Mustang Panda Targets Thailand with A New USB Worm


The China-aligned threat actor known as Mustang Panda has been observed using a new, updated version of a backdoor called TONESHELL and a previously undocumented USB worm known as SnakeDisk. These new tools point to the group's continued evolution and its focus on specific regional targets. 

New Malware and Evasion Tactics 

According to researchers at IBM X-Force, the SnakeDisk USB worm is geofenced: it runs only on hosts whose IP address is in Thailand and does nothing elsewhere. On an infected drive it hides the user's existing files by moving them into a new subdirectory, then drops a malicious file at the drive root with a name that makes it look like the USB device itself. A user who opens the drive and double-clicks what appears to be the drive launches the malware, which in turn drops a further backdoor called Yokai.
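The following Python script is an added illustration, not code from the IBM X-Force report and not the worm's own code: it checks the root of a removable drive for the layout just described (a single launchable lure named after the drive, with everything else moved into a subdirectory). It assumes the lure is a Windows launchable file (.exe, .scr, .com, .pif or .lnk) whose name without extension matches the volume label; the sample drive contents, the stash directory name "files" and the volume label "KINGSTON" are constructed for the demo.

```python
"""Heuristic check for a SnakeDisk-style USB drive layout.

Added example; assumptions (not stated in the article): the lure is a
launchable file at the drive root whose stem equals the volume label,
and the user's original files have been moved into one subdirectory.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Extensions that launch on double-click in Windows Explorer (assumption).
LURE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".lnk"}


def scan_usb_root(root: Path, volume_label: str) -> dict:
    """Score a drive root against the described layout and explain why.

    Signals:
      1. exactly one launchable file at the root, named after the volume label;
      2. no other regular files at the root (they have been moved away);
      3. at least one subdirectory that now holds regular files.
    All three together are treated as suspicious.
    """
    entries = list(root.iterdir())
    files = [p for p in entries if p.is_file()]
    dirs = [p for p in entries if p.is_dir()]
    label = volume_label.strip().casefold()

    lures = [p for p in files
             if p.suffix.lower() in LURE_SUFFIXES
             and p.stem.strip().casefold() == label]
    other_files = [p for p in files if p not in lures]
    stash_dirs = [d for d in dirs if any(c.is_file() for c in d.iterdir())]

    reasons = []
    if len(lures) == 1:
        reasons.append(f"root launcher named after the drive: {lures[0].name}")
    if lures and not other_files:
        reasons.append("no other regular files remain at the drive root")
    if lures and stash_dirs:
        reasons.append("user files found under: "
                       + ", ".join(d.name for d in stash_dirs))

    return {
        "suspicious": len(reasons) == 3,
        "lure": lures[0].name if lures else None,
        "stash_dirs": [d.name for d in stash_dirs],
        "reasons": reasons,
    }


def build_sample(tmp: Path, infected: bool) -> Path:
    """Create a constructed drive image (placeholder bytes, not real artefacts)."""
    root = tmp / ("infected" if infected else "clean")
    root.mkdir()
    docs = ["report.docx", "budget.xlsx", "photo.jpg"]
    if infected:
        stash = root / "files"                      # stash name is an assumption
        stash.mkdir()
        for name in docs:
            (stash / name).write_bytes(b"placeholder")
        (root / "KINGSTON.exe").write_bytes(b"MZ placeholder")  # lure named like the drive
    else:
        for name in docs:
            (root / name).write_bytes(b"placeholder")
        (root / "setup.exe").write_bytes(b"MZ placeholder")     # ordinary installer, different name
    return root


def demo() -> tuple[dict, dict]:
    """Run the check over one infected and one clean constructed drive."""
    with tempfile.TemporaryDirectory() as t:
        tmp = Path(t)
        bad = scan_usb_root(build_sample(tmp, True), "KINGSTON")
        good = scan_usb_root(build_sample(tmp, False), "KINGSTON")
        return bad, good


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

To use it on a real drive, call `scan_usb_root(Path("E:/"), "<volume label>")`; a hit is a reason to image the drive and inspect the lure, not proof of infection, since a legitimately named launcher at the root of an otherwise tidy drive would also match.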

In addition to the new USB worm, Mustang Panda is using updated variants of its TONESHELL backdoor. The new versions, named TONESHELL8 and TONESHELL9, route their command-and-control traffic through the proxy server already configured on the infected host, so their connections blend in with the machine's normal outbound web traffic. The samples also carry "junk code" copied from OpenAI's ChatGPT website, padding intended to defeat static detection and slow down analysis by security tools.

A Focused and Evolving Threat 

The use of a geofenced tool like SnakeDisk suggests that a sub-group within the larger Mustang Panda operation is focused specifically on targets in Thailand. The group, which IBM X-Force tracks as Hive0154, remains a highly capable threat actor with a large malware ecosystem and frequent development cycles. Its tools share code and techniques, showing that they are continually refined and reused across new campaigns.
