a connection is established, the attackers are able to run commands and create new files, and so extend their espionage operations.
 
The use of Visual Studio Code also fits Mustang Panda's broader pattern of operations, in which the group uses OpenSSH to carry out reconnaissance, steal and transfer data, and move laterally within a network. The campaign has further been observed to deploy the ShadowPad malware, a modular backdoor linked to Chinese espionage groups.
 
The picture is complicated by an observed overlap between this activity and that of another suspected Chinese APT group, which leads researchers to question whether the two are cooperating or whether one group is leveraging the other's foothold. As Southeast Asian governments work to strengthen their defences against cyber threats, the activities of groups such as Mustang Panda are a reminder of the continuing threat of state-sponsored cyber espionage.