Chinese APT Abuses VSCode to Target Government in Asia
Sept. 9, 2024, 9:51 a.m.
Description
The report details a cyberespionage campaign by the Chinese advanced persistent threat (APT) group Stately Taurus against government entities in Southeast Asia. The group used a novel technique: it abused the reverse shell (remote tunnel) feature of Visual Studio Code to gain initial access to victim environments and to deliver additional malware payloads. This is not the exploitation of a software vulnerability but the abuse of a legitimate feature of a Microsoft-signed binary, which is what lets it slip past controls that only look for known-bad executables; the report describes it as the first observed instance of a threat actor using this technique in the wild. The campaign shares tactics, techniques and procedures (TTPs), timelines and victimology with a previous Stately Taurus operation. The report also examines a possible link between the Stately Taurus activity and a separate cluster that deployed the ShadowPad backdoor in the same targeted environment.
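Because the technique relies on a legitimate binary, hunting for it means looking at how Visual Studio Code was started rather than at file hashes. The following is an added example of that hunt, not code from the report or from the group's tooling. It assumes (assumptions not taken from the page) that the operator starts the VS Code CLI with its documented `tunnel` subcommand (`code.exe tunnel ...`), that the telemetry is Sysmon Event ID 1 / Windows 4688-style process-creation records carrying image path, command line and parent image, and that a launch from outside the standard install directories, from a scripting host, or with the `--accept-server-license-terms` unattended-setup flag is more suspicious than an interactive one. The sample events are constructed.

```python
"""Hunting for abuse of the Visual Studio Code tunnel (reverse shell) feature
in process-creation telemetry.

Added example; not code from the report or from Stately Taurus tooling.
Assumptions (not from the page): the VS Code CLI is started with its
documented `tunnel` subcommand, and events are Sysmon EID 1 / 4688-style
records. All sample events below are constructed.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # full command line as logged
    parent_image: str   # full path of the parent process
    user: str


@dataclass
class Finding:
    severity: str
    reasons: List[str]
    event: ProcEvent


# Executable names under which the VS Code CLI can be invoked.
VSCODE_CLI_NAMES = {"code.exe", "code.cmd", "code", "code-tunnel.exe"}

# Directories where an installed VS Code lives on Windows (system-wide and
# per-user installers). A copy anywhere else (Public, Temp, Downloads, a
# removable drive) is a portable build that somebody dropped there.
EXPECTED_INSTALL_RE = re.compile(
    r"^(?:c:\\program files\\microsoft vs code\\"
    r"|c:\\users\\[^\\]+\\appdata\\local\\programs\\microsoft vs code\\)",
    re.IGNORECASE,
)

# Parents that indicate a scripted or unattended launch rather than a user
# clicking the editor icon.
SCRIPTING_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                     "cscript.exe", "mshta.exe", "rundll32.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tunnel_invoked(command_line: str) -> bool:
    """True when `tunnel` appears as an argument token, not inside a path."""
    try:
        # posix=False keeps Windows backslashes intact and quoted paths whole.
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        return False
    return any(tok.strip('"').lower() == "tunnel" for tok in tokens[1:])


def classify(ev: ProcEvent) -> Optional[Finding]:
    """Return a Finding for a VS Code tunnel launch, None for anything else."""
    if _basename(ev.image) not in VSCODE_CLI_NAMES or not tunnel_invoked(ev.command_line):
        return None
    reasons = []
    if not EXPECTED_INSTALL_RE.match(ev.image):
        reasons.append("VS Code binary outside the standard install directories")
    parent = _basename(ev.parent_image)
    if parent in SCRIPTING_PARENTS:
        reasons.append(f"tunnel started by {parent} rather than interactively")
    if "--accept-server-license-terms" in ev.command_line.lower():
        reasons.append("license accepted non-interactively (unattended setup)")
    # Any tunnel launch is worth a look in a government network; the
    # aggravating factors above push it to high.
    return Finding("high" if reasons else "medium", reasons, ev)


def hunt(events: List[ProcEvent]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample telemetry; none of these values are IOCs from the report.
SAMPLE_EVENTS = [
    ProcEvent(  # ordinary editor process: ignored
        r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=renderer',
        r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcEvent(  # opening a folder that happens to be named "tunnel": ignored
        r"C:\Program Files\Microsoft VS Code\bin\code.cmd",
        r"code C:\proj\tunnel\src",
        r"C:\Windows\explorer.exe", r"CORP\bob"),
    ProcEvent(  # portable copy, scripted launch, unattended flags: high
        r"C:\Users\Public\code.exe",
        r"code.exe tunnel --accept-server-license-terms --name srv01",
        r"C:\Windows\System32\cmd.exe", r"CORP\svc-backup"),
    ProcEvent(  # installed copy started by hand: medium
        r"C:\Program Files\Microsoft VS Code\bin\code.cmd",
        r"code tunnel",
        r"C:\Windows\explorer.exe", r"CORP\carol"),
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.severity.upper(), f.event.user, f.event.command_line, f.reasons)
```

The check is deliberately on the command-line token rather than on a substring, so a user opening a project folder named `tunnel` does not fire; conversely, a tunnel launched from the standard install path by a real user still surfaces at medium, since an outbound editor tunnel is rarely appropriate on a government workstation and is exactly what the report describes the attackers relying on.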
Date
Published: Sept. 9, 2024, 9:05 a.m.
Created: Sept. 9, 2024, 9:05 a.m.
Modified: Sept. 9, 2024, 9:51 a.m.
Indicators
.83.40.84 (leading octets missing from the page)
185.132.125.72
Malware
POISONPLUG.SHADOW (Mandiant's name for ShadowPad)
ShadowPad - S0596
ToneShell
Intrusion Set
Stately Taurus
Attack Patterns (MITRE ATT&CK)
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1021.004 - Remote Services: SSH
T1087.001 - Account Discovery: Local Account
T1003.002 - OS Credential Dumping: Security Account Manager
T1003.001 - OS Credential Dumping: LSASS Memory
T1569.002 - System Services: Service Execution
T1543.003 - Create or Modify System Process: Windows Service
T1135 - Network Share Discovery
T1087.002 - Account Discovery: Domain Account
T1218.011 - System Binary Proxy Execution: Rundll32
T1027.002 - Obfuscated Files or Information: Software Packing
T1018 - Remote System Discovery
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1059.001 - Command and Scripting Interpreter: PowerShell
T1057 - Process Discovery
T1033 - System Owner/User Discovery
T1027 - Obfuscated Files or Information
Additional Information
Targeted sector: Government