
The Chinese threat actor known as Mustang Panda has been linked to updated versions of the backdoor called ToneShell and a previously undocumented USB worm called SnakeDisk.
“The worm runs only on devices with IP addresses based in Thailand and drops the Yokai backdoor,” IBM X-Force researchers Golo Mühr and Joshua Chung said in an analysis published last week.
The tech giant's cybersecurity division tracks the cluster under the name Hive0154. It is also widely known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Polaris, RedDelta and Twill Typhoon. The state-sponsored threat actor is believed to have been active since at least 2012.

ToneShell was first documented by Trend Micro in November 2022 as part of cyberattacks targeting Myanmar, Australia, the Philippines, Japan and Taiwan between May and October of that year. Typically executed via DLL side-loading, its main responsibility is to download the next-stage payload onto the infected host.
A typical attack chain involves the use of spear-phishing emails to drop malware families such as PUBLOAD and ToneShell. Working in a similar way to ToneShell, PUBLOAD can also download shellcode payloads via HTTP POST requests from a command-and-control (C2) server.
The newly identified ToneShell variants documented by IBM X-Force, named ToneShell8 and ToneShell9, support C2 communications through locally configured proxy servers so that the traffic blends in with enterprise network traffic, and support two active reverse shells in parallel. Additionally, to evade static detection and resist analysis, junk code copied from OpenAI's ChatGPT website is embedded within the malware's functionality.
Also launched using DLL side-loading is a new USB worm called SnakeDisk, which overlaps with ToneDisk (aka WispRider), another USB worm framework in the ToneShell family. It mainly detects new and existing USB devices connected to the host and uses them as a means of propagation.
Specifically, it moves the existing files on the USB device into a new subdirectory and effectively tricks the victim into clicking the malicious payload on the new machine by giving the payload the USB device's volume name or the name “USB.exe”. When the malware starts, the files are copied back to their original location.
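The lure pattern described above (a root-level executable named after the volume label or “USB.exe”, with the user's files moved into a subdirectory) is something a defender can check for on mounted removable media. The following is an added illustrative example, not IBM X-Force's code and not a signature for SnakeDisk; the executable suffixes, the subdirectory name and the sample layout it builds are assumptions constructed for the demo.

```python
"""Heuristic scan of a removable volume root for the USB-worm lure pattern:
an executable at the root named after the volume label or 'USB.exe', with
the user's documents relocated beneath a subdirectory.

Added example for illustration only; not a detection signature for SnakeDisk.
"""
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumption: file types worth inspecting as a possible lure executable.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


def find_lure_executables(root: Path, volume_label: str) -> List[str]:
    """Return root-level executables whose name matches the lure naming scheme."""
    lure_stems = {volume_label.lower(), "usb"}
    hits = []
    for entry in root.iterdir():
        if (entry.is_file()
                and entry.suffix.lower() in EXEC_SUFFIXES
                and entry.stem.lower() in lure_stems):
            hits.append(entry.name)
    return sorted(hits)


def user_files_moved(root: Path) -> bool:
    """True when the root holds no ordinary documents but a subdirectory does.

    Assumption: a lure-only root with the victim's files relocated beneath it
    is the layout the worm leaves behind; a normal stick keeps documents at the root.
    """
    root_docs = [e for e in root.iterdir()
                 if e.is_file() and e.suffix.lower() not in EXEC_SUFFIXES]
    sub_docs = [p for sub in root.iterdir() if sub.is_dir()
                for p in sub.rglob("*") if p.is_file()]
    return not root_docs and bool(sub_docs)


def scan_volume(root: Path, volume_label: str) -> Dict[str, object]:
    """Combine both heuristics into a single verdict for the volume."""
    lures = find_lure_executables(root, volume_label)
    moved = user_files_moved(root)
    return {
        "lure_executables": lures,
        "files_relocated": moved,
        "suspicious": bool(lures) and moved,
    }


def build_demo_volume(base: Path, volume_label: str, infected: bool) -> Path:
    """Constructed sample layout; the 'infected' variant mimics the lure, with
    placeholder bytes standing in for the payload (no real executable is written)."""
    root = base / volume_label
    root.mkdir(parents=True)
    # Assumption: the worm-chosen subdirectory name is not given on the page.
    doc_dir = root / "files" if infected else root
    doc_dir.mkdir(exist_ok=True)
    (doc_dir / "report.docx").write_bytes(b"demo document")
    (doc_dir / "photo.jpg").write_bytes(b"demo image")
    if infected:
        (root / f"{volume_label}.exe").write_bytes(b"MZ placeholder")
    return root


def demo_scan(volume_label: str, infected: bool) -> Dict[str, object]:
    """Build a throwaway demo volume in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_volume(Path(tmp), volume_label, infected)
        return scan_volume(root, volume_label)


if __name__ == "__main__":
    print("infected:", demo_scan("KINGSTON", infected=True))
    print("clean:   ", demo_scan("KINGSTON", infected=False))
```

Because the page notes that the malware copies the files back to their original location once it runs, the relocated-files heuristic only holds before the lure is clicked; the root-level executable check is the part worth keeping in a standing removable-media policy.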
A notable aspect of the malware is that it is geofenced to run only on public IP addresses geolocated in Thailand. SnakeDisk also functions as a conduit for dropping Yokai, a backdoor that sets up a reverse shell to run arbitrary commands. Yokai was previously detailed by Netskope in December 2024 in connection with an intrusion targeting Thai officials.

“Yokai shows overlap with other backdoor families attributed to Hive0154, such as PUBLOAD/Pubshell and ToneShell,” IBM said. “These families are clearly distinct pieces of malware, but they follow roughly the same structure and use similar techniques to establish a reverse shell to a C2 server.”
The use of SnakeDisk and Yokai points to a subgroup within Mustang Panda that is heavily focused on Thailand, while also highlighting the continued evolution and refinement of the threat actor's arsenal.
“Hive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles,” the company concluded. “This group appears to maintain a rather large malware ecosystem that frequently overlaps in malicious code, techniques used during attacks, and targeting.”