The China-aligned risk actor often called Mustang Panda has been noticed utilizing an up to date model of a backdoor referred to as TONESHELL and a beforehand undocumented USB worm referred to as SnakeDisk.
“The worm solely executes on units with Thailand-based IP addresses and drops the Yokai backdoor,” IBM X-Drive researchers Golo Mühr and Joshua Chung mentioned in an evaluation revealed final week.
The tech big’s cybersecurity division is monitoring the cluster underneath the identify Hive0154, which can be broadly known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Polaris, RedDelta, Stately Taurus, and Twill Hurricane. The state-sponsored risk actor is believed to have been energetic since no less than 2012.
TONESHELL was first publicly documented by Development Micro means again in November 2022 as a part of cyber assaults concentrating on Myanmar, Australia, the Philippines, Japan, and Taiwan between Might and October. Usually executed through DLL side-loading, its major duty is to obtain next-stage payloads on the contaminated host.
Typical assault chains contain using spear-phishing emails to drop malware households like PUBLOAD or TONESHELL. PUBLOAD, which additionally features equally to TONESHELL, can be able to downloading shellcode payloads through HTTP POST requests from a command-and-control (C2) server.
The newly recognized TONESHELL variants, named TONESHELL8 and TONESHELL9 by IBM X-Drive, assist C2 communication by domestically configured proxy servers to mix in with enterprise community site visitors and facilitate two energetic reverse shells in parallel. It additionally incorporates junk code copied from OpenAI’s ChatGPT web site inside the malware’s features to evade static detection and resist evaluation.
Additionally launched utilizing DLL side-loading is a brand new USB worm referred to as SnakeDisk that shares overlaps with TONEDISK (aka WispRider), one other USB worm framework underneath the TONESHELL household. It is primarily used to detect new and present USB units related to the host, utilizing it as a method of propagation.
Particularly, it strikes the present information on the USB into a brand new sub-directory, successfully tricking the sufferer to click on on the malicious payload on a brand new machine by setting its identify to the quantity identify of the USB gadget, or “USB.exe.” As soon as the malware is launched, the information are copied again to their unique location.
A notable facet of the malware is that it is geofenced to execute solely on public IP addresses geolocated to Thailand. SnakeDisk additionally serves as a conduit to drop Yokai, a backdoor that units up a reverse shell to execute arbitrary instructions. It was beforehand detailed by Netskope in December 2024 in intrusions concentrating on Thai officers.
“Yokai reveals overlaps with different backdoor households attributed to Hive0154, similar to PUBLOAD/PUBSHELL and TONESHELL,” IBM mentioned. “Though these households are clearly separate items of malware, they roughly observe the identical construction and use comparable methods to ascertain a reverse shell with their C2 server.”
Using SnakeDisk and Yokai doubtless factors to a sub-group inside Mustang Panda that is hyper-focused on Thailand, whereas additionally underscoring the continued evolution and refinement of the risk actor’s arsenal.
“Hive0154 stays a extremely succesful risk actor with a number of energetic subclusters and frequent improvement cycles,” the corporate concluded. “This group seems to keep up a significantly massive malware ecosystem with frequent overlaps in each malicious code, methods used throughout assaults, in addition to concentrating on.”
