Security Boulevard

via the comic humor & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘The Roads Both Taken’ appeared first on Security Boulevard.

Migrating from on-premises infrastructure to the cloud is an important step for any business seeking to modernize operations, improve scalability, and (potentially) reduce costs. Using Amazon Elastic Kubernetes Service (EKS), Microsoft Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE) and the 7 Rs migration framework can help you streamline this transition. Let’s look at what moving from on-prem to cloud looks like and what might be involved, from infrastructure to application refactoring.

The post Time to Migrate from On-Prem to Cloud? What You Need to Know appeared first on Security Boulevard.

In today’s rapidly changing digital environment, APIs play a crucial role in modern business, facilitating smooth connectivity and data sharing. Yet, this interconnected nature brings significant security and privacy risks, as evidenced by the Federal Trade Commission's (FTC) recent settlement with GoDaddy. This settlement serves as a stark reminder that strong API security is no longer just a good security practice but is now a legal obligation.

GoDaddy’s API Security Breaches

The FTC's actions against GoDaddy arose from the company’s failure to implement suitable security measures, which resulted in repeated data breaches between 2019 and 2022. These incidents exposed sensitive customer information, including usernames, passwords, and employee credentials. The FTC’s investigation highlighted several critical API security shortcomings:

• Inadequate API Authentication: One API from GoDaddy compromised sensitive customer data by lacking multi-factor authentication (MFA) and encryption.
• Insufficient API Monitoring: GoDaddy did not implement vital security features such as rate-limiting, logging, and anomaly detection, which allowed unauthorized access to 1.2 million customer records.‍
• Weak Access Controls: The company's APIs disclosed admin credentials and encryption keys, enabling attackers to compromise websites.

FTC-Required API Security Measures

As part of this settlement, the FTC imposed a comprehensive security regimen on GoDaddy, introducing, among other things, various API security requirements. These requirements reflect the FTC’s increased scrutiny of API security and offer a clear structure for businesses to adopt:

• Encrypted API Communications: APIs used for delivering services or involving personally identifiable information (PII) must utilize HTTPS for all requests, with TLS encryption for data in transit.
• Access Control: API requests should be authenticated using a method that safeguards authenticity at the session level and includes adequate protections against session hijacking and information tampering.
• Rate Limiting: API connections must implement suitable rate limiting to guard against abuse and distributed denial-of-service attacks.
• Monitoring & Anomaly Detection: Both inbound and outbound API traffic should be diligently monitored for suspicious activities and attacks.‍
• Audit Logs & Incident Response: API security logs must be maintained and analyzed to detect and respond to breaches.

Implications for Law and Business

The GoDaddy settlement highlights the significant legal and business ramifications that arise from inadequate API security. Companies that neglect API security may face several consequences, including:

• Regulatory Risks: The FTC has shown a readiness to take action against companies with insufficient API security measures. Noncompliance can lead to scrutiny from the FTC, financial penalties, and government oversight.
• Reputation Damage: API security breaches can intrinsically harm a company’s reputation, reducing customer trust and inflicting long-term damage to the brand.‍
• Operational disruptions: A compromised API can result in data theft, fraud, and service disruptions that affect business continuity and revenue

How Salt Security Can Assist

Salt Security is the foremost API security platform that aids organizations in discovering, protecting, and managing their APIs at scale. The Salt platform offers a full range of capabilities to meet the FTC’s API security requirements, helping organizations develop and maintain a robust API security framework, including:

• API Discovery and Inventory: Automatically identify and catalog all APIs, including shadow APIs, third-party APIs, and legacy systems.
• API Posture Governance: Continuously assess and monitor your APIs’ security posture, delivering insights into potential risks and improvement areas. This includes identifying and mitigating vulnerabilities, enforcing security protocols, and tracking compliance with regulations.
• API Threat Protection: Immediately detect and prevent API attacks, including those from the OWASP Top 10 and complex business logic threats.
• API Vulnerability Management: Spot and address API vulnerabilities before exploitation, including issues linked to authentication, authorization, and data exposure.
• API Compliance: Ensure adherence to regulatory frameworks and standards, such as the API security requirements espoused by the FTC, offering tools and reporting features to validate compliance with security best practices.

