ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit

The ToneShell backdoor, attributed to Mustang Panda, is used for cyber espionage against government organizations in Southeast and East Asia; a recent campaign targeted attendees of the IISS Prague Defence Summit. The campaign uses a decoy summit agenda and PIF droppers to deliver the malware, establishes persistence through a registry Run key and a scheduled task, and communicates with C2 infrastructure hosted by Topway Global Limited.
#ToneShell #MustangPanda

Keypoints

  • ToneShell backdoor is linked to Mustang Panda, targeting government entities for espionage.
  • The campaign resurfaced in the context of the IISS Defence Summit in Prague (2024).
  • Decoy documents mimic legitimate summit agendas to lure targets.
  • The malware uses PIF files as droppers and drops SFFWallpaperCore.exe and libemb.dll during execution.
  • Persistence is established via a registry Run key and a scheduled task.
  • C2 infrastructure is tied to Topway Global Limited in Hong Kong; traffic is TLS-like over common ports, and the servers present distinctive certificates (for example, the common name WIN-USLKI5BA743 listed below).

MITRE Techniques

  • [T1059] Command-Line Interface (current name: Command and Scripting Interpreter) – Listed by the source for this campaign; the summary gives no detail on the specific commands used.
  • [T1053] Scheduled Task/Job (current sub-technique: T1053.005, Scheduled Task) – A scheduled task is created during execution of the PIF dropper to persist the malware.
  • [T1060] Registry Run Keys / Startup Folder (retired ID; now T1547.001) – A registry Run key is written so the dropped payload is launched at logon.
  • [T1071] Application Layer Protocol – The backdoor communicates with Topway Global Limited infrastructure using TLS-like traffic over common ports.

Indicators of Compromise

  • [IP Address] C2 / infrastructure indicators – 103.27.108.14, 103.27.109.52, and 6 other items
  • [SHA-256 Hash] File hashes – 1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34, 057fd248e0219dd31e1044afb7bc77c5f30a7315e136adfcca55ce1593d6cf5d, and 6 other items
  • [File Name] Lure / dropper files – IISS Prague Defence Summit 2024.zip, Annex 1 – IISS PRAGUE DEFENCE SUMMIT (8 – 10 November 2024).pif, and 1 other item
  • [File Name] Decoy PDF – Annex 2 – IISS PRAGUE DEFENCE SUMMIT (8 – 10 November 2024) – Copy.pdf, and 1 other item
  • [Certificate Common Name] TLS/RDP certificate – WIN-USLKI5BA743, and other items
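The following host-triage script is an added example and is not part of the Hunt.io report or of any ToneShell tooling. It turns the indicators above into a local check: Run-key values and scheduled-task actions that reference SFFWallpaperCore.exe or libemb.dll, files of those names whose SHA-256 matches the two listed hashes, and live TCP connections to the two listed C2 addresses. The report excerpt does not name the Run-key value or the task, so matching is by file name, and the directories searched for dropped files are assumed, not taken from the source.

```powershell
# Added ToneShell host-triage example (not Hunt.io code). Assumptions: match by
# artifact file name because the Run-key value name and task name are not given;
# search roots for dropped files are a guess at common drop locations.

$ArtifactNames = @('SFFWallpaperCore.exe', 'libemb.dll')
$KnownHashes   = @(
    '1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34',
    '057fd248e0219dd31e1044afb7bc77c5f30a7315e136adfcca55ce1593d6cf5d'
)
$C2Addresses   = @('103.27.108.14', '103.27.109.52')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Detail) {
    $script:findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Registry Run keys (per-user, machine, and 32-bit view on 64-bit Windows)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        foreach ($name in $ArtifactNames) {
            if ("$($p.Value)" -match [regex]::Escape($name)) {
                Add-Finding 'RunKey' "$key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 2. Scheduled tasks whose action executable or arguments reference an artifact
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        foreach ($name in $ArtifactNames) {
            if ($cmd -match [regex]::Escape($name)) {
                Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $cmd"
            }
        }
    }
}

# 3. Files with an artifact name under assumed drop locations, hashed against the IoC list
$searchRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP, $env:USERPROFILE)
foreach ($root in ($searchRoots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Recurse -File -Include $ArtifactNames -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h   = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash.ToLower()
            $tag = if ($KnownHashes -contains $h) { 'KnownHash' } else { 'NameOnly' }
            Add-Finding "File/$tag" "$($_.FullName) sha256=$h"
        }
}

# 4. Live TCP connections to the listed C2 addresses, with the owning process
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $C2Addresses -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Add-Finding 'C2Connection' ("{0}:{1} -> {2}:{3} ({4}, pid {5})" -f
            $_.LocalAddress, $_.LocalPort, $_.RemoteAddress, $_.RemotePort, $proc, $_.OwningProcess)
    }

if ($findings.Count -eq 0) { 'No ToneShell indicators found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session so the HKLM view and all users' scheduled tasks are readable. A 'NameOnly' file hit means a file with a listed name whose hash is not among the two published here; the report lists further hashes, so treat such a hit as a lead for a full hash comparison rather than a clean result.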

Read more: https://hunt.io/blog/toneshell-backdoor-used-to-target-attendees-of-the-iiss-defence-summit