Chinese APT Exploits Visual Studio Code to Target Southeast Asian Governments
Introduction
On September 6, 2024, Unit 42 researchers released a report detailing a new cyber espionage campaign by the Chinese Advanced Persistent Threat (APT) group known as "Stately Taurus." This group, active since 2012, was found abusing Visual Studio Code (VSCode) to gain unauthorized access to government networks in Southeast Asia. The espionage campaign marks the first instance of VSCode being leveraged for malicious purposes in the wild.
Report Overview
Stately Taurus, known by several aliases including Mustang Panda and RedDelta, has long targeted governmental organizations, religious groups, and non-governmental organizations in Europe and Asia. The group uses sophisticated techniques to gain footholds in sensitive networks, exfiltrate data, and maintain persistence.
Unit 42 researchers first observed this group using VSCode to launch attacks, building on a technique discovered in 2023 by security researcher Truvis Thornton. Although this method was publicly disclosed last year, Stately Taurus appears to be the first group using this method operationally.
Stately Taurus's method begins with abusing VSCode's embedded reverse shell feature. The attackers either installed a portable version of the software or exploited an existing installation. Using VSCode's command line, they executed the code.exe tunnel command to generate a reverse shell linked to a GitHub account they controlled. Once inside the target machine through this tunnel, the attackers could execute commands, transfer files, and establish persistence via a scheduled task that ensured the continued execution of their malicious script, startcode.bat.
The attackers also used other known tools, including sshd.exe for lateral movement within the network and rar.exe to compress sensitive files before exfiltrating them to Dropbox. Routing the stolen data through a legitimate cloud service let the attackers blend their activity into regular network traffic, complicating detection efforts.
This campaign overlaps with a previously reported espionage operation involving Stately Taurus. In that operation, the group used the ToneShell backdoor to archive files for exfiltration, using a distinct 13-character password. Unit 42 researchers discovered the same password being used in this new campaign, along with a similar set of Tactics, Techniques, and Procedures (TTPs), suggesting the two campaigns are part of a continuous effort by the group to target government entities in Southeast Asia.
While investigating the Stately Taurus campaign, Unit 42 uncovered another cluster of activity involving the ShadowPad backdoor. ShadowPad, a modular malware used by various Chinese threat groups since 2017, was operating in the same environment and on the same machines as the Stately Taurus attacks.
The connection between these two clusters remains unclear. Although both sets of activity occurred on the same endpoints and used similar techniques—such as batch files and DLL sideloading—Unit 42 could not definitively conclude whether this was a collaborative effort between two APT groups or simply one group piggybacking on the other's access.
Insights and Analysis
The consequences of this operation are severe, as the group has successfully targeted sensitive government data, including critical internal communications and classified information. By using legitimate tools such as VSCode and Dropbox for exfiltration, Stately Taurus has managed to evade traditional detection methods. Blending malicious activity with legitimate traffic poses a serious challenge to organizations attempting to defend their networks.
Organizations using Visual Studio Code should be vigilant and consider monitoring for abnormal usage patterns of code.exe in their environments. Scheduled tasks and reverse shells created through VSCode should be reviewed and monitored closely.
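One way to act on that advice is to run process-creation telemetry through a few rules keyed to the behaviours described above: code.exe launched with the tunnel subcommand, a scheduled task registered to run startcode.bat, and rar.exe archiving data. The script below is an added example, not code from Unit 42 or the report; the sample events are constructed and only mimic Sysmon Event ID 1 field names.

```python
import shlex

# Constructed sample process-creation events (Sysmon-style field names, made-up values).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe",          # benign editor launch
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\proj\main.py',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\Public\vscode\code.exe",                      # portable copy, tunnel mode
     "CommandLine": r"code.exe tunnel --accept-server-license-terms",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",                     # persistence via startcode.bat
     "CommandLine": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\startcode.bat",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",                     # benign query, no /create
     "CommandLine": r"schtasks /query /tn Updater",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\rar.exe",                              # staging files for exfiltration
     "CommandLine": r"rar.exe a -r C:\Users\Public\out.rar C:\Users\Public\Documents",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Each rule: (ATT&CK ID, description, predicate over (image basename, lowercased argv)).
RULES = [
    ("T1059.003", "VSCode started in tunnel mode (remote shell via code.exe tunnel)",
     lambda img, args: img == "code.exe" and "tunnel" in args),
    ("T1053.005", "Scheduled task created to run startcode.bat",
     lambda img, args: img == "schtasks.exe" and "/create" in args
                       and any(a.endswith("startcode.bat") for a in args)),
    ("T1560", "rar.exe adding files to an archive",
     lambda img, args: img == "rar.exe" and len(args) > 1 and args[1] == "a"),
]


def detect(events):
    """Return (technique_id, description, command_line) for every event a rule matches."""
    hits = []
    for ev in events:
        img = ev["Image"].rsplit("\\", 1)[-1].lower()
        # posix=False keeps Windows backslashes literal instead of treating them as escapes.
        args = [a.lower() for a in shlex.split(ev["CommandLine"], posix=False)]
        for tid, desc, match in RULES:
            if match(img, args):
                hits.append((tid, desc, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for tid, desc, cmd in detect(SAMPLE_EVENTS):
        print(f"[{tid}] {desc}: {cmd}")
```

In production these rules would run over real Sysmon or EDR process events and be tuned for the organisation's legitimate VSCode Remote Tunnels usage and RAR deployments.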
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| 506fc87c8c96fef1d2df24b0ba44c8116a9001ca5a7d7e9c01dc3940a664acb0 | File Hash (SHA-256) | SharpNBTScan malware |
| aa2c0de121ae738ce44727456d97434faff21fc69219e964e1e2d2f1ca16b1c5 | File Hash (SHA-256) | Batch file used by Stately Taurus |
| 216.83.40[.]84 | IP Address | Command and Control (C2) server for ShadowPad |
| ac34e1fb4288f8ad996b821c89b8cd82a61ed02f629b60fff9eb050aaf49fc31 | File Hash (SHA-256) | Mimikatz credential harvesting tool |
MITRE ATT&CK TTPs
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Stately Taurus used code.exe to execute commands on target systems |
| Persistence | Scheduled Task/Job | T1053.005 | Used a scheduled task to maintain persistence with startcode.bat |
| Lateral Movement | Remote Services: SSH | T1021.004 | Stately Taurus used sshd.exe to move laterally across networks |
| Collection | Archive Collected Data | T1560 | The group used rar.exe to compress and archive data for exfiltration |
| Exfiltration | Exfiltration Over Web Service | T1567.002 | Data was exfiltrated using Dropbox, a legitimate web service |