By adopting the Salt Security platform, organizations can methodically tackle API security threats, reduce potential legal and business fallout, and protect their digital assets. Schedule a demo to see Salt Security in action.

The post The FTC Is Watching: GoDaddy’s Settlement Sends a Clear Message on API Security appeared first on Security Boulevard.

S4 EP 5: What’s changed, what’s working, and how to prepare for when, not if, incidents hit critical infrastructure.

The post How Critical Infrastructure Leaders Are Rethinking Cybersecurity appeared first on Security Boulevard.

Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA), was fired by Donald Trump in 2020 for publicly affirming that the presidential election was secure and free from widespread fraud. Fast-forward to April 2025: Trump, now back in the White House, issued an executive order revoking Krebs’ security clearances and ordering […]

The post Trump’s Retaliation Against Chris Krebs — and the Cybersecurity Industry’s Deafening Silence appeared first on rud.is.

The post Trump’s Retaliation Against Chris Krebs — and the Cybersecurity Industry’s Deafening Silence appeared first on Security Boulevard.

Exploiting SMS: Threat Actors Use Social Engineering to Target Companies

The post Exploiting SMS: Threat Actors Use Social Engineering to Target Companies appeared first on Security Boulevard.

How modern secrets management shapes culture, reduces friction, and clears the way for developer innovation

The post From maintenance to innovation: The cultural impact of managed secrets appeared first on Security Boulevard.

Mend.io continues to deliver uninterrupted, multi-source vulnerability protection.

The post MITRE CVE Program Uncertainty: Mend.io’s commitment to uninterrupted vulnerability protection appeared first on Security Boulevard.

Introduction In today’s digital era, security breaches can occur in the blink of an eye. Telegram Desktop is renowned for its secure, user-friendly messaging interface, but what if the data used to provide seamless experience could also be your greatest problem? Our investigation into three seemingly harmless PyPI color packages revealed a hidden background functionality […]

The post From PyPI to the Dark Marketplace: How a Malicious Package Fuels the Sale of Telegram Identities appeared first on Blog.

The post From PyPI to the Dark Marketplace: How a Malicious Package Fuels the Sale of Telegram Identities appeared first on Security Boulevard.

A whistleblower in the NLRB said in sworn testimony that staffers within the Musk-led DOGE group breached agency systems, exfiltrated sensitive data, and used tools and techniques similar to those wielded by cybercriminals to hide their actions.

The post Whistleblower: Musk’s DOGE Stole Data, Caused Breach at U.S. Agency appeared first on Security Boulevard.

Slash SOC response times from hours to minutes with Morpheus AI—register for our live AI workshop on May 7 to transform your Tier 1/2 operations.

The post AI Workshop: Fully Automate Tier 1/2 SOC Tasks…At Scale appeared first on D3 Security.

The post AI Workshop: Fully Automate Tier 1/2 SOC Tasks…At Scale appeared first on Security Boulevard.

Learn how to secure embeddings against poisoning, leakage, and inversion attacks.

The post Vector and Embedding Weaknesses in AI Systems appeared first on Security Boulevard.

Concerns about the future of the MITRE CVE Program continue to circulate. The Tenable Security Response Team has created this FAQ to help provide clarity and context around this developing situation.

Background

The Tenable Security Response Team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding changes around the MITRE CVE Program. As the situation continues to evolve, we will continue to provide updates as new information is released.

FAQ

What is the current status of the MITRE CVE Program?

As of April 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has extended funding for the MITRE CVE Program for one year. In a post and update to their website, CISA confirmed the extension, and a spokesperson added that they “executed the option period on the contract to ensure there will be no lapse in critical CVE services.”

pic.twitter.com/DYv4uKzLrq

— Cybersecurity and Infrastructure Security Agency (@CISAgov) April 16, 2025

When did CVE Board Members find out about the expiration of the MITRE CVE Program and other related programs?

