Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs
"The China-aligned threat actor known as Mustang Panda has been observed using an updated version of a backdoor called TONESHELL and a previously undocumented USB worm called SnakeDisk. "The worm only executes on devices with Thailand-based IP addresses and drops the Yokai backdoor," IBM X-Force researchers Golo Mühr and Joshua Chung said in an analysis published last week. The tech giant's cybersecurity division is tracking the cluster under"
"The newly identified TONESHELL variants, named TONESHELL8 and TONESHELL9 by IBM X-Force, support C2 communication through locally configured proxy servers to blend in with enterprise network traffic and facilitate two active reverse shells in parallel. They also incorporate junk code copied from OpenAI's ChatGPT website within the malware's functions to evade static detection and resist analysis. Also launched using DLL side-loading is a new USB worm called SnakeDisk that shares overlaps with TONEDISK (aka WispRider), another USB worm framework under the TONESHELL family."
Mustang Panda is using updated variants of the TONESHELL backdoor together with a previously undocumented USB worm named SnakeDisk. SnakeDisk executes only on devices with Thailand-based IP addresses and drops the Yokai backdoor. IBM X-Force tracks the cluster as Hive0154 (aliases include BASIN, Bronze President and Camaro Dragon, among others) and attributes it to a state-sponsored actor active since at least 2012. Attack chains typically start with spear-phishing that delivers DLL side-loaded loaders such as PUBLOAD and TONESHELL, which then download next-stage payloads. The new TONESHELL8 and TONESHELL9 variants route C2 traffic through locally configured proxy servers so it blends with enterprise network traffic, run two reverse shells in parallel, and pad their functions with junk code copied from the ChatGPT website to hinder static detection and analysis. SnakeDisk, also launched via DLL side-loading, overlaps with TONEDISK (aka WispRider) and detects connected USB devices in order to propagate.
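DLL side-loading, which the summary above names as the common launcher for PUBLOAD, TONESHELL and SnakeDisk, leaves a recognizable trace in image-load telemetry: a DLL carrying a well-known system DLL name is loaded from a non-system directory, and the executable importing it lives in that same directory. The following is an added example, not code from the article or from IBM X-Force, that runs this heuristic over constructed Sysmon-style image-load events; the DLL name list, the system-directory list and the event field names are assumptions made for illustration.

```python
import ntpath

# Directories where these DLLs legitimately live (assumed list for this example).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# DLL names frequently impersonated in side-loading chains. Illustrative
# assumption for this example; the article names loaders, not the DLLs used.
SIDELOAD_DLL_NAMES = {
    "version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll",
    "cryptbase.dll", "dbghelp.dll", "msimg32.dll",
}

# Constructed image-load events, shaped like Sysmon Event ID 7 (Image / ImageLoaded).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\version.dll"},            # benign
    {"image": r"E:\Photos\viewer.exe",
     "image_loaded": r"E:\Photos\version.dll"},                      # removable drive
    {"image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "image_loaded": r"C:\Users\bob\AppData\Local\Temp\dwmapi.dll"}, # user-writable dir
    {"image": r"C:\Program Files\App\app.exe",
     "image_loaded": r"C:\Program Files\App\app.dll"},               # app's own DLL
    {"image": r"C:\Users\bob\Downloads\tool.exe",
     "image_loaded": r"C:\Windows\System32\version.dll"},            # real system DLL
]


def _norm(path):
    """Case-fold and normalise separators so comparisons are stable."""
    return path.replace("/", "\\").lower()


def classify(event):
    """Return a reason string if the event matches the side-loading pattern, else None."""
    proc = _norm(event["image"])
    dll = _norm(event["image_loaded"])
    name = ntpath.basename(dll)
    if name not in SIDELOAD_DLL_NAMES:
        return None                       # not a commonly impersonated DLL name
    dll_dir = ntpath.dirname(dll)
    if dll_dir in SYSTEM_DIRS:
        return None                       # loaded from where it legitimately lives
    if ntpath.dirname(proc) != dll_dir:
        return None                       # DLL is not beside the loading executable
    return f"{name} loaded from {dll_dir} beside {ntpath.basename(proc)}"


def find_sideloads(events):
    """Return (process image, reason) pairs for every suspicious event."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason:
            hits.append((event["image"], reason))
    return hits


if __name__ == "__main__":
    for image, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"SUSPECT {image}: {reason}")
```

The same-directory check is what separates side-loading from an ordinary search-order hijack elsewhere on disk; the removable-drive event in the sample is the shape a USB worm such as SnakeDisk would produce when its decoy executable is opened from the stick.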
Read at The Hacker News