The latest ToneShell variant introduces a notable advancement in its persistence strategy by leveraging the Windows Task Scheduler COM service.
This lightweight backdoor, traditionally delivered through DLL sideloading techniques, now incorporates enhanced persistence mechanisms and sophisticated anti-analysis capabilities that pose significant challenges to security teams.
Cybersecurity researchers have identified a new variant of the ToneShell backdoor, demonstrating the continued evolution of the China-nexus Mustang Panda group’s arsenal.
Unlike previous versions that relied solely on traditional persistence methods, this variant establishes a scheduled task named “dokanctl” that executes every minute from a randomly named folder within the user’s AppData directory.
The backdoor’s installation process begins with a comprehensive validation routine. It first checks whether it’s running from a Google Drive synchronization path, likely an anti-infection measure to prevent the threat actors from compromising their own systems.
If this check passes, the malware enforces a single-instance policy using the mutex “GlobalSingleCorporation12AD8B” before proceeding with its installation sequence.
Once operational prerequisites are met, the backdoor copies itself along with supporting DLL files (msvcr100.dll, msvcp100.dll, mfc100.dll) to a newly created directory with a six-character random uppercase name.
The Task Scheduler COM service integration then creates a persistent execution mechanism, setting the task to run %APPDATA%
Sophisticated Anti-Analysis Arsenal
This ToneShell variant demonstrates significant advancement in evasion techniques, implementing multiple layers of anti-analysis and anti-sandboxing mechanisms.
The malware employs repeated file operations that create, write, close, and delete temporary files in loops with 100-millisecond delays, effectively burning execution time and stressing filesystem emulation in automated analysis environments.
The timing-based evasion techniques include randomized sleep loops that introduce delays ranging from 800 milliseconds to over one second per iteration, accumulating more than 20 seconds of startup delay.
Additionally, the malware uses GetTickCount64() combined with jittered sleeps, waiting until at least 10 seconds of wall-clock time has elapsed to ensure that emulators without realistic clock advancement capabilities become stuck.

Perhaps most notably, the variant incorporates large embedded string buffers containing text copied from an OpenAI blog post on image generation and from Pega AI’s website.
These strings serve no functional purpose beyond inflating the binary size and providing meaningless content for obfuscated string comparisons that consume processing cycles without affecting core logic.
The malware maintains communication with its command-and-control server at 146.70.29[.]229:443 using a TLS-like protocol wrapper designed to blend with legitimate network traffic.
Each packet begins with fixed bytes “17 03 03” (TLS 1.2 Application Data) followed by a two-byte length field, though only the low byte is processed, effectively limiting payloads to 255 bytes.
The communication protocol employs XOR encoding with a 256-byte rolling key for payload obfuscation. After the TLS-like header is stripped, the decoded payload structure consists of a type/status field, an additional code byte, and the message body.
This approach maintains the communication framework established in previous ToneShell variants while incorporating the updated features.
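To make the framing concrete for analysts working from a packet capture, here is a small decoder for the TLS-look-alike records described above. This is an added example, not code from the article or from any published analysis tool. It assumes the XOR schedule is the simplest rolling form (payload byte i is XORed with key[i mod 256]); the article does not state how the key advances, and the demo key and the sample frames are constructed for the example. The `suspicious_length_fields` check turns the low-byte-only length handling into a detection signal: a record whose 16-bit length disagrees with the low byte actually consumed could never be produced by a real TLS stack.

```python
"""
Decoder and sanity checker for ToneShell-style "17 03 03" framing.
Added example; key schedule and sample data are assumptions/constructed.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

TLS_APPDATA_HEADER = b"\x17\x03\x03"   # TLS 1.2 Application Data record header
MAX_BODY = 255 - 2                      # low-byte length minus type and code bytes

# Constructed 256-byte key for the example; not an indicator from the article.
DEMO_KEY = bytes((i * 7 + 3) & 0xFF for i in range(256))


@dataclass
class Frame:
    declared_len: int   # 16-bit big-endian length as a real TLS peer would read it
    used_len: int       # low byte only, which is all the backdoor honours
    msg_type: int       # type/status field
    code: int           # additional code byte
    body: bytes         # message body


def xor_rolling(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the 256-byte key, cycling through it (assumed schedule)."""
    if len(key) != 256:
        raise ValueError("key must be exactly 256 bytes")
    return bytes(b ^ key[i % 256] for i, b in enumerate(data))


def encode_frame(msg_type: int, code: int, body: bytes, key: bytes,
                 length_high_byte: int = 0) -> bytes:
    """Build one record the way the article describes it, used here only to
    construct sample captures. length_high_byte fills the ignored high byte so
    the parser's mismatch check can be exercised."""
    if len(body) > MAX_BODY:
        raise ValueError("body exceeds the 253 bytes a low-byte length can carry")
    payload = xor_rolling(bytes([msg_type, code]) + body, key)
    declared = (length_high_byte << 8) | len(payload)
    return TLS_APPDATA_HEADER + struct.pack(">H", declared) + payload


def parse_stream(stream: bytes, key: bytes) -> list[Frame]:
    """Split a byte stream into frames using the backdoor's low-byte framing."""
    frames: list[Frame] = []
    off = 0
    while off + 5 <= len(stream):
        if stream[off:off + 3] != TLS_APPDATA_HEADER:
            raise ValueError(f"unexpected record header at offset {off}")
        declared = struct.unpack(">H", stream[off + 3:off + 5])[0]
        used = declared & 0xFF                      # only the low byte is processed
        payload = stream[off + 5:off + 5 + used]
        if len(payload) < used:
            raise ValueError(f"truncated record at offset {off}")
        decoded = xor_rolling(payload, key)
        if len(decoded) < 2:
            raise ValueError(f"record at offset {off} too short for type/code")
        frames.append(Frame(declared, used, decoded[0], decoded[1], decoded[2:]))
        off += 5 + used
    return frames


def suspicious_length_fields(frames: list[Frame]) -> list[Frame]:
    """Frames whose full 16-bit length differs from the low byte actually used.
    Genuine TLS never does this, so it is a cheap flag for this framing."""
    return [f for f in frames if f.declared_len != f.used_len]


if __name__ == "__main__":
    # Constructed capture: a normal beacon-style frame and one with junk in the
    # high length byte, which the backdoor would still consume.
    capture = (encode_frame(1, 0, b"hello", DEMO_KEY)
               + encode_frame(2, 5, b"", DEMO_KEY, length_high_byte=1))
    for f in parse_stream(capture, DEMO_KEY):
        print(f)
    print("mismatched length fields:", len(suspicious_length_fields(parse_stream(capture, DEMO_KEY))))
```

When run over real traffic, the stream should first be reassembled per TCP flow; records are parsed back to back with no inter-record framing beyond the five-byte header.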
The backdoor continues to generate unique machine identifiers through GUID creation, attempting to read existing identifiers from “C:ProgramDataSystemRuntimeLag.inc” before generating new ones using CoCreateGuid or falling back to an internal linear congruential generator when necessary.
The continued targeting of Myanmar by Mustang Panda through this ToneShell variant reflects broader Chinese geopolitical interests in the region.
The malware was distributed through archives with Burmese filenames, specifically “TNLA နှင့် အခြားတော်လှန်ရေးအင်အားစုမျာ” (TNLA and other revolutionary forces), indicating sustained focus on Myanmar’s political and security landscape.
This persistent targeting underscores how cyber operations serve as tools for maintaining influence in strategically important neighboring states, particularly in areas involving border security, infrastructure development, and political monitoring.
Mitigations
Security teams should focus on detecting the specific persistence mechanisms employed by this variant, particularly monitoring for the creation of scheduled tasks named “dokanctl” and suspicious activity in AppData directories with six-character random names.
The mutex “GlobalSingleCorporation12AD8B” provides another detection opportunity, along with network communications to the identified command-and-control infrastructure.
The sophisticated anti-analysis techniques employed by this variant highlight the need for advanced dynamic analysis capabilities that can account for extended execution delays and obfuscated control flows.
Organizations should implement behavioral monitoring that can identify the characteristic file operations and timing patterns associated with this malware family.
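A minimal hunt over endpoint telemetry for the persistence indicators named above: the scheduled task "dokanctl", a six-character uppercase folder directly under %APPDATA% (Roaming), and the sideloaded runtime DLLs (msvcr100.dll, msvcp100.dll, mfc100.dll) loaded from such a folder. This is an added example, not code from the article or from any vendor product. The event lines are constructed `key=value` records with invented host and user names, not a real Windows Security or Sysmon export; adapt the field extraction to your own log schema.

```python
"""
Hunt for ToneShell persistence indicators in endpoint log lines.
Added example; sample events are constructed, not real telemetry.
"""
from __future__ import annotations
import re

# Six uppercase letters directly under AppData\Roaming (the %APPDATA% folder).
RANDOM_DIR_RE = re.compile(r'(?i:appdata\\roaming)\\[A-Z]{6}\\')
# One of the bundled runtime DLLs living inside such a folder.
SIDELOAD_DLL_RE = re.compile(
    r'(?i:appdata\\roaming)\\[A-Z]{6}\\(?i:msvcr100|msvcp100|mfc100)\.dll\b')
# TaskName=<value>, quoted or bare, possibly with a task-folder path prefix.
TASKNAME_RE = re.compile(r'TaskName=("[^"]*"|\S+)')


def task_name_is_dokanctl(line: str) -> bool:
    """True when the event's task name (last path component) is 'dokanctl'."""
    m = TASKNAME_RE.search(line)
    if not m:
        return False
    value = m.group(1).strip('"').rstrip("\\")
    return value.rsplit("\\", 1)[-1].lower() == "dokanctl"


def classify(line: str) -> list[str]:
    """Return the names of every indicator rule the line matches."""
    hits = []
    if task_name_is_dokanctl(line):
        hits.append("dokanctl_task")
    if RANDOM_DIR_RE.search(line):
        hits.append("random_appdata_dir")
    if SIDELOAD_DLL_RE.search(line):
        hits.append("runtime_dll_in_random_dir")
    return hits


def hunt(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(line index, matched rules) for every line that matched at least one rule."""
    return [(i, h) for i, line in enumerate(lines) if (h := classify(line))]


# Constructed sample events (hostnames, users and the folder QWERTY are invented).
SAMPLE_EVENTS = [
    r'EventID=4698 TaskName=\dokanctl Command="C:\Users\alice\AppData\Roaming\QWERTY\dokanctl.exe"',
    r'EventID=4698 TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag Command="%windir%\system32\defrag.exe"',
    r'EventID=1 Image=C:\Users\alice\AppData\Roaming\QWERTY\dokanctl.exe ParentImage=C:\Windows\System32\svchost.exe',
    r'EventID=1 Image=C:\Users\bob\AppData\Roaming\Zoom\bin\Zoom.exe ParentImage=C:\Windows\explorer.exe',
    r'EventID=7 Image=C:\Users\alice\AppData\Roaming\QWERTY\dokanctl.exe ImageLoaded=C:\Users\alice\AppData\Roaming\QWERTY\mfc100.dll',
    r'EventID=1 Image=C:\Users\bob\AppData\Roaming\Python\python.exe ParentImage=C:\Windows\explorer.exe',
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS):
        print(f"line {idx}: {', '.join(rules)}")
```

The folder regex deliberately requires six uppercase letters, so a legitimate six-letter vendor folder such as `Python` in the last sample line is not flagged; a hit on `random_appdata_dir` alone is a triage lead, while the task-name and DLL rules are close to deterministic for this variant. The mutex name cannot be seen in ordinary logs and is better checked with a live handle enumeration or a memory scan.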