Toneshell Backdoor Used to Target Attendees of the IISS Defence Summit

Sept. 5, 2024, 4:47 p.m.

Description

A cyber espionage campaign using the ToneShell backdoor, associated with Mustang Panda, has been detected targeting attendees of the 2024 IISS Defence Summit in Prague. The attack utilizes a malicious PIF file masquerading as summit documents, which drops SFFWallpaperCore.exe and libemb.dll. The malware establishes persistence through registry run keys and scheduled tasks, communicating with a C2 server in Hong Kong using raw TCP mimicking TLS. The campaign highlights the intersection of cyber espionage and international strategy, aiming to infiltrate sensitive defense discussions. Analysis revealed connections to previously reported APT-Q-27 activities and potential links to other infrastructure through shared RDP certificates.

Date

Published: Sept. 5, 2024, 4:10 p.m.

Created: Sept. 5, 2024, 4:10 p.m.

Modified: Sept. 5, 2024, 4:47 p.m.

Indicators

f8e130e5cbbc4fb85d1b41e1c5bb2d7a6d0511ff3b224eb3076a175e69909b0d

901d713d4d12afbcee5e33603459ebc638afd6b4e2b13c72480c90313b796a66

1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34

057fd248e0219dd31e1044afb7bc77c5f30a7315e136adfcca55ce1593d6cf5d

Attack Patterns

Moudoor

Mydoor

gh0st RAT - S0032

ToneShell

Mustang Panda

T1036.002

T1053.005

T1573.001

T1574.002

T1547.001

T1071.001

T1204.002

T1140

T1027

T1059

Additional Informations

Defense

Government

Hong Kong