CVE Board members received a notification from MITRE on April 15, 2025. This notification was circulated on social media and picked up in news articles. Tenable published a blog post about the forthcoming expiration and updated it on April 16 upon news of the subsequent renewal.

What is the importance of the CVE Program?

The CVE Program provides the industry with a common identifier used for identifying vulnerabilities which in turn allows the industry to fully track all affected products, remediations, tactics, techniques and procedures (TTPs) and risk measurements for a vulnerability. Without this we run the risk of being unable to accurately map active exploitation and associated risk to that vulnerability.

One important function that the CVE program serves is to operate as a CVE Naming Authority (CNA) of last resort, particularly when there are disputes over CVE issuance. This helps to minimize conflicting reports and duplicate records.

What is the value of having a CVE Naming Authority (CNA)?

The CVE Program enables various entities to become a CNA. The CNA program allows vendors, researchers, open source developers and others to reserve and assign CVEs while providing information about a vulnerability. Currently there are over 450 CNAs that participate in the CVE Program.

What is Tenable’s relationship with the CVE Program?

Tenable is a CNA within the CVE Program and, as such, issues CVEs for its own products and vulnerabilities in other products discovered by its research team for which there is no CNA.

What about the announcements of efforts from the CVE Foundation and GCVE?

On the morning of April 16, 2025, the CVE Foundation published a press release regarding an effort for transitioning the CVE program to a non-profit foundation established by active CVE Board members. The CVE Foundation aims to move the CVE Program away from a government-funded project to eliminate the risk of “a single point of failure in the vulnerability management ecosystem.”

Additionally, we are aware of other efforts being launched, including the Global CVE (GCVE) allocation system by the Computer Incident Response Center Luxembourg (CIRCL). According to their FAQ, GCVE is a “decentralized system for identifying and numbering security vulnerabilities.” The GCVE site notes that existing CNAs can become GCVE Numbering Authorities (GNAs) and would have autonomy to define their own policies for the identification of vulnerabilities.

Tenable will continue to monitor these evolving efforts surrounding CVE and other programs and update the community as we learn more.

How is Tenable impacted by the interruptions to CVE issuance at both MITRE and the National Vulnerability Database (NVD)?

With uncertainty around interruptions to the CVE Program, Tenable has reserved a sufficient number of CVEs for disclosing vulnerabilities in our products and those discovered in other products.

Tenable is not dependent on either MITRE or NVD for sourcing the logic needed to determine if a product is vulnerable or not. We source our coverage from vendor advisories, which will enable us to continue providing coverage as long as vendors publish security advisories.

Get more information

• Tenable Blog: MITRE CVE Program Funding Extended For One Year
• Tenable Blog: Recent NVD Delays Won’t Affect Tenable Vulnerability Management Customers Thanks To Our Diverse Scoring Sources
• CVE Foundation
• Global CVE Allocation System (GCVE)

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The post Frequently Asked Questions About the MITRE CVE Program Expiration and Renewal appeared first on Security Boulevard.

Author/Presenter: Mike Larkin

Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel.

Permalink

The post BSidesLV24 – Common Ground – 101 Things Your Application is Doing Without Your Knowledge appeared first on Security Boulevard.

via the comic humor & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Anachronym Challenge’ appeared first on Security Boulevard.

Yesterday's headlines have sent ripples through the cybersecurity and software supply chain communities: MITRE announced that U.S. government funding for the CVE (Common Vulnerabilities and Exposures) database was set to expire today. Overnight, the CVE Foundation emerged with a plan to maintain the program before the Critical Infrastructure and Security Agency (CISA) announced it has extended support for the program this morning. As the backbone of the global vulnerability identification system, CVE has long served as the industry’s shared language for describing digital flaws.

The post What’s happening with MITRE and the CVE program uncertainty appeared first on Security Boulevard.

The 2025 PyPI supply chain attack is a stark reminder of just how vulnerable cloud ecosystems remain to sophisticated, stealthy, and evolving threats.

