
Python-Based Malware Infiltrates Systems through Legitimate VS Code


Mustang Panda, a well-known Chinese advanced persistent threat (APT) group, has been identified as the likely perpetrator behind a sophisticated cyber-espionage campaign. This ongoing campaign begins with a malicious email and utilizes Visual Studio Code (VS Code) to distribute Python-based malware, providing unauthorized remote access to compromised machines.

The researchers at Cyble Research and Intelligence Lab (CRIL) uncovered this campaign, which involves the dissemination of an .lnk file disguised as a legitimate setup file to download a Python distribution package. In reality, this file is used to execute a malicious Python script. The attackers rely on VS Code to carry out their activities, deploying it through the installation of the VS Code command line interface (CLI) if it is not already present on the targeted machine, as documented in an analysis published on Oct. 2.

According to a blog post describing the attack, “The [threat actor (TA)] leverages a [VS Code] tool to initiate a remote tunnel and retrieve an activation code, which the TA can use to gain unauthorized remote access to the victim’s machine.” This unauthorized access enables the attackers to interact with the system, access files, and conduct further malicious actions, such as data exfiltration and the delivery of additional malware.

While the precise attribution of the attack remains unclear, the researchers observed Chinese-language elements and identified tactics, techniques, and procedures (TTPs) that align with the operations of the Chinese APT group known as Mustang Panda, also recognized by aliases including Stately Taurus, Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta.

The attack commences with the execution of the .lnk file, which displays a false “successful installation” message in Chinese while secretly downloading additional components in the background. One of these components is a Python distribution package that eventually downloads a malicious script intended to check for the presence of VS Code on the system and download the VS Code CLI from a Microsoft source if it is not found.

Subsequently, the script establishes a task to ensure the persistence of its malicious activities, including the creation of a remote tunnel to facilitate attacker access to the compromised machine. The attackers utilize VS Code Remote-Tunnels for this purpose, enabling them to connect to the infected machine remotely through a secure tunnel without the use of SSH.

In a strategic move, the attackers leverage GitHub, a legitimate developer repository, to access files on the infected machine. During the configuration of the remote tunnel, the script automatically links it to a GitHub account for authentication, extracting an activation code for future malicious operations.

The malware also collects information such as the list of running processes on the victim’s machine, system language settings, geographical location, computer name, user name, user domain, user privileges, and folder names from various directories. Once this data is exfiltrated to the command-and-control (C2) server, the attackers can utilize a GitHub account for remote access to the compromised device by entering an alphanumeric activation code.

As highlighted in the post, this level of access grants the attackers the ability to navigate through the victim’s files, execute commands via the terminal, install malware, extract sensitive information, and modify system settings, potentially leading to further exploitation of the victim’s system and data.

At the time of Cyble’s research publication, the malicious Python script used in the attack had no detections on VirusTotal, making it challenging for defenders to identify through standard security tools. To defend against sophisticated APT attacks such as those orchestrated by Mustang Panda, Cyble recommends that organizations implement advanced endpoint protection solutions with behavioral analysis and machine-learning capabilities to detect and prevent suspicious activities, even those involving legitimate applications like VS Code.

Furthermore, organizations should regularly review scheduled tasks on all systems to uncover unauthorized or unusual entries established by threat actors for persistence. It is also crucial to conduct training sessions to educate users about the risks associated with opening suspicious files or links, particularly those involving .lnk files and unknown sources. Additionally, organizations should restrict user permissions to install software, especially tools that can be abused for remote access such as VS Code, and employ application whitelisting to regulate the installation and execution of applications on systems.
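The scheduled-task review recommended above, and the persistence mechanism described earlier (a task that keeps a VS Code CLI remote tunnel alive), can be turned into a simple triage check. The following Python script is an added example written for this article; it is not code from Cyble, Microsoft, or the campaign itself. It assumes a simplified one-task-per-line export in the shape `TaskName|Author|Command` (the real output of `schtasks /query /fo CSV /v` or `Get-ScheduledTask` has more columns and would need its own parser), and the sample export is constructed. It flags tasks that launch the VS Code CLI `tunnel` subcommand, and tasks that run a Python interpreter or any binary from user-writable locations such as `Users\Public` or `AppData\Local\Temp`, which is where a downloaded Python distribution package would typically land.

```python
import re
from dataclasses import dataclass

# Constructed sample export (assumption: "TaskName|Author|Command" per line).
# Two entries imitate the persistence pattern described in the article;
# the other three are ordinary vendor tasks that should not be flagged.
SAMPLE_TASKS = r"""
\Microsoft\Windows\Defrag\ScheduledDefrag|Microsoft|%windir%\system32\defrag.exe -c -h -o -$
\OneDrive Standalone Update|CONTOSO\alice|C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
\WindowsUpdateCheck|CONTOSO\alice|C:\Users\Public\code.exe tunnel --accept-server-license-terms --name host1
\AppSync|CONTOSO\bob|C:\Users\bob\AppData\Local\Temp\python\python.exe C:\Users\bob\AppData\Local\Temp\update.py
\Adobe Acrobat Update Task|Adobe|"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"""

# Locations any standard user can write to; a scheduled task running a
# binary from here deserves a second look regardless of what it launches.
USER_WRITABLE = re.compile(
    r"(\\Users\\Public\\|\\AppData\\Local\\Temp\\|\\Downloads\\|\\ProgramData\\[^\\]+\\)",
    re.IGNORECASE,
)
# VS Code CLI tunnel: executable named code / code.exe / code.cmd / code-tunnel
# followed by the "tunnel" subcommand. A persistent tunnel in a scheduled task
# is unusual even when the binary sits in a legitimate install directory.
VSCODE_TUNNEL = re.compile(
    r"(^|[\\/\s\"])code(-tunnel)?(\.exe|\.cmd)?\"?\s+tunnel\b", re.IGNORECASE
)
# Any Python interpreter (python, python3, pythonw, ...).
INTERPRETER = re.compile(r"(^|[\\/\s\"])python\w*(\.exe)?\"?(\s|$)", re.IGNORECASE)


@dataclass
class Task:
    name: str
    author: str
    command: str


def parse_task(line: str) -> Task:
    """Split one 'TaskName|Author|Command' line (command may contain '|')."""
    name, author, command = line.split("|", 2)
    return Task(name.strip(), author.strip(), command.strip())


def assess(task: Task) -> list[str]:
    """Return the list of indicators that apply to a task's command line."""
    reasons = []
    if VSCODE_TUNNEL.search(task.command):
        reasons.append("vscode-cli-tunnel")
    if INTERPRETER.search(task.command):
        reasons.append("script-interpreter")
    if USER_WRITABLE.search(task.command):
        reasons.append("user-writable-path")
    return reasons


def find_suspicious(export_text: str) -> list[tuple[str, str, list[str]]]:
    """Triage an export; returns (task name, severity, reasons) for flagged tasks."""
    findings = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        task = parse_task(line)
        reasons = assess(task)
        if not reasons:
            continue
        # A tunnel task, or an interpreter run from a user-writable path,
        # matches the persistence pattern closely enough to rate as high.
        if "vscode-cli-tunnel" in reasons or {
            "script-interpreter",
            "user-writable-path",
        } <= set(reasons):
            severity = "high"
        else:
            severity = "medium"
        findings.append((task.name, severity, reasons))
    return findings


if __name__ == "__main__":
    for name, severity, reasons in find_suspicious(SAMPLE_TASKS):
        print(f"{severity:6} {name}  [{', '.join(reasons)}]")
```

On the constructed sample this flags only `\WindowsUpdateCheck` (tunnel launched from `Users\Public`) and `\AppSync` (Python from `Temp`), both as high, while the Defrag, OneDrive and Adobe tasks pass. The regexes are deliberately narrow so that a task run from `AppData\Local\<vendor>` (where OneDrive lives) is not treated the same as one run from `AppData\Local\Temp`; tune `USER_WRITABLE` to the directories your own baseline considers normal.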

