
Mustang Panda Deploys SnakeDisk USB Worm to Ship Yokai Backdoor on Thailand IPs


Sep 15, 2025 | Ravie Lakshmanan | Malware / Network Security


The China-aligned threat actor known as Mustang Panda has been observed using an updated version of a backdoor referred to as TONESHELL and a previously undocumented USB worm called SnakeDisk.

“The worm only executes on devices with Thailand-based IP addresses and drops the Yokai backdoor,” IBM X-Force researchers Golo Mühr and Joshua Chung said in an analysis published last week.

The tech giant’s cybersecurity division tracks the cluster under the name Hive0154; it is also broadly known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Polaris, RedDelta, Stately Taurus, and Twill Typhoon. The state-sponsored threat actor is believed to have been active since at least 2012.


TONESHELL was first publicly documented by Trend Micro in November 2022 as part of cyber attacks targeting Myanmar, Australia, the Philippines, Japan, and Taiwan between May and October of that year. Typically executed via DLL side-loading, its primary job is to download next-stage payloads onto the infected host.

Typical attack chains use spear-phishing emails to drop malware families such as PUBLOAD or TONESHELL. PUBLOAD functions similarly to TONESHELL and is likewise capable of downloading shellcode payloads via HTTP POST requests from a command-and-control (C2) server.

The newly identified TONESHELL variants, named TONESHELL8 and TONESHELL9 by IBM X-Force, support C2 communication through locally configured proxy servers, so that their traffic blends in with normal enterprise network traffic, and can run two active reverse shells in parallel. They also embed junk code copied from OpenAI’s ChatGPT website inside the malware’s functions to evade static detection and hinder analysis.

Also launched via DLL side-loading is a new USB worm called SnakeDisk, which overlaps with TONEDISK (aka WispRider), another USB worm framework in the TONESHELL family. Its primary purpose is to detect new and already-connected USB devices on the host and use them as a means of propagation.

Specifically, it moves the files already on the USB device into a new sub-directory and places the malicious payload at the root, naming it after the volume label of the USB device or “USB.exe,” so that a victim on a new machine is tricked into clicking it in place of their files. Once the malware is launched, the files are copied back to their original location.
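One way to check a mounted removable volume for the lure layout just described, as an added example rather than code from IBM X-Force or from the page: it looks for a root-level executable named after the volume label or “USB.exe” next to a single sub-directory into which the original files were moved. The function names, the relocation directory name “Documents”, and the sample volume trees (built in a temporary directory, so no real USB device is touched) are this example’s own assumptions.

```python
"""Heuristic check for the SnakeDisk lure layout described above.

Added example, not IBM X-Force's or the page's code. It assumes the layout the
article describes: the original files are moved into a new sub-directory and a
lure executable named "<volume label>.exe" or "USB.exe" is placed at the root.
The sample volumes are constructed fixtures, not real malware.
"""
from pathlib import Path
import tempfile

# Entries the OS itself puts on removable media; ignore them when judging
# whether the root has been emptied of user files.
SYSTEM_ENTRIES = {"System Volume Information", "$RECYCLE.BIN", "autorun.inf"}


def scan_volume_root(root: Path, volume_label: str) -> list[str]:
    """Return human-readable findings for one mounted removable volume.

    An empty list means the layout does not match the lure pattern.
    """
    root = Path(root)
    entries = [p for p in root.iterdir() if p.name not in SYSTEM_ENTRIES]
    files = [p for p in entries if p.is_file()]
    dirs = [p for p in entries if p.is_dir()]

    # The two lure names the article reports: "<volume label>.exe" and "USB.exe".
    lure_names = {f"{volume_label}.exe".lower(), "usb.exe"}
    lures = [f for f in files if f.name.lower() in lure_names]
    findings = [f"lure executable at volume root: {f.name}" for f in lures]

    # After the worm relocates the user's files, the root holds only the lure
    # and one new sub-directory. Report that as a separate signal so an analyst
    # can distinguish a bare lure from the full relocate-and-lure pattern.
    if lures and len(files) == len(lures) and len(dirs) == 1:
        moved = [p for p in dirs[0].rglob("*") if p.is_file()]
        findings.append(
            f"root otherwise empty; {len(moved)} file(s) relocated under {dirs[0].name!r}"
        )
    return findings


def build_sample_volume(base: Path, volume_label: str, infected: bool) -> Path:
    """Construct a sample volume tree (a fixture for this example, not malware).

    The infected layout mimics the SnakeDisk arrangement; the clean one is an
    ordinary stick holding the same documents at the root.
    """
    root = Path(base)
    root.mkdir(parents=True, exist_ok=True)
    (root / "System Volume Information").mkdir()
    documents = {"report.docx": b"report", "photo.jpg": b"jpeg"}
    if infected:
        moved_dir = root / "Documents"  # assumed relocation directory name
        moved_dir.mkdir()
        for name, data in documents.items():
            (moved_dir / name).write_bytes(data)
        # Placeholder bytes standing in for the lure; not a real PE file.
        (root / f"{volume_label}.exe").write_bytes(b"MZ")
    else:
        for name, data in documents.items():
            (root / name).write_bytes(data)
    return root


def run_demo() -> dict[str, list[str]]:
    """Scan one infected and one clean sample volume; return both result lists."""
    results: dict[str, list[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for kind in ("infected", "clean"):
            root = build_sample_volume(Path(tmp) / kind, "KINGSTON", kind == "infected")
            results[kind] = scan_volume_root(root, "KINGSTON")
    return results


if __name__ == "__main__":
    for kind, findings in run_demo().items():
        print(f"{kind}: {findings or 'no match'}")
```

On a real host you would call `scan_volume_root` with the mount point and the label the OS reports for the volume; reading that label is OS-specific and is left out here. The check is a heuristic for triage, not a signature: a stick that legitimately holds one folder and one tool named after its label will match, so treat a hit as a prompt to pull the executable for analysis rather than as proof of infection.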

A notable aspect of the malware is that it is geofenced to execute only on hosts whose public IP address geolocates to Thailand. SnakeDisk also serves as a conduit to drop Yokai, a backdoor that sets up a reverse shell to execute arbitrary commands. Yokai was previously detailed by Netskope in December 2024 in intrusions targeting Thai officials.


“Yokai shows overlaps with other backdoor families attributed to Hive0154, such as PUBLOAD/PUBSHELL and TONESHELL,” IBM said. “Although these families are clearly separate pieces of malware, they roughly follow the same structure and use similar techniques to establish a reverse shell with their C2 server.”

The use of SnakeDisk and Yokai likely points to a sub-group within Mustang Panda that is focused specifically on Thailand, while also underscoring the continued evolution and refinement of the threat actor’s arsenal.

“Hive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles,” the company concluded. “This group appears to maintain a considerably large malware ecosystem with frequent overlaps in both malicious code, techniques used across attacks, as well as targeting.”
