
A new wave of cyberattacks has emerged using the Tuoni Command and Control (C2) framework, a sophisticated tool that allows threat actors to deploy malicious payloads directly into system memory.
This technique helps attackers avoid detection by security solutions that rely on scanning files stored on disk.
The Tuoni framework has gained attention in the cybersecurity community for its modular design and its ability to support multiple attack scenarios while writing little to disk on compromised systems.
The attack typically begins with phishing emails or compromised websites that deliver the initial payload. Once executed, the malware establishes a connection to the attacker’s C2 server and waits for further instructions.
What makes Tuoni particularly dangerous is its use of in-memory execution: the payloads it delivers are loaded and run in RAM rather than written to the hard drive.
This leaves file-based antivirus and endpoint protection tools little to scan, although the running code remains visible to memory scanning and behavioural monitoring.
Morphisec security researchers identified the threat during routine monitoring of suspicious network activities. Their analysis revealed that attackers were using Tuoni to deliver secondary payloads including credential stealers, ransomware, and remote access trojans.
The framework supports various communication protocols and can blend its traffic with legitimate network activity, making it challenging for security teams to identify compromised machines.
Technical Analysis of Tuoni’s In-Memory Execution
The Tuoni framework employs several advanced techniques to maintain stealth while operating on infected systems. At its core, the malware uses process injection to insert its code into legitimate Windows processes such as svchost.exe or explorer.exe.
This is achieved through API calls such as VirtualAllocEx and WriteProcessMemory, which allocate executable memory inside the target process and copy the malicious payload into it, followed by CreateRemoteThread to start execution at that address:
// hProcess is a handle to the target opened with PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_CREATE_THREAD rights
LPVOID addr = VirtualAllocEx(hProcess, NULL, payloadSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); // allocate an RWX region in the target
WriteProcessMemory(hProcess, addr, payload, payloadSize, NULL);                               // copy the payload into that region
CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)addr, NULL, 0, NULL);          // run it on a new thread in the target
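The three calls above leave a recognisable footprint in endpoint telemetry. As an added example, not taken from Morphisec's analysis or from Tuoni itself, the script below correlates constructed Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records: a process that obtains thread-creation and memory-write rights on another process and then starts a remote thread at an address with no backing module is what VirtualAllocEx, WriteProcessMemory and CreateRemoteThread look like from the outside. The access-right constants are the documented Win32 values; the image paths, addresses and events are invented for the example.

```python
"""Detect the VirtualAllocEx/WriteProcessMemory/CreateRemoteThread chain from
Sysmon-style events. Example code; the sample events below are constructed."""

# Process access rights from winnt.h that the injection chain needs.
PROCESS_CREATE_THREAD = 0x0002   # CreateRemoteThread
PROCESS_VM_OPERATION = 0x0008    # VirtualAllocEx and WriteProcessMemory
PROCESS_VM_WRITE = 0x0020        # WriteProcessMemory
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Host processes the article names as injection targets.
COMMON_TARGETS = {"svchost.exe", "explorer.exe"}

# Constructed sample events shaped like Sysmon Event ID 10 (ProcessAccess) and
# Event ID 8 (CreateRemoteThread). Paths, addresses and access masks are invented.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x43A"},
    {"EventID": 8, "SourceImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x1E4F2A30000",
     "StartModule": "", "StartFunction": ""},
    # Benign: query-only access that never creates a thread (e.g. a task manager).
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1400"},
    # Benign: a remote thread whose start address lies inside a loaded module.
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x7FFC1A2B3C40",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def has_injection_rights(granted_access):
    """True when the GrantedAccess mask (hex string as Sysmon logs it) contains
    every right needed to allocate, write and start a thread in the target."""
    return (int(granted_access, 16) & INJECTION_RIGHTS) == INJECTION_RIGHTS


def find_injection_chains(events):
    """Return one finding per remote thread started in memory that no module backs
    (StartModule empty), noting whether the same source earlier opened the target
    with injection-capable rights and whether the target is a common host process."""
    injection_capable = set()
    findings = []
    for ev in events:
        pair = (ev["SourceImage"], ev["TargetImage"])
        if ev["EventID"] == 10 and has_injection_rights(ev["GrantedAccess"]):
            injection_capable.add(pair)
        elif ev["EventID"] == 8 and not ev.get("StartModule"):
            # An unbacked start address is the VirtualAllocEx region from the
            # sequence above; module-backed thread starts are normal.
            findings.append({
                "source": ev["SourceImage"],
                "target": ev["TargetImage"],
                "start_address": ev["StartAddress"],
                "prior_access": pair in injection_capable,
                "target_is_common_host": image_name(ev["TargetImage"]) in COMMON_TARGETS,
            })
    return findings


if __name__ == "__main__":
    for finding in find_injection_chains(SAMPLE_EVENTS):
        print(finding)
```

In production the source image needs an allowlist (EDR agents, debuggers and some installers legitimately hold these rights), and a finding with prior_access set and a common host process as target deserves a memory dump of the target rather than a file scan.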
The framework also encrypts its network communications with AES-256, so commands and exfiltrated data exchanged between the infected host and the C2 server are not readable in transit.
This prevents network monitoring tools from inspecting the content of commands and stolen data, although connection metadata such as destinations, transfer sizes and callback timing remains visible. Organizations should implement memory scanning and monitor for unusual process behaviour, such as one process opening another with memory-write and thread-creation rights, to detect Tuoni infections effectively.
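Because the payload is encrypted, the detectable signal on the wire is cadence rather than content. As an added example, not from the article's source and not part of Tuoni, the script below runs a beacon-periodicity check over a constructed connection log: for each source/destination pair it computes the coefficient of variation of the intervals between connections, and a near-constant interval is what a fixed sleep with little jitter produces. The hosts and timestamps are invented (203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation-only ranges) and the thresholds are assumptions to be tuned per environment.

```python
"""Beacon-cadence check over a constructed connection log. Example code: the
content of each connection is encrypted, but the spacing between callbacks
to the same destination is not."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (invented addresses and times). 203.0.113.10 beacons
# roughly every 60 s; 198.51.100.5 is irregular browsing; 192.0.2.77 is a one-off.
SAMPLE_LOG = """\
2024-05-01 10:00:00 10.0.0.25 -> 203.0.113.10:443
2024-05-01 10:00:05 10.0.0.25 -> 198.51.100.5:443
2024-05-01 10:00:10 10.0.0.25 -> 198.51.100.5:443
2024-05-01 10:00:58 10.0.0.25 -> 203.0.113.10:443
2024-05-01 10:02:00 10.0.0.25 -> 203.0.113.10:443
2024-05-01 10:03:00 10.0.0.25 -> 203.0.113.10:443
2024-05-01 10:03:59 10.0.0.25 -> 203.0.113.10:443
2024-05-01 10:05:00 10.0.0.25 -> 203.0.113.10:443
2024-05-01 10:05:10 10.0.0.25 -> 198.51.100.5:443
2024-05-01 10:05:22 10.0.0.25 -> 198.51.100.5:443
2024-05-01 10:06:00 10.0.0.25 -> 203.0.113.10:443
2024-05-01 10:06:52 10.0.0.25 -> 198.51.100.5:443
2024-05-01 10:06:54 10.0.0.25 -> 198.51.100.5:443
2024-05-01 10:07:00 10.0.0.25 -> 203.0.113.10:443
2024-05-01 10:08:00 10.0.0.25 -> 192.0.2.77:80
2024-05-01 10:13:34 10.0.0.25 -> 198.51.100.5:443
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) -> (\S+)$")


def parse_connections(text):
    """Yield (src, dst, timestamp) for each well-formed line; others are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), datetime.fromisoformat(m.group(1))


def beacon_candidates(connections, min_connections=6, max_cv=0.15):
    """Flag (src, dst) pairs whose inter-connection intervals are nearly constant.
    cv = population stddev / mean of the intervals; a low cv means a fixed sleep
    with little jitter. Both thresholds are example assumptions, not Tuoni facts."""
    by_pair = defaultdict(list)
    for src, dst, ts in connections:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "connections": len(stamps),
                             "mean_interval": avg, "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in beacon_candidates(parse_connections(SAMPLE_LOG)):
        print(finding)
```

A C2 sleep with uniform jitter of plus or minus 20 percent still yields a cv near 0.12, so 0.15 catches it; raising the threshold catches sloppier beacons at the cost of flagging legitimate pollers such as update checkers, which is why destination reputation and the process that owns the socket should be joined to the result before anyone acts on it.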
