Toneshell Backdoor Used to Target Attendees of the IISS Defence Summit
Sept. 5, 2024, 4:47 p.m.
Description
A cyber espionage campaign using the ToneShell backdoor, associated with Mustang Panda, has been detected targeting attendees of the 2024 IISS Defence Summit in Prague. The attack utilizes a malicious PIF file masquerading as summit documents, which drops SFFWallpaperCore.exe and libemb.dll. The malware establishes persistence through registry run keys and scheduled tasks, communicating with a C2 server in Hong Kong using raw TCP mimicking TLS. The campaign highlights the intersection of cyber espionage and international strategy, aiming to infiltrate sensitive defense discussions. Analysis revealed connections to previously reported APT-Q-27 activities and potential links to other infrastructure through shared RDP certificates.
Date
| Published | Created | Modified |
|---|---|---|
| Sept. 5, 2024, 4:10 p.m. | Sept. 5, 2024, 4:10 p.m. | Sept. 5, 2024, 4:47 p.m. |
Indicators
f8e130e5cbbc4fb85d1b41e1c5bb2d7a6d0511ff3b224eb3076a175e69909b0d
901d713d4d12afbcee5e33603459ebc638afd6b4e2b13c72480c90313b796a66
1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34
057fd248e0219dd31e1044afb7bc77c5f30a7315e136adfcca55ce1593d6cf5d
Attack Patterns
Moudoor
Mydoor
gh0st RAT - S0032
ToneShell
Mustang Panda
T1036.002
T1053.005
T1573.001
T1574.002
T1547.001
T1071.001
T1204.002
T1140
T1027
T1059
Additional Informations
Defense
Government
Hong Kong