Intezer researchers have analyzed a new variant of the ToneShell backdoor linked to Mustang Panda, showing enhanced anti-analysis features while targeting Myanmar. The malware's evolution reflects ongoing cyber espionage rooted in China's geopolitical interests. #MustangPanda #ToneShell
Key points
- The new ToneShell variant employs anti-analysis tactics like file churn, random delays, and junk arithmetic to evade detection.
- It is delivered via ZIP archives disguised as documents related to Myanmar’s revolutionary forces.
- The malware maintains persistence through scheduled tasks and copying itself into the AppData directory.
- Connections to its command-and-control server are obfuscated using TLS-like headers and XOR schemes.
- Mustang Panda continues refining its operations, pursuing geopolitical influence through cyber espionage in Myanmar.