Chinese APT Abuses VSCode to Target Government in Asia

    Date: 09/09/2024

    Severity: High

    Summary

    Unit 42 researchers have discovered that the Chinese APT group Stately Taurus abused Visual Studio Code for espionage against Southeast Asian governments. The attackers used the software's reverse shell feature, a technique first described in 2023; this campaign is its first known use in the wild. Based on the tactics, timeline, and targets, the campaign is likely a continuation of a prior operation linked to Stately Taurus.

    Indicators of Compromise (IOC) List

    IP Address

    216.83.40.84

    185.132.125.72

    Hash


    Service Names

    WindowsMailServices

    test12

    WindowsEdgeUpdateServices

    Javaservice

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    dstipaddress IN ("216.83.40.84","185.132.125.72") or ipaddress IN ("216.83.40.84","185.132.125.72") or publicipaddress IN ("216.83.40.84","185.132.125.72") or srcipaddress IN ("216.83.40.84","185.132.125.72")

    Detection Query 2

    sha256hash IN ("cca63c929f2f59894ea2204408f67fc1bff774bb7164fde7f42d0111df9461bd","3cc5ee93a9ba1fc57389705283b760c8bd61f35e9398bbfa3210e2becf6d4b05","ac34e1fb4288f8ad996b821c89b8cd82a61ed02f629b60fff9eb050aaf49fc31","bdadcd2842ed7ba8a21df7910a0acc15f8b0ca9d0b91bebb49f09a906ae217e6","440e7bce4760b367b46754a70f480941a38cd6cd4c00c56bbaeb80b9c149afb1","acedfe9c662c2666787cbbf8d3a0225863bab2c239777594b003381244ed81ba","0f11b6dd8ff972a2f8cb7798b1a0a8cd10afadcea201541c93ef0ab9b141c184","fb0c4db0011ee19742d7d8bd0558d8ee8be2ef23c4c61a3e80a34fba6c96f3ff")

    Detection Query 3

    (resourcename = "Windows Security" AND eventtype = "4697") AND rawmessages IN ("WindowsMailServices", "test12", "WindowsEdgeUpdateServices", "Javaservice")

    Detection Query 4
    (Technologygroup = "EDR") AND winmessage IN ("WindowsMailServices", "test12", "WindowsEdgeUpdateServices", "Javaservice")
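    The four queries above re-implemented as a small IOC matcher, added here as an example and not part of the advisory or of Gurucul's product. It assumes events have already been normalised into dicts whose keys mirror the query field names, plus a parsed `servicename` field (an assumption; the Gurucul queries search the raw message text), and it makes service-name and hash matching case-insensitive, which the queries do not spell out.

```python
# Indicators copied from the advisory's IOC list above.
IOC_IPS = {"216.83.40.84", "185.132.125.72"}
IOC_SHA256 = {
    "cca63c929f2f59894ea2204408f67fc1bff774bb7164fde7f42d0111df9461bd",
    "3cc5ee93a9ba1fc57389705283b760c8bd61f35e9398bbfa3210e2becf6d4b05",
    "ac34e1fb4288f8ad996b821c89b8cd82a61ed02f629b60fff9eb050aaf49fc31",
    "bdadcd2842ed7ba8a21df7910a0acc15f8b0ca9d0b91bebb49f09a906ae217e6",
    "440e7bce4760b367b46754a70f480941a38cd6cd4c00c56bbaeb80b9c149afb1",
    "acedfe9c662c2666787cbbf8d3a0225863bab2c239777594b003381244ed81ba",
    "0f11b6dd8ff972a2f8cb7798b1a0a8cd10afadcea201541c93ef0ab9b141c184",
    "fb0c4db0011ee19742d7d8bd0558d8ee8be2ef23c4c61a3e80a34fba6c96f3ff",
}
# Service names deduplicated and lower-cased so matching is case-insensitive.
IOC_SERVICES = {s.lower() for s in (
    "WindowsMailServices", "test12", "WindowsEdgeUpdateServices", "Javaservice")}
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def match_event(ev):
    """Return (rule, indicator) pairs that fire for one normalised event dict."""
    hits = []
    for f in IP_FIELDS:                                   # Query 1
        if ev.get(f) in IOC_IPS:
            hits.append(("ioc_ip", ev[f]))
    h = str(ev.get("sha256hash", "")).lower()             # Query 2
    if h in IOC_SHA256:
        hits.append(("ioc_hash", h))
    # Queries 3 and 4: Security event 4697 (service installed) or an EDR record.
    is_4697 = ev.get("resourcename") == "Windows Security" and str(ev.get("eventtype")) == "4697"
    if is_4697 or ev.get("technologygroup") == "EDR":
        if str(ev.get("servicename", "")).lower() in IOC_SERVICES:
            hits.append(("ioc_service", ev["servicename"]))
    return hits


def scan(events):
    """Run match_event over a sequence of events; returns (index, rule, indicator)."""
    return [(i, r, x) for i, ev in enumerate(events) for r, x in match_event(ev)]


# Constructed sample events (not real telemetry); the last one must not fire.
SAMPLE_EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "216.83.40.84"},
    {"sha256hash": "CCA63C929F2F59894EA2204408F67FC1BFF774BB7164FDE7F42D0111DF9461BD"},
    {"resourcename": "Windows Security", "eventtype": 4697, "servicename": "windowsmailservices"},
    {"technologygroup": "EDR", "servicename": "Javaservice"},
    {"resourcename": "Windows Security", "eventtype": 4697, "servicename": "Spooler"},
]
```

    Note that `scan(SAMPLE_EVENTS)` flags the first four events and ignores the legitimate Spooler install, which is the behaviour to confirm before deploying the equivalent SIEM rules.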

    Reference:

    https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

    Tags

    Malware, APT