The post Why the 2025 PyPI Attack Signals a New Era in Cloud Risk appeared first on Security Boulevard.

Mitre’s CVE’s program—which provides common naming and other informational resources about cybersecurity vulnerabilities—was about to be cancelled, as the US Department of Homeland Security failed to renew the contact. It was funded for eleven more months at the last minute.

This is a big deal. The CVE program is one of those pieces of common infrastructure that everyone benefits from. Losing it will bring us back to a world where there’s no single way to talk about vulnerabilities. It’s kind of crazy to think that the US government might damage its own security in this way—but I suppose no crazier than any of the other ways the US is working against its own interests right now...

The post CVE Program Almost Unfunded appeared first on Security Boulevard.

This is Part 2 of our two-part technical analysis on Mustang Panda’s new tools. For details on ToneShell and StarProxy, go to Part 1.IntroductionIn addition to the new ToneShell variants and StarProxy, Zscaler ThreatLabz discovered two new keyloggers used by Mustang Panda that we have named PAKLOG and CorKLOG as well as an EDR evasion driver (SplatCloak) on Mustang Panda’s staging server. In Part 2 of this series, we will analyze these keyloggers and the EDR evasion driver.Key TakeawaysMustang Panda continues to create new tooling in targeted attacks.PAKLOG is a keylogger that the group uses to monitor keystrokes and clipboard data and employs a custom character encoding scheme to obfuscate the log data.CorKLOG is also a keylogger deployed by Mustang Panda that uses a 48-character long RC4 key to encrypt the contents of the key logger capture file. Persistence is maintained by creating services or scheduled tasks.SplatCloak is a tool used by Mustang Panda that disables kernel-level notification callbacks for four Windows Defender-related drivers and Kaspersky drivers. The developers implemented code obfuscation techniques, including control flow flattening and mixed boolean arithmetic, to hinder analysis.Technical Analysis The technical analysis in this section focuses on the keyloggers, PAKLOG and CorKLOG, along with SplatCloak. Both PAKLOG and CorKLOG are straightforward keyloggers, but CorKLOG includes persistence mechanisms. Additionally, both keyloggers obfuscate log files to conceal their activity. SplatCloak, deployed by SplatDropper, is a Windows kernel driver designed to disable EDR-related routines implemented by Windows Defender and Kaspersky, enabling it to evade detection.PAKLOGPaklog is a keylogger that utilizes high-level Windows APIs to capture keystrokes and monitor clipboard activity. The keylogger then encodes this data and writes it to a local file. Paklog lacks built-in exfiltration capabilities, suggesting that Mustang Panda mainly uses it to collect data and leverages other methods for data exfiltration. Paklog is deployed via a RAR archive (e.g., key.rar), which contains two files: a signed, legitimate binary (PACLOUD.exe) and the malicious Paklog DLL (pa_lang2.dll). The PACLOUD.exe binary is used to sideload the Paklog DLL which starts the keylogger functionality. The sections below provide more information about Paklog.The Paklog DLL (pa_lang2.dll) includes a malicious export function named ASH_LANG2_add, which performs the following actions:Keylogging Setup: Utilizes the SetWindowsHookExW API, with idHook set to WH_KEYBOARD_LL, and a custom hook procedure.Data Logging: The custom hook procedure tracks keystrokes within the foreground window and logs the information in the following format:%26lt;timestamp%26gt; %26lt;window_text%26gt; %26lt;process_full_path%26gt; timestamp: The precise time the key was pressed, formatted as %Y-%m-%d %H:%M:%S.window_text: The text of the foreground window.process_full_path: The full path of the process active in the foreground. Key Mapping: Each key's virtual code is mapped to a specific string that represents the corresponding key pressed by the user.In addition to keylogging, Paklog can be used to monitor clipboard activity and extract its