Attacks leveraging a kernel-mode rootkit to spread a new variant of the ToneShell malware have been launched by Chinese advanced persistent threat group Mustang Panda, also known as Bronze President or HoneyMyte, against government entities across Southeast Asia and East Asia, particularly Thailand and Myanmar, since February, according to BleepingComputer.
Mustang Panda tapped the "ProjectConfiguration.sys" mini-filter driver with a stolen or leaked certificate given to Guangzhou Kingteller Technology Co., Ltd. to facilitate the distribution of the updated ToneShell backdoor, while bypassing static analysis tools, a report from Kaspersky revealed.
Aside from featuring a novel 4-byte host ID market-based host identification scheme and bogus TLS headers for network traffic obfuscation, the new ToneShell variant also enables temporary file creation for incoming data, file downloads, and remote shell creation and termination.
"This is the first time we've seen ToneShell delivered through a kernel-mode loader, giving it protection from user-mode monitoring and benefiting from the rootkit capabilities of the driver that hides its activity from security tools," said Kaspersky researchers.
Mustang Panda tapped the "ProjectConfiguration.sys" mini-filter driver with a stolen or leaked certificate given to Guangzhou Kingteller Technology Co., Ltd. to facilitate the distribution of the updated ToneShell backdoor, while bypassing static analysis tools, a report from Kaspersky revealed.
Aside from featuring a novel 4-byte host ID market-based host identification scheme and bogus TLS headers for network traffic obfuscation, the new ToneShell variant also enables temporary file creation for incoming data, file downloads, and remote shell creation and termination.
"This is the first time we've seen ToneShell delivered through a kernel-mode loader, giving it protection from user-mode monitoring and benefiting from the rootkit capabilities of the driver that hides its activity from security tools," said Kaspersky researchers.




