- Mustang Panda uses an updated ToneShell backdoor to attack Asian government agencies
- Newer variants are loaded by signed minifilter drivers that provide rootkit-style stealth and tamper with Defender
- Kaspersky recommends memory forensics and IoC matching to detect infections on compromised systems
A Chinese state-backed attacker known as Mustang Panda has been observed using an updated version of the ToneShell backdoor to attack government agencies across Asia.
This is according to security vendor Kaspersky, which recently analyzed malicious filter drivers found on computers belonging to government agencies in countries such as Myanmar and Thailand.
The driver led to the discovery of ToneShell, a backdoor that gives attackers persistent access to infected devices, allowing them to upload and download files, create new documents, and more.
Minifilter and kernel-mode driver
Kaspersky said the new version adds capabilities such as creating remote shells over pipes, exiting shells, canceling downloads, closing connections, and creating temporary files for incoming data.
ToneShell is commonly used for cyber-espionage. The victims' computers also appeared to be infected with other malware, including the PlugX and ToneDisk USB worms. Researchers believe the campaign began in February 2025.
What is different about this campaign is the use of minifilter drivers signed with stolen or leaked certificates.
“For the first time, we see ToneShell being distributed via a kernel-mode loader, taking advantage of the capabilities of the rootkit driver to protect it from user-mode surveillance and hide its activity from being discovered by security tools,” Kaspersky said.
Minifilters are kernel-mode drivers that sit in the Windows file system stack and intercept file system operations in real time. They allow software to view, block, modify, or log file activity before it reaches the disk, and they are part of Microsoft's File System Filter Manager framework.
In addition, the attacker tampered with Microsoft Defender to prevent its filter from being loaded into the I/O stack.
Researchers recommend memory forensics as the most important method for detecting ToneShell infections and preventing further attacks. Kaspersky also shared a list of indicators of compromise (IoCs) that can be used to determine whether a system has been compromised.
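A defender-side triage script, added here as an example and not part of the Kaspersky report: it enumerates the minifilters registered with Filter Manager (services that carry an Instances subkey with an Altitude), checks each driver image's Authenticode signature and signer, and confirms that Defender's WdFilter minifilter is actually attached. The list of expected signers is an assumption to adjust per environment; the script assumes a Windows host with PowerShell 5 or later and an elevated shell for fltmc.exe.

```powershell
# Constructed example: audit registered minifilters and Defender's filter attachment.
# Expected-signer names are an assumption; tune them for the drivers your fleet runs.
$expectedSigners = @('Microsoft Windows', 'Microsoft Windows Hardware Compatibility Publisher')

function Resolve-DriverPath([string]$imagePath) {
    # ImagePath may be "system32\drivers\x.sys", "\SystemRoot\..." or "\??\C:\...".
    $p = $imagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    $instKey = "$($svc.PSPath)\Instances"
    if (-not (Test-Path $instKey)) { continue }   # only minifilters register instances here
    $altitude = (Get-ChildItem $instKey | ForEach-Object { (Get-ItemProperty $_.PSPath).Altitude }) -join ','
    $props = Get-ItemProperty $svc.PSPath
    if (-not $props.ImagePath) { continue }
    $file = Resolve-DriverPath $props.ImagePath
    $sig  = Get-AuthenticodeSignature -FilePath $file -ErrorAction SilentlyContinue
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    # A stolen or leaked certificate still yields Status = Valid, so the signer name matters.
    $review = (-not $sig) -or ($sig.Status -ne 'Valid') -or
              -not ($expectedSigners | Where-Object { $signer -like "*CN=$_*" })
    [pscustomobject]@{
        Filter    = $svc.PSChildName
        Altitude  = $altitude
        Image     = $file
        SigStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer    = $signer
        Review    = $review
    } | Format-List
}

# Defender's file-system minifilter is WdFilter; a healthy host lists it in fltmc.
$loaded = & fltmc.exe filters 2>$null
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'fltmc.exe needs an elevated shell to list loaded filters'
} elseif (-not ($loaded -match '^\s*WdFilter\b')) {
    Write-Warning 'WdFilter is not attached to the I/O stack; check for Defender tampering'
}
```

Entries flagged with Review = True, and any registered filter that fltmc does not show as loaded, are candidates for the memory forensics and IoC checks the article recommends.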