TONESHELL

Malware & Tools · TONESHELL

· MalwareS1239 · Zararlı Yazılım

Type

malware

Techniques

Used By

1 groups

Platforms

Windows

Description

TONESHELL is a custom backdoor that has been used since at least Q1 2021.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023) TONESHELL malware has previously been leveraged by Chinese affiliated actors identified as Mustang Panda.(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)(Citation: Zscaler)

Tactic Coverage

stealth (19)discovery (9)command and control (7)execution (6)privilege escalation (5)persistence (4)collection (3)credential access (1)defense impairment (1)

Used By (1 groups)

G0129Mustang PandaTA416, RedDelta

Techniques (43)

T1001.003Protocol or Service Impersonation

command and control

T1010Application Window Discovery

discovery

T1027.001Binary Padding

stealth

T1027.007Dynamic API Resolution

stealth

T1027.012LNK Icon Smuggling

stealth

T1033System Owner/User Discovery

discovery

T1036.004Masquerade Task or Service

References

https://attack.mitre.org/software/S1239 https://www.attackiq.com/2023/03/23/emulating-the-politically-motivated-chinese-apt-mustang-panda/https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1

T1036.005Match Legitimate Resource Name or Location

stealth

T1047Windows Management Instrumentation

execution

T1053.005Scheduled Task

executionpersistence

T1055.001Dynamic-link Library Injection

stealthprivilege escalation

T1056.001Keylogging

collectioncredential access

T1057Process Discovery

discovery

T1059.003Windows Command Shell

execution

T1070.004File Deletion

stealth

T1071.001Web Protocols

command and control

T1082System Information Discovery

discovery

T1087Account Discovery

discovery

T1095Non-Application Layer Protocol

command and control

T1105Ingress Tool Transfer

command and control

T1106Native API

execution

T1113Screen Capture

collection

T1132.002Non-Standard Encoding

command and control

T1134.002Create Process with Token

stealthprivilege escalation

T1140Deobfuscate/Decode Files or Information

stealth

T1205Traffic Signaling

stealthpersistence

T1218.010Regsvr32

stealth

T1218.013Mavinject

stealth

T1480Execution Guardrails

stealth

T1480.001Environmental Keying

stealth

T1480.002Mutual Exclusion

stealth

T1497.002User Activity Based Checks

stealthdiscovery

T1518.001Security Software Discovery

discovery

T1543.003Windows Service

persistenceprivilege escalation

T1547.001Registry Run Keys / Startup Folder

persistenceprivilege escalation

T1553.002Code Signing

defense impairment

T1559Inter-Process Communication

execution

T1560.001Archive via Utility

collection

T1573.001Symmetric Cryptography

command and control

T1574.001DLL

stealthexecution

T1622Debugger Evasion

stealthdiscovery

T1678Delay Execution

stealth

T1680Local Storage Discovery

discovery