The prolific Chinese APT Mustang Panda is the likely culprit behind a sophisticated cyber-espionage attack that sets up persistent remote access to victim machines. It starts with a malicious email, and ultimately uses Visual Studio Code (VS Code) to distribute Python-based malware that gives attackers unauthorized and persistent remote access to infected machines.

The attack relies upon the use of VS Code, which, if not present on the machine, will be deployed via the installation of the VS Code command line interface (CLI) by the attacker, the researchers noted in analysis published Oct. "The [threat actor (TA)] leverages a [VS Code] tool to initiate a remote tunnel and retrieve an activation code, which the TA can use to gain unauthorized remote access to the victim's machine," according to the blog post about the attack.

When establishing the tunnel, the attackers use VS Code Remote-Tunnels, an extension typically used to connect to a remote machine, such as a desktop PC or virtual machine (VM), via a secure tunnel, according to Cyble. "This enables users to [remotely] access the machine from any [VS Code] client without the need for SSH," according to the post.

When setting up the remote tunnel, the script automatically associates it with a GitHub account for authentication, and extracts an activation code to enable further malicious activity later in the attack. "Here, the TA can enter the exfiltrated alphanumeric activation code to gain unauthorized access to the victim's machine," according to Cyble. "This enables the TA to interact with the system, access files, and perform additional malicious activities," which include exfiltrating data and delivering further malware.

The malware also extracts a list of processes currently running on the victim's machine and sends them directly to the command-and-control (C2) server, and goes on to gather further sensitive data, such as the system's language settings, geographical location, computer name, user name, user domain, and details about user privileges. Eventually, this script sets up a task to ensure the persistence of its malicious activities, which include establishing a remote tunnel to give attackers access to the infected machine. At the time Cyble published the research, the malicious Python script deployed by the attack had no detections on VirusTotal, which makes it difficult for defenders to detect it through standard security tools, the researchers noted.

To mitigate these kinds of attacks by sophisticated APTs like Mustang Panda, Cyble recommends that organizations use advanced endpoint protection solutions that include behavioral analysis and machine-learning capabilities to detect and block suspicious activities, even those involving legitimate applications like VS Code.
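Because the tunnel itself is a legitimate VS Code feature, the behaviours worth alerting on are the ones the article describes: the VS Code CLI being launched with the `tunnel` subcommand, that launch coming from a script interpreter rather than a developer's desktop session, and a scheduled task being created whose action is the tunnel command. The following is an added detection sketch written for this page; it is not code from Cyble or from the VS Code project. It runs over process-creation events of the kind an EDR or Sysmon would emit. The binary names, the `tunnel` subcommand and the `--accept-server-license-terms` flag are taken from the public VS Code CLI, while the event records, hosts, users and file paths are constructed for the example.

```python
"""Added example (not from the Cyble write-up or this article): flag process
creation events that show a VS Code Remote Tunnel being started, started from
a script interpreter, or installed as a scheduled task. Sample events are
constructed for this example."""
import re
from dataclasses import dataclass

# File names of the VS Code CLI launcher; taken from public VS Code packaging,
# extend for builds used in your own fleet.
VSCODE_CLI_NAMES = {"code", "code.exe", "code-tunnel", "code-tunnel.exe"}

# Script interpreters a dropper would use to launch the tunnel. A tunnel whose
# parent is one of these is treated as more suspicious than one started from a
# desktop session. Shells are deliberately left out to keep the signal tight.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "python", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# 'tunnel' as a separate argument: the VS Code CLI subcommand that opens a
# Remote Tunnel. Developers use it legitimately, so triage against the
# allowlist passed to analyze().
TUNNEL_ARG = re.compile(r"(?:^|\s)tunnel(?:\s|$)", re.IGNORECASE)

# A VS Code CLI binary followed by the tunnel subcommand anywhere in a command
# line, used to inspect the action of a scheduled task.
TUNNEL_LAUNCH = re.compile(r"\bcode(?:-tunnel)?(?:\.exe)?[\"']?\s+tunnel\b",
                           re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    reason: str
    command_line: str


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_vscode_cli(image: str) -> bool:
    return basename(image) in VSCODE_CLI_NAMES


def is_task_creation(image: str, command_line: str) -> bool:
    return basename(image) == "schtasks.exe" and "/create" in command_line.lower()


def analyze(events, allowed_users=frozenset()):
    """Return one Finding per suspicious event. Users in allowed_users are
    expected to run tunnels (e.g. developers) and are skipped entirely."""
    findings = []
    for ev in events:
        if ev.user in allowed_users:
            continue
        cl = ev.command_line
        if is_vscode_cli(ev.image) and TUNNEL_ARG.search(cl):
            if basename(ev.parent_image) in SCRIPT_HOSTS:
                reason = "vscode_tunnel_spawned_by_script"
            else:
                reason = "vscode_tunnel_started"
            findings.append(Finding(ev.host, ev.user, reason, cl))
        elif is_task_creation(ev.image, cl) and TUNNEL_LAUNCH.search(cl):
            findings.append(Finding(ev.host, ev.user,
                                    "scheduled_task_persists_vscode_tunnel", cl))
    return findings


# Constructed sample events (hosts, users and paths are made up).
SAMPLE_EVENTS = [
    # Ordinary editor launch from the desktop: not a tunnel.
    ProcessEvent("ws-01", "alice", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft VS Code\Code.exe",
                 r'"C:\Program Files\Microsoft VS Code\Code.exe" .'),
    # Developer starting a tunnel from a desktop session.
    ProcessEvent("ws-01", "alice", r"C:\Windows\explorer.exe",
                 r"C:\Tools\vscode-cli\code.exe",
                 "code.exe tunnel --name dev-box"),
    # Tunnel launched by a Python interpreter from a temp directory.
    ProcessEvent("ws-02", "bob",
                 r"C:\Users\bob\AppData\Local\Programs\Python\pythonw.exe",
                 r"C:\Users\bob\AppData\Local\Temp\code.exe",
                 "code.exe tunnel --accept-server-license-terms --name ws-02"),
    # Scheduled task whose action re-launches the tunnel at every logon.
    ProcessEvent("ws-02", "bob", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /tn "CodeUpdate" /tr "C:\Users\bob\AppData'
                 r'\Local\Temp\code.exe tunnel --accept-server-license-terms"'
                 r" /sc onlogon"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.reason}: {f.command_line}")
```

The three reasons map to escalating confidence: a plain `vscode_tunnel_started` is mostly an inventory signal, a tunnel whose parent is an interpreter is the pattern the article describes for the Python dropper, and a scheduled task carrying the tunnel command is the persistence step. Pairing these findings with outbound connections to the tunnel relay and with GitHub device-authorization traffic from the same host gives the behavioural correlation that signature-only tools missed here.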
This Cyber News was published on www.darkreading.com. Publication date: Wed, 02 Oct 2024 15:25:08 +0000