ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit

The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta, among other monikers), has been consistently deployed against government organizations, mainly in Southeast and East Asia, for cyber espionage.

Recently, this malware has resurfaced, likely targeting attendees of the 2024 International Institute for Strategic Studies (IISS) Defence Summit in Prague.

This campaign illustrates how cyber espionage and international strategy often intertwine as nations seek to infiltrate sensitive security and defense discussions to gain a strategic edge amid global conflicts, from the Russia-Ukraine war to rising tensions in the South China Sea.

While combing through files on Hatching Triage, one name stood out, prompting us to investigate further and share our findings in this article.

This blog post will explore our findings, including the malware's execution techniques, capabilities, and the command and control (C2) infrastructure that facilitates its operations.

The IISS Defence Summit: An Attractive Target for Cyber Espionage

The IISS Prague Defence Summit, scheduled for November 8-10, 2024, is a new event modeled after the successful Shangri-La and Manama Dialogues. The summit is poised to become a central forum for discussing defense and security within the Euro-Atlantic region.

Attendees include senior political leaders, defense ministers, policymakers, and industry executives from Europe, the United States, and allied nations. Discussions include defense capacity-building, strategic stability, and emerging threats.

This summit is a prime target for cyber espionage due to the participation of high-level officials discussing sensitive issues like military strategy, defense cooperation, and responses to geopolitical tensions. Accessing these discussions offers adversaries a strategic edge by exposing major global players' defense plans and policies.

File Discovery In Triage & ANY.RUN

During routine analysis on Hatching Triage, we discovered an executable file, "IISS PRAGUE DEFENCE SUMMIT (8 – 10 November 2024 ).exe,” uploaded on 16 August. Given its relevance to an upcoming high-profile event, we decided to investigate further.

To further solidify our suspicions, a review of the PCAP containing network traffic confirmed the malware communicating with its C2 server using the familiar magic bytes 17 03 03.

These bytes often appear in posts and reports as indicators of Toneshell and PubLoad activity.
We found the same executable file on ANY.RUN, where it exhibited similar TTPs.

Decoy Document Analysis

Before diving into the malware itself, let’s first examine the decoy PDF used in this attack. Upon extracting the archive, the user is presented with two folders: Annex 1 and Annex 2.

The first folder contains the executable file mentioned above, while the second, contains the document seen in Figure 3 titled “Annex 2 - IISS PRAGUE DEFENCE SUMMIT (8 – 10 November 2024) - Copy.pdf.”

The PDF is an exact copy of a legitimate document available on the IISS official website, with only its name altered. This tactic is designed to reassure the target by displaying a genuine agenda for the summit, reducing suspicion while the malware silently operates in the background.

Uncovering Malware Behavior and Execution

As previously mentioned, the extracted ZIP file reveals two folders. We’ll now turn our attention to the suspicious file that caught our eye.

Inside the Annex 1 folder (Figure 5), we see a file name matching that of what we found in Triage. For the keen-eyed, you may have noticed the file type is "Shortcut to MS-DOS Program," which suggests it is a program information file (PIF).

PIF files are shortcuts designed to provide metadata like a config file for MS-DOS programs. However, threat actors can use them as an alternative to .exe files to execute malicious code.

The PIF file acts as a dropper, which we’ll soon see, and is signed by the “Hefei Nora Network Technology Co.” A screenshot of the code signing certificate is below.

Analyzing the file in VirusTotal reveals the PIF-file has two aliases: fhbemb.exe and SFFWallpaperCore.exe.

This file also contains a PDB path of:

G:\CLIENT\fhbemb\src\bin\Release_NL\fhbemb.pdb

In our research, we were unable to locate information suggesting either of the above file names (fhbemb.exe and SFFWallpaperCore.exe) are legitimate Windows programs.