contents. Whenever the user presses the Ctrl + V key combination, the malware intercepts the request, retrieves the clipboard data, and copies it to a buffer. Both the keystrokes and clipboard data are encoded and saved to the file: C:\\Users\\Public\\Libraries\\record.txt.PAKLOG uses a simple encoding mechanism to encode the characters in the buffer.Uppercase charactersIf the ASCII code of the character is below 0x5a (the uppercase character range), the new character code is determined using the formula:new_char_code = (orig_char_code - 0x3e % 0x1a) + 0x41Lowercase charactersIf the ASCII code of the character is above 0x5a (the lowercase character range), the new character code is determined using the formula:new_char_code = (orig_char_code - 0x5e % 0x1a) + 0x61CorKLOGCorkLOG is another keylogger designed to capture keystrokes, storing the captured data in an encrypted file using a 48-character RC4 key. To ensure it runs continuously, the keylogger establishes persistence on the system by creating services or scheduled tasks. CorkLOG is delivered through a RAR archive (e.g., src.rar), which contains two files: an executable (lcommute.exe) and the CorKLOG DLL (mscorsvc.dll). Mustang Panda likely intended on the executable being used to sideload the DLL to activate the keylogger. However, due to an error, the executable does not sideload the DLL, since the executable does not load a DLL with CorKLOG DLL’s filename.The CorKLOG DLL achieves persistence through one of two mechanisms, depending on its privilege level. If it detects that it is running with administrator privileges, the malware installs itself as a service. The second persistence mechanism creates a scheduled task called TabletlnputServices. The scheduled task is set to run every 10 minutes using the following command-line:schtasks /create /tn TabletlnputServices /tr %26lt;FILENAME%26gt; /sc minute /mo 10 /fCorKLOG then executes schtasks a second time to run the task immediately.The keylogging code records its output to a file, encrypting the contents with RC4 using the key fkpioefpoea$@^Tf0-0-gepwf09IJGEJ0IFAPKO456SG894E before writing them to disk.CorKLOG includes a configuration file stored in the .config section of the binary. While the configuration file for this sample is missing, our analysis suggests that it typically contains the following values:Service nameService display nameFolderThe code snippet below illustrates the multi-stage decryption process applied to the configuration values. This process uses the same XOR key, but begins at four different offsets within the key, performing a series of XOR operations on the encrypted string.void crypto_xor_decrypt(PCSTR buffer, int32_t size)
{
uint8_t index = 0;
if (size)
{
// First decryption pass, the xor key starting location is at the beginning of the xor key
do
{
// xor key length := 0x3f
buffer[index] ^= xorkey[index & 0x3f];
index += 1;
} while (index %26lt; size);
PVOID buffer_2 = buffer;
int32_t copy_of_size = size;
int32_t copy_of_size_1;
// Second decryption pass, the xor key starting location is 2 bytes from the beginning of the xor key
do
{
*(uint8_t*)buffer_2 ^= xorkey[(2 - buffer + buffer_2) & 0x3f];
buffer_2 += 1;
temp_str_len_remaining = str_len_remaining;
str_len_remaining -= 1;
} while (temp_str_len_remaining != 1);
PVOID buffer_1 = buffer;
int32_t str_len_remaining_1 = size;
int32_t temp_str_len_remaining_1;
// Third decryption pass, the xor key starting location is 5 bytes from the beginning of the xor key
do
{
*(uint8_t*)buffer_1 ^= xorkey[(5 - buffer + buffer_1) & 0x3f];
buffer_1 += 1;
temp_str_len_remaining_1 = str_len_remaining_1;
str_len_remaining_1 -= 1;
} while (temp_str_len_remaining_1 != 1);
uint32_t offset = 0xa - buffer;
int32_t temp_str_len_remaining_2;
// Forth decryption pass, the xor key starting location is 10 bytes from the beginning of the xor key
do
{
*(uint8_t*)buffer ^= xorkey[(offset + buffer) & 0x3f];
buffer = &buffer[1];
temp_str_len_remaining_2 = size;
size -= 1;
} while (temp_str_len_remaining_2 != 1);
}
