ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit

Sept. 5, 2024, 4:47 p.m.

Description

A cyber espionage campaign using the ToneShell backdoor, associated with Mustang Panda, has been detected targeting attendees of the 2024 IISS Defence Summit in Prague. The attack uses a malicious PIF file masquerading as summit documents, which drops SFFWallpaperCore.exe and libemb.dll. The malware establishes persistence through registry run keys and scheduled tasks, and communicates with a command-and-control (C2) server in Hong Kong over raw TCP that mimics TLS. The campaign highlights the intersection of cyber espionage and international strategy, aiming to infiltrate sensitive defense discussions. Analysis revealed connections to previously reported APT-Q-27 activity and potential links to other infrastructure through shared RDP certificates.

Date

  • Created: Sept. 5, 2024, 4:10 p.m.
  • Published: Sept. 5, 2024, 4:10 p.m.
  • Modified: Sept. 5, 2024, 4:47 p.m.

Indicators

  • f8e130e5cbbc4fb85d1b41e1c5bb2d7a6d0511ff3b224eb3076a175e69909b0d
  • 901d713d4d12afbcee5e33603459ebc638afd6b4e2b13c72480c90313b796a66
  • 1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34
  • 057fd248e0219dd31e1044afb7bc77c5f30a7315e136adfcca55ce1593d6cf5d

Attack Patterns

  • Moudoor
  • Mydoor
  • gh0st RAT - S0032
  • ToneShell
  • Mustang Panda
  • T1036.002
  • T1053.005
  • T1573.001
  • T1574.002
  • T1547.001
  • T1071.001
  • T1204.002
  • T1140
  • T1027
  • T1059

Additional Information

  • Defense
  • Government
  • Hong Kong