Unveiling the Secrets: How Chinese State Hackers Exploit Rootkits to Conceal ToneShell Malware

Admin

Recently, a new variant of the ToneShell backdoor has been linked to Chinese cyberespionage efforts. This malware has been spotted mainly in attacks against government bodies in countries like Myanmar and Thailand.

The Mustang Panda group, also known as HoneyMyte, is behind this backdoor. They often target government agencies and NGOs, reflecting a broader trend in state-sponsored hacking aimed at critical infrastructure worldwide.

Kaspersky’s research indicates that the malware was delivered through a newly discovered kernel-mode loader named ProjectConfiguration.sys. This particular driver was signed with a stolen certificate, adding an extra layer of deception.

Kernel-mode drivers run at a higher privilege level than regular applications, which lets them intercept file operations and bypass many security controls. By modifying system configuration from the kernel, the driver can hide its presence and prevent antivirus software from detecting it.

One striking feature of this ToneShell variant is its ability to evade security tools. It achieves this by resolving necessary kernel APIs at runtime, rather than directly importing them, making it harder to analyze and detect.
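Runtime resolution leaves a visible gap in a driver's static import table, which is the first thing a triage script can check. The following is an added example, not code from the article or from Kaspersky's report: a small PE32+ import-table walker plus a heuristic that flags a driver whose only ntoskrnl.exe import is the lookup routine itself. The sample images are constructed in code, and the "at most two kernel imports" threshold is an assumption for illustration.

```python
import struct

def _off(rva, sections):  # translate an RVA to a file offset through the section table
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} outside all sections")

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def list_imports(data):
    """Walk a PE32+ import directory and return {dll_name: [imported symbol names]}."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                        # e_lfanew
    opt, (nsec, opt_size) = pe + 24, struct.unpack_from("<H12xH", data, pe + 6)
    if data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    hdrs = (struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec))
    sections = [(sva, max(vsize, rawsize), praw) for vsize, sva, rawsize, praw in hdrs]
    imp_rva, imports = struct.unpack_from("<I", data, opt + 120)[0], {}  # data directory[1]
    desc = _off(imp_rva, sections) if imp_rva else None
    while desc is not None and struct.unpack_from("<I", data, desc + 12)[0]:  # Name == 0 ends it
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        names, thunk = [], _off(ilt or iat, sections)
        while entry := struct.unpack_from("<Q", data, thunk)[0]:
            names.append(f"#{entry & 0xFFFF}" if entry >> 63 else _cstr(data, _off(entry, sections) + 2))
            thunk += 8
        imports[_cstr(data, _off(name_rva, sections)).lower()] = names
        desc += 20
    return imports

def resolves_apis_at_runtime(imports):
    # Heuristic (assumption, not from the report): kernel imports reduced to the lookup routine itself.
    kernel = imports.get("ntoskrnl.exe", [])
    return "MmGetSystemRoutineAddress" in kernel and len(kernel) <= 2

def build_sample_driver(funcs):
    # Constructed test input: minimal PE32+ image, one section, one import descriptor for ntoskrnl.exe.
    va, raw, ilt_rva, names, name_rvas = 0x1000, 0x200, 0x1000 + 40, bytearray(), []
    for f in funcs:
        name_rvas.append(ilt_rva + 8 * (len(funcs) + 1) + len(names))
        names += b"\0\0" + f + b"\0"                                    # hint + name
    dll_rva = ilt_rva + 8 * (len(funcs) + 1) + len(names)
    sec = struct.pack("<IIIII", ilt_rva, 0, 0, dll_rva, ilt_rva) + bytes(20)
    sec += b"".join(struct.pack("<Q", r) for r in name_rvas) + bytes(8) + names + b"ntoskrnl.exe\0"
    opt = struct.pack("<H", 0x20B) + bytes(118) + struct.pack("<II", va, 40) + bytes(112)
    hdr = bytearray(64) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0) + opt
    struct.pack_into("<I", hdr, 0x3C, 64)
    hdr += b".idata\0\0" + struct.pack("<IIII", len(sec), va, len(sec), raw) + bytes(16)
    return bytes(hdr).ljust(raw, b"\0") + sec
```

Run `list_imports` over a real `.sys` file read in binary mode to see the same view; a near-empty ntoskrnl.exe list on a driver that clearly does real work is the static hint that the rest of its API surface is being resolved at runtime.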

According to Kaspersky, this represents a significant evolution in the group’s tactics. “We’ve never seen ToneShell delivered through a kernel-mode loader before, enhancing its stealth and significance,” they noted.

The malware can perform multiple remote operations, such as creating temporary files, downloading and uploading data, and establishing remote shells for further command execution. These upgrades make the malware more powerful and challenging to combat.

Interestingly, a recent survey indicates that 70% of organizations feel unprepared to deal with advanced threats like this one. This statistic highlights the importance of proactive security measures. To combat such evolving threats, organizations must invest in memory forensics, a technique deemed crucial in uncovering infections like ToneShell.

As the Mustang Panda group continues to adapt, cybersecurity researchers stress the need for constant vigilance. Understanding these tactics is key to building robust defenses against state-sponsored cyber threats.

For more detailed insights on cybersecurity tactics, you can reference Kaspersky’s report here.
