Threat Management, Threat Intelligence, Ransomware, Malware

Mustang Panda’s updated ToneShell backdoor deployed via kernel-mode rootkit

Malware

Attacks leveraging a kernel-mode rootkit to spread a new variant of the ToneShell malware have been launched by Chinese advanced persistent threat group Mustang Panda, also known as Bronze President or HoneyMyte, against government entities across Southeast Asia and East Asia, particularly Thailand and Myanmar, since February, according to BleepingComputer.

Mustang Panda tapped the "ProjectConfiguration.sys" mini-filter driver with a stolen or leaked certificate given to Guangzhou Kingteller Technology Co., Ltd. to facilitate the distribution of the updated ToneShell backdoor, while bypassing static analysis tools, a report from Kaspersky revealed.

Aside from featuring a novel 4-byte host ID market-based host identification scheme and bogus TLS headers for network traffic obfuscation, the new ToneShell variant also enables temporary file creation for incoming data, file downloads, and remote shell creation and termination.

"This is the first time we've seen ToneShell delivered through a kernel-mode loader, giving it protection from user-mode monitoring and benefiting from the rootkit capabilities of the driver that hides its activity from security tools," said Kaspersky researchers.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds