Python-Based Malware Slithers Into Systems via Legit VS Code
The prolific Chinese APT Mustang Panda is the likely culprit behind a sophisticated cyber-espionage attack that sets up persistent remote access to victim machines.
October 2, 2024
The Chinese advanced persistent threat (APT) group known as Mustang Panda is the likely culprit behind a sophisticated, ongoing cyber-espionage campaign. It starts with a malicious email and ultimately uses Visual Studio Code (VS Code) to distribute Python-based malware that gives attackers unauthorized and persistent remote access to infected machines.
Researchers from Cyble Research and Intelligence Lab (CRIL) discovered the campaign, which spreads an .lnk file disguised as a legitimate setup file. The .lnk file downloads a Python distribution package that is, in reality, used to run a malicious Python script. The attack relies on VS Code: if it is not already present on the machine, the attacker deploys it by installing the VS Code command line interface (CLI), the researchers noted in analysis published Oct. 2.
"The [threat actor (TA)] leverages a [VS Code] tool to initiate a remote tunnel and retrieve an activation code, which the TA can use to gain unauthorized remote access to the victim’s machine," according to the blog post about the attack. "This enables the TA to interact with the system, access files, and perform additional malicious activities," which include exfiltrating data and delivering further malware.
Though attribution for the attack is not entirely clear, the researchers found Chinese-language elements and identified tactics, techniques, and procedures (TTPs) in the attack flow that point to the Chinese APT group perhaps best known as Mustang Panda. Cyble tracks it as Stately Taurus, and it also goes by the names Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta.
Mission: To Gain Unauthorized Access
The attack starts with the execution of the .lnk file, which displays a fake "successful installation" message in Chinese while it silently downloads additional components in the background. Among those is a Python distribution package, which eventually downloads the malicious Python script mentioned above. Once executed, the script checks whether VS Code is already installed on the system by testing for the existence of a particular directory. If the directory is not found, the script proceeds to download the VS Code command line interface (CLI) from a Microsoft source.
Eventually, the script sets up a scheduled task to ensure the persistence of its malicious activities, which include establishing a remote tunnel that gives attackers access to the infected machine. To establish the tunnel, the attackers use VS Code Remote-Tunnels, an extension typically used to connect to a remote machine, such as a desktop PC or virtual machine (VM), via a secure tunnel, according to Cyble. "This enables users to [remotely] access the machine from any [VS Code] client without the need for SSH," according to the post.
The attackers also leverage another legitimate service, the code-hosting platform GitHub, as a strategic means of accessing files on the infected machine. When setting up the remote tunnel, the script automatically associates it with a GitHub account for authentication and extracts an activation code that enables further malicious activity later in the attack.
The malware also extracts a list of processes currently running on the victim’s machine and sends them directly to the command-and-control (C2) server, and goes on to gather further sensitive data, such as the system’s language settings, geographical location, computer name, user name, user domain, and details about user privileges. It also collects the names of folders from several directories.
After the attackers receive the exfiltrated data, they can log in for remote access to the device using a GitHub account. "Here, the TA can enter the exfiltrated alphanumeric activation code to gain unauthorized access to the victim’s machine," according to Cyble.
"This degree of access not only enables them to browse through the victims’ files but also enables them to execute commands through the terminal," according to the post. "With this control, the TA can perform a variety of actions, such as installing malware, extracting sensitive information, or altering system settings, potentially leading to further exploitation of the victim’s system and data."
APT Defense Requires Cyber Vigilance
At the time Cyble published the research, the malicious Python script deployed by the attack had no detections on VirusTotal, which makes it difficult for defenders to detect it through standard security tools, the researchers noted.
To mitigate these kinds of attacks by sophisticated APTs like Mustang Panda, Cyble recommends that organizations use advanced endpoint protection solutions that include behavioral analysis and machine-learning capabilities to detect and block suspicious activities, even those involving legitimate applications like VS Code. Defenders also should review scheduled tasks on all systems regularly to identify unauthorized or unusual entries, which can help detect persistence mechanisms established by threat actors.
Other mitigation activities include setting up training sessions to educate users about the risks of opening suspicious files or links, particularly .lnk files and files from unknown sources. As a general rule, organizations should also limit user permissions to install software, particularly for tools that can be abused, like VS Code, and use application whitelisting to control which applications can be installed and run on systems.
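One way to act on the scheduled-task review Cyble recommends is to scan exported task definitions for the two persistence traits described above: a VS Code CLI invoked with its tunnel subcommand, and a Python interpreter run from a user-writable location. The following is an added example and not code from Cyble or the report; the CSV rows, task names and paths are constructed, and the user-writable path list and regular expressions are heuristic assumptions.

```python
import csv
import io
import re

# Constructed, trimmed sample of `schtasks /query /fo CSV /v` output. The task
# names and paths are invented for this example, not indicators from the report.
SAMPLE_SCHTASKS_CSV = '''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft","%windir%\\system32\\defrag.exe -c -h -o -$"
"WS01","\\Updater","10/3/2024 9:00:00 AM","Ready","Interactive only","10/2/2024 9:00:00 AM","0","WS01\\user","C:\\Users\\user\\AppData\\Local\\Temp\\code.exe tunnel --accept-server-license-terms"
"WS01","\\Maintenance","10/3/2024 9:05:00 AM","Ready","Interactive only","N/A","0","WS01\\user","C:\\ProgramData\\python\\python.exe C:\\ProgramData\\update.py"
'''

# VS Code CLI launched with the `tunnel` subcommand (code.exe, code-tunnel.exe or
# bare `code`), which is what backs a Remote-Tunnels session.
TUNNEL_RE = re.compile(r'(?i)\bcode(?:-tunnel)?(?:\.exe)?"?\s+tunnel\b')
# Python interpreter binaries (python.exe, pythonw.exe, python3.12.exe, ...).
PYTHON_RE = re.compile(r'(?i)\bpythonw?(?:\d+(?:\.\d+)?)?\.exe\b')
# Heuristic (assumed) set of user-writable directories a dropped interpreter
# would typically live in; tune to the environment being reviewed.
USER_WRITABLE_RE = re.compile(r'(?i)\\(?:AppData|Temp|ProgramData|Public|Downloads)\\')


def find_suspicious_tasks(schtasks_csv: str) -> list:
    """Return tasks whose 'Task To Run' command matches a persistence trait.

    Each finding is a dict with the task name, the command line and the list
    of reasons it was flagged, in the order the rows appear in the export.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        cmd = row.get("Task To Run", "")
        reasons = []
        if TUNNEL_RE.search(cmd):
            reasons.append("vscode_cli_tunnel")
        if PYTHON_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
            reasons.append("python_from_user_writable_path")
        if reasons:
            findings.append({"task": row["TaskName"], "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{hit['task']}: {', '.join(hit['reasons'])}\n    {hit['command']}")
```

On a live host, feed the function the text of `schtasks /query /fo CSV /v` instead of the constructed sample; a hit is a starting point for triage, not proof of compromise, since developers legitimately run VS Code tunnels.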