Back

Chinese APT Abuses VSCode to Target Government in Asia

Sept. 9, 2024, 9:51 a.m.

Tags

apt
exfiltration
cyberespionage
shadowpad
poisonplug.shadow
toneshell
2024-09-09
credentialtheft
reverseshell
visualstudiocode

External References

https://unit42.paloaltonetworks.com/

https://otx.alienvault.com/

Description

The report details a campaign by the Chinese advanced persistent threat (APT) group Stately Taurus, which carried out cyberespionage operations against government entities in Southeast Asia. The group employed a novel technique that leveraged the reverse shell feature of Visual Studio Code to gain initial access and deliver additional malware payloads. This represents the first observed instance of threat actors exploiting this vulnerability. The campaign exhibits strong connections to a previous Stately Taurus operation through shared tactics, techniques, procedures (TTPs), timelines, and victimology. Furthermore, the report examines a potential link between the Stately Taurus activity and a separate cluster involving the ShadowPad backdoor within the same targeted environment.

Date

Published Created Modified
Sept. 9, 2024, 9:05 a.m. Sept. 9, 2024, 9:05 a.m. Sept. 9, 2024, 9:51 a.m.

Indicators

fb0c4db0011ee19742d7d8bd0558d8ee8be2ef23c4c61a3e80a34fba6c96f3ff

cca63c929f2f59894ea2204408f67fc1bff774bb7164fde7f42d0111df9461bd

bdadcd2842ed7ba8a21df7910a0acc15f8b0ca9d0b91bebb49f09a906ae217e6

acedfe9c662c2666787cbbf8d3a0225863bab2c239777594b003381244ed81ba

ac34e1fb4288f8ad996b821c89b8cd82a61ed02f629b60fff9eb050aaf49fc31

aa2c0de121ae738ce44727456d97434faff21fc69219e964e1e2d2f1ca16b1c5

965dd0b255f05ff012d2f152e973e09ceb9e95b6239dc820c8ac4d4492255472

8fdac78183ff18de0c07b10e8d787326691d7fb1f63b3383471312b74918c39f

5bfc45f7fce27d05e753a61dde5fab623efff3e4df56fb6a0cf178a0b11909ce

506fc87c8c96fef1d2df24b0ba44c8116a9001ca5a7d7e9c01dc3940a664acb0

456e4dae82a12bcda0506a750eac93bf79cc056b8aad09ec74878c90fd67bd8f

440e7bce4760b367b46754a70f480941a38cd6cd4c00c56bbaeb80b9c149afb1

3cc5ee93a9ba1fc57389705283b760c8bd61f35e9398bbfa3210e2becf6d4b05

39ceb73bcfd1f674a9b72a03476a9de997867353172c2bf6dde981c5b3ad512a

0f11b6dd8ff972a2f8cb7798b1a0a8cd10afadcea201541c93ef0ab9b141c184

216.83.40.84

185.132.125.72

Attack Patterns

POISONPLUG.SHADOW

ShadowPad - S0596

ToneShell

Stately Taurus

T1021.002

T1021.004

T1087.001

T1003.002

T1003.001

T1569.002

T1543.003

T1135

T1087.002

T1218.011

T1027.002

T1018

T1059.003

T1059.001

T1057

T1033

T1027

Additional Informations

Government