The China-aligned threat actor known as Mustang Panda has been observed using an updated version of a backdoor called TONESHELL and a previously undocumented USB worm called SnakeDisk.
“The worm only executes on devices with Thailand-based IP addresses and drops the Yokai backdoor,” IBM X-Force researchers Golo Mühr and Joshua Chung said in an analysis published last week.
The tech giant’s cybersecurity division is tracking the cluster under the name Hive0154, which is also broadly referred to as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Polaris, RedDelta, Stately Taurus, and Twill Typhoon. The state-sponsored threat actor is believed to have been active since at least 2012.
TONESHELL was first publicly documented by Trend Micro way back in November 2022 as part of cyber attacks targeting Myanmar, Australia, the Philippines, Japan, and Taiwan between May and October. Typically executed via DLL side-loading, its primary responsibility is to download next-stage payloads on the infected host.
Typical attack chains involve the use of spear-phishing emails to drop malware families like PUBLOAD or TONESHELL. PUBLOAD, which also functions similarly to TONESHELL, is also capable of downloading shellcode payloads via HTTP POST requests from a command-and-control (C2) server.
The newly identified TONESHELL variants, named TONESHELL8 and TONESHELL9 by IBM X-Force, support C2 communication through locally configured proxy servers to blend in with enterprise network traffic and facilitate two active reverse shells in parallel. It also incorporates junk code copied from OpenAI’s ChatGPT website within the malware’s functions to evade static detection and resist analysis.
Also launched using DLL side-loading is a new USB worm called SnakeDisk that shares overlaps with TONEDISK (aka WispRider), another USB worm framework under the TONESHELL family. It’s mainly used to detect new and existing USB devices connected to the host, using it as a means of propagation.
Specifically, it moves the existing files on the USB into a new sub-directory, effectively tricking the victim to click on the malicious payload on a new machine by setting its name to the volume name of the USB device, or “USB.exe.” Once the malware is launched, the files are copied back to their original location.
A notable aspect of the malware is that it’s geofenced to execute only on public IP addresses geolocated to Thailand. SnakeDisk also serves as a conduit to drop Yokai, a backdoor that sets up a reverse shell to execute arbitrary commands. It was previously detailed by Netskope in December 2024 in intrusions targeting Thai officials.
“Yokai shows overlaps with other backdoor families attributed to Hive0154, such as PUBLOAD/PUBSHELL and TONESHELL,” IBM said. “Although those families are clearly separate pieces of malware, they roughly follow the same structure and use similar techniques to establish a…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