An April 2024 blog post by secrss uncovered a suspected APT-Q-27 (aka Golden Eye Dog, Dragon Breath) operation that also used ‘fhbemb.exe’ to side load ‘libemb.dll’ to execute a modified version of Gh0st RAT.

Sophos has also previously reported similar DLL sideloading techniques by this group.

Figure 7 illustrates the malware execution flow as detailed in the Secrss post.

Returning to the malicious PIF, upon execution, it checks for the presence of the FFWallpaperCore directory in C:\ProgramData. If the directory is absent, it drops SFFWallpaperCore.exe and libemb.dll, likely to verify whether the system has already been compromised.

Persistence is established by adding a registry run key and creating a scheduled task.

• Registry run key:

cmd.exe /C schtasks /F /Create /TN FFWallpaperEmbCore /SC minute /MO 6 /TR "C:\ProgramData\FFWallpaperCore\SFFWallpaperCore.exe FFWallpaper"

• Creation of scheduled task

schtasks /F /Create /TN FFWallpaperEmbCore /SC minute /MO 6 /TR "C:\ProgramData\FFWallpaperCore\SFFWallpaperCore.exe FFWallpaper"

The overall execution flow (Figure 8) follows a rather standard pattern commonly seen in malware operations.

libemb.dll, written in C++, is signed by the same company as the EXE, but, as shown in Figure 9, the certificate is not trusted.

The DLL contains unique debug strings, which have become a hallmark of Mustang Panda malware. Within the file, we found two references to Twitter/X accounts: @Rainmaker1973 and @techyteachme, the latter belonging to Zack Allen, who also runs a great Detection Engineering newsletter if you’re interested.

A network connection is established with the C2 server at 103.27.108.]14 on port 443. The traffic uses raw TCP but mimics TLS to evade detection.

This approach has been observed in multiple reports on Mustang Panda activity, specifically linked to ToneShell and Pubload malware.

Below is a PCAP screenshot from the initial communication with the C2 server.

Network Infrastructure

The command and control server is hosted on Topway Global Limited’s ASN in Hong Kong, with ports 80, 443, and 3389 accessible. Interestingly, the IP briefly presented a self-signed RDP certificate at the start of August, carrying the common name “WIN-USLKI5BA743.”

Using RDP certificates has been a reliable method for tracking Mustang Panda’s infrastructure in the past, but recent variations suggest the threat actors are aware of this detection technique and are adjusting accordingly.

This particular certificate was issued on Wednesday, August 25, 2021, at 03:36:30—a detail that may prove significant in our investigation.

Below is a screenshot from Hunt showing this certificate, along with historical TLS data, to aid in identifying related activity.

With no additional domains or certificates to pivot on, we turn to Hunt's Advanced Search feature to identify servers using the same certificate, focusing specifically on the 'Not Before' date and time.

By applying the query shown in Figure 14, we narrowed the results to just seven servers—suggesting a potential link to the associated infrastructure. Notably, three of these servers were first observed only a few days ago, indicating recent and potentially active use at the time of writing.

IPs sharing the same certificate:

As shown in the table above, nearly all the IP addresses reside on the same ASN as the C2 server, with one exception. Additionally, the proximity of these IPs to each other strengthens our assessment that these servers may be controlled by the same threat actor or group and hosted within a similar or adjacent range to maintain operational control and flexibility.

Notably, the C2 IP has not yet been flagged as malicious by any vendors on VirusTotal.

Final Thoughts

While sandbox runs and dynamic analysis of the malware did not reveal the specific objectives of the threat actors once they gained access to infected systems, we can hypothesize that targeting a defense summit suggests an intent to gather intelligence on sensitive discussions.

To mitigate such threats, Hunt recommends conducting regular phishing awareness exercises for all users, closely verifying email senders and domain names before downloading files, and deploying an endpoint detection and response solution to identify malicious execution patterns.

If you’d like to stay ahead of threats like those uncovered in this post, request a demo today to see how our tools can enhance your defenses.

Network Observables

Host Observables