ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

On September 3, 2024, Hunt.io released a blog post detailing the resurgence of the ToneShell backdoor, likely deployed by Mustang Panda, also known as Stately Taurus and Earth Preta, among other aliases. The group is known for its cyber espionage activities targeting government organizations, primarily in Southeast and East Asia. This recent campaign, however, focuses on attendees of the upcoming International Institute for Strategic Studies (IISS) Defence Summit, set to take place in Prague from November 8-10, 2024. The summit, which will host discussions on defence, security, and emerging threats, is a prime target for espionage due to the involvement of high-level officials and sensitive topics.

Report Overview

The IISS Defence Summit mirrors high-profile events like the Shangri-La and Manama Dialogues. It draws senior defence ministers, policymakers, and industry leaders from Europe and allied nations. Infiltrating such events offers adversaries valuable intelligence on global defence strategies and the geopolitical stances of major world powers. Mustang Panda's interest in these discussions aligns with their long-standing goal of gaining strategic insights into military operations and defence policies.

During routine monitoring on Hatching Triage, analysts discovered a suspicious executable file, "IISS PRAGUE DEFENCE SUMMIT (8 – 10 November 2024).exe," uploaded on August 16, 2024. Further investigation revealed this file exhibited behaviour consistent with previous ToneShell campaigns.

The executable masqueraded as a legitimate file related to the summit, likely designed to lure its targets into downloading and executing the malware. Upon running the file, the malware immediately communicated with a command-and-control (C2) server, sending network traffic containing magic bytes "17 03 03," a ToneShell and PubLoad activity hallmark.
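The "17 03 03" hallmark is the header of a TLS application-data record (content type 0x17, version 3.3). A genuine TLS session always opens with a handshake record (0x16) carrying a ClientHello, so a connection whose very first client bytes are application data is raw TCP dressed up to look like TLS. The following network-detection heuristic is an added example, not code from the original post or from Hunt.io; the flow records are constructed sample data (the destination 103.27.108.14 is the C2 address from the IOC table, the other addresses are documentation ranges), and the declared-versus-actual length comparison is an extra check assumed here to help an analyst judge whether the "record" is even internally consistent.

```python
"""
Heuristic for the ToneShell/PubLoad traffic hallmark: the first bytes a
client sends on a TCP connection form a TLS application-data record
header (0x17 0x03 0x03) although no TLS handshake (0x16 ...) took place.

Flow records below are constructed sample data, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, List

FAKE_TLS_MAGIC = b"\x17\x03\x03"  # record type 0x17 (application data), version 3.3


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first bytes sent by the client on this connection


def declared_record_length(data: bytes) -> int:
    """Length field of a TLS record header (bytes 3-4, big-endian), or -1 if
    the payload is too short to carry a complete five-byte header."""
    if len(data) < 5:
        return -1
    return int.from_bytes(data[3:5], "big")


def is_fake_tls(flow: Flow) -> bool:
    """True when the opening client payload is an application-data record.
    first_payload is by definition the first thing the client sent, so no
    handshake can have preceded it."""
    return flow.first_payload.startswith(FAKE_TLS_MAGIC)


def scan_flows(flows: List[Flow]) -> List[Dict]:
    """One finding per suspicious flow, with the length the header claims
    next to the number of bytes actually present after the header."""
    findings = []
    for f in flows:
        if is_fake_tls(f):
            findings.append({
                "flow": f"{f.src}->{f.dst}:{f.dport}",
                "declared_len": declared_record_length(f.first_payload),
                "actual_len": max(0, len(f.first_payload) - 5),
            })
    return findings


# Constructed sample flows.
SAMPLE_FLOWS = [
    # Legitimate TLS: handshake record (0x16) carrying a ClientHello (0x01).
    Flow("10.0.0.5", "198.51.100.20", 443,
         b"\x16\x03\x01\x00\x10\x01\x00\x00\x0c\x03\x03" + bytes(12)),
    # ToneShell-style: application-data header first, declares 16 bytes, 16 follow.
    Flow("10.0.0.5", "103.27.108.14", 443, b"\x17\x03\x03\x00\x10" + bytes(16)),
    # Same hallmark on port 80; header claims 32 bytes but only 8 are present.
    Flow("10.0.0.6", "103.27.108.14", 80, b"\x17\x03\x03\x00\x20" + bytes(8)),
    # Plain HTTP, not flagged.
    Flow("10.0.0.7", "198.51.100.21", 80, b"GET / HTTP/1.1\r\n"),
    # Truncated: only the three magic bytes were seen before the capture ended.
    Flow("10.0.0.8", "203.0.113.9", 3389, b"\x17\x03\x03"),
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(hit)
```

Because the check keys on the first client payload rather than on the destination port, it also catches the hallmark on 80 and 3389, the other ports the C2 server in this campaign was observed using.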

The attack utilized a PIF file (Program Information File), often seen as a shortcut for MS-DOS programs but repurposed by threat actors to deliver malicious payloads. In this instance, the PIF file dropped two main components, SFFWallpaperCore.exe and libemb.dll, facilitating further system infection. The PIF file was also signed with a code signing certificate from "Hefei Nora Network Technology Co." to avoid detection. However, this certificate was ultimately flagged as untrusted by analysis tools.

Following the payload's execution, persistence was established via a scheduled task and a registry run key. The registry key instructed Windows to run the malicious executable every six minutes, ensuring the infection survived a reboot.

Insights and Analysis

This campaign targets attendees of a high-level defence summit, likely aiming to collect intelligence on defence policies and military strategies. Such insights could give threat actors an edge in understanding how global powers plan to navigate ongoing geopolitical tensions, including the Russia-Ukraine war and growing concerns in the South China Sea. The ramifications extend beyond the immediate targets, potentially influencing future diplomatic and military engagements worldwide.

While the exact objectives of the attack remain unclear, the evidence points to a highly coordinated effort to infiltrate sensitive discussions at the IISS Defence Summit. Experts believe that the attack's use of decoy documents—in this case, a legitimate agenda for the summit—reduces suspicion while the malware silently exfiltrates data.

The command and control (C2) server identified in this campaign, hosted on Topway Global Limited's ASN in Hong Kong, communicated using common ports such as 80, 443, and 3389. Notably, the server also displayed a self-signed RDP certificate on August 25, 2021, potentially used for tracking the infrastructure's historical activity. However, the IP had yet to be flagged as malicious by any security vendors, underscoring the stealth and sophistication of Mustang Panda's operations.

Organizations should enforce phishing awareness training to mitigate the risk posed by attacks like this, encouraging users to verify email senders and attachments, particularly during high-profile events. Deploying Endpoint Detection and Response (EDR) solutions to monitor and block malicious execution patterns can provide additional protection. Regular updates to threat intelligence databases and proactive hunting for indicators of compromise (IOCs) related to Mustang Panda's activity will prevent further infections.

As cyber espionage campaigns grow more advanced, organizations must remain vigilant, particularly when hosting or attending sensitive discussions on defence and security. The targeting of the IISS Defence Summit is a reminder of the persistent and evolving nature of state-sponsored threat actors like Mustang Panda. Maintaining strong cybersecurity practices and staying informed about ongoing threats can help mitigate potential damage from such sophisticated attacks.

Indicators of Compromise (IOCs)

Indicator | Type | Description
103.27.108.14 | IP Address | Command and Control (C2) server IP associated with Topway Global Limited
IISS Prague Defence Summit 2024.zip | File | ZIP archive used as a lure document
Annex 1 - IISS PRAGUE DEFENCE.pif | File | Malicious PIF file that drops ToneShell backdoor
SFFWallpaperCore.exe | File | Malicious executable dropped by PIF file
libemb.dll | File | DLL file used in the infection chain
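The host-side traces described in the report (execution and creation of the files above, a Run key or scheduled task pointing at one of them, the unusually short repeat interval, and a connection to the listed C2 address) can be hunted for over endpoint telemetry. The script below is an added example, not code from the original post or from Hunt.io. It works on constructed Sysmon-like event records in a simplified shape; the task and value name "Wallpaper", the user name "victim", the temp path, and the ten-minute threshold for a "short" task interval are assumptions made for the example, not values from the report.

```python
"""
Match Sysmon-style endpoint events against the IOC table and the
persistence behaviour described in the report.

Event records are constructed sample data in a simplified Sysmon-like shape.
"""
import re
from typing import Dict, List, Tuple

# Indicators from the IOC table (lower-cased for matching).
IOC_FILES = {
    "iiss prague defence summit 2024.zip",
    "annex 1 - iiss prague defence.pif",
    "sffwallpapercore.exe",
    "libemb.dll",
}
IOC_IPS = {"103.27.108.14"}

# Run / RunOnce keys under either HKCU or HKLM.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# schtasks.exe /create ... /sc minute /mo <n>
SHORT_INTERVAL_RE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
SHORT_INTERVAL_MAX_MINUTES = 10  # assumption: anything this frequent deserves a look


def basename(path: str) -> str:
    """Final path component, lower-cased, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev: Dict) -> List[str]:
    """Names of every rule the event triggers (possibly none)."""
    hits: List[str] = []
    kind = ev["type"]
    if kind == "ProcessCreate":
        image = basename(ev["image"])
        cmd = ev.get("cmdline", "").lower()
        if image in IOC_FILES:
            hits.append("ioc_file_executed")
        if image == "schtasks.exe" and "/create" in cmd:
            if any(f in cmd for f in IOC_FILES):
                hits.append("persistence_scheduled_task")
            m = SHORT_INTERVAL_RE.search(cmd)
            if m and int(m.group(1)) <= SHORT_INTERVAL_MAX_MINUTES:
                hits.append("persistence_short_interval_task")
    elif kind == "FileCreate":
        if basename(ev["target"]) in IOC_FILES:
            hits.append("ioc_file_written")
    elif kind == "RegistryValueSet":
        details = ev.get("details", "").lower()
        if RUN_KEY_RE.search(ev["key"]) and any(f in details for f in IOC_FILES):
            hits.append("persistence_run_key")
    elif kind == "NetworkConnect":
        if ev["dst_ip"] in IOC_IPS:
            hits.append("c2_ip_contact")
    return hits


def scan_events(events: List[Dict]) -> List[Tuple[int, str]]:
    """(event id, rule name) for every rule hit, in event order."""
    return [(ev["id"], rule) for ev in events for rule in match_event(ev)]


# Constructed sample events; paths and names are made up for the example.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"id": 1, "type": "ProcessCreate", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"id": 2, "type": "ProcessCreate",
     "image": r"C:\Users\victim\Downloads\Annex 1 - IISS PRAGUE DEFENCE.pif",
     "cmdline": r'"C:\Users\victim\Downloads\Annex 1 - IISS PRAGUE DEFENCE.pif"'},
    {"id": 3, "type": "FileCreate", "target": TEMP + r"\libemb.dll"},
    {"id": 4, "type": "ProcessCreate", "image": TEMP + r"\SFFWallpaperCore.exe",
     "cmdline": TEMP + r"\SFFWallpaperCore.exe"},
    {"id": 5, "type": "RegistryValueSet",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wallpaper",
     "details": TEMP + r"\SFFWallpaperCore.exe"},
    {"id": 6, "type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 6 /tn Wallpaper /tr "' + TEMP + r'\SFFWallpaperCore.exe"'},
    {"id": 7, "type": "NetworkConnect", "dst_ip": "103.27.108.14", "dport": 443},
    {"id": 8, "type": "NetworkConnect", "dst_ip": "198.51.100.20", "dport": 443},
]

if __name__ == "__main__":
    for event_id, rule in scan_events(SAMPLE_EVENTS):
        print(event_id, rule)
```

The file-name and IP rules are brittle by nature (a renamed dropper or a new C2 address slips past them), so the two persistence rules are written behaviourally: a Run key value or a schtasks command that references a known bad file, and separately any task created with a repeat interval of a few minutes, which is the pattern the report describes regardless of what the binary is called.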

MITRE ATT&CK TTPs

Tactic | Technique | ID | Description
Initial Access | Spearphishing Attachment | T1566.001 | The attackers delivered a ZIP file containing a PIF to execute malware.
Execution | User Execution | T1204.002 | Users are lured into opening the ZIP file containing a malicious PIF.
Defense Evasion | Code Signing | T1116 | The malicious file is signed with a certificate to evade detection.
Persistence | Scheduled Task/Job | T1053.005 | Malware establishes persistence by creating a scheduled task.
Command and Control | Application Layer Protocol | T1071.001 | The malware communicates with its C2 using raw TCP traffic mimicking TLS.

References

Hunt.io, "ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit," blog post, September 3, 2024.