}SplatDropperSplatCloak (discussed later) is deployed by SplatDropper, a small utility that drops the driver onto the system, executes it, and then removes itself to avoid leaving traces. SplatDropper is delivered inside a RAR archive (e.g., kb.rar), which contains two files: a legitimate executable (BugSplatHD64.exe) and the SplatDropper DLL (BugSplat64.dll).The legitimate executable sideloads the SplatDropper DLL, which performs the following actions:Resolves Windows APIs by hash.Decrypts the kernel driver (SplatCloak) using a single-byte XOR key (0x5a) and writes the result to disk.Creates a Windows service to execute SplatCloak.Waits 5 seconds to allow SplatCloak to run.Stops the Windows Service.Cleans up (removes the Windows service and deletes SplatCloak).SplatDropper resolves the required Windows API calls by hash. The hash algorithm is identical to the methods used in tonepipeshell and tonepipeshell_alt, but with a seed value of 131313 (instead of previously observed values that include 13131313 and 1313131313). The API hashing algorithm is shown in the code snippet below:char* apiname_1 = apiname;
int32_t api_hash = 0;
while ((int32_t)*(uint8_t*)apiname_1)
{
api_hash = api_hash * 131313 + (int32_t)*(uint8_t*)apiname_1;
apiname_1 = &apiname_1[1];
}
return (uint64_t)api_hash;SplatDropper generates three random strings, consisting of characters from A-Z, to create the filename, service name, and service display name. The algorithm is depicted in the code snippet below.// Generate a char buffer containing the ascii codes for A-Z
char alphabet[0x1a];
for (int32_t i = 0; i %26lt; 26; i += 1)
alphabet[(int64_t)i] = i + 0x41;
out_buffer[str_length] = 0;
// Construct a random string from the generated alphabet into
// the out_buffer
for (int32_t i_1 = 0; i_1 %26lt; str_length; i_1 += 1)
{
int32_t random_number = j_rand() + i_1;
if (random_number %26lt; 0)
random_number = -(random_number);
out_buffer[(int64_t)i_1] = alphabet[(int64_t)((int64_t)random_number % 26)];
}SplatCloakThe sole purpose of the SplatCloak driver is to identify and disable, or remove notification hooks and callbacks associated with Windows Defender and Kaspersky. SplatCloak makes use of a revoked certificate (certificate thumbprint: 09ededdcbdb0c03c850f1d29920e412348120c8d) issued to Xtreaming Technology Inc. with the start date of 2010-02-22 00:00:00 UTC and the end date of 2012-02-22 23:59:59 UTC. The threat actor is exploiting the fact that Windows allows drivers with revoked certificates to be loaded. ThreatLabz also confirmed that this driver will be successfully loaded on a fully patched Windows 10 system. Other interesting features implemented in SplatCloak are control flow flattening and mixed boolean arithmetic used to hinder reverse engineering efforts by malware analysts.The SplatCloak driver, similar to its dropper (SplatDropper), dynamically resolves Windows API functions; however, the code does not utilize API hashing. Instead, the driver resolves API calls by retrieving the SYSTEM_MODULE_INFORMATION structure via ZwQuerySystemInformation (with the SystemInformationClass parameter set to SystemModuleInformation) and traversing the returned SYSTEM_MODULE_ENTRY structure to locate the base address of ntoskrnl.exe. This process is shown in the figure below.Figure 1: Relationship between the system module information structure and the system module structure. Using the base address of ntoskrnl, the SplatCloak driver parses its Portable Executable (PE) structure to obtain the address of MmGetSystemRoutineAddress. This function is used to resolve various kernel-level Windows APIs, including the locations of PsProcessType and PsThreadType, which are also exported by ntoskrnl. Additionally, RtlGetVersion is resolved to retrieve the Windows build number.The SplatCloak driver retrieves the callback routine list pointers supplied by the system, which are shown in the table below:List NameList LengthDescriptionPspCreateProcessNotifyRoutine64List of function pointers that are executed when a process is created.PspCreateThreadNotifyRoutine64List of function pointers that are executed when a thread is created.PspLoadImageNotifyRoutine64List of function pointers that are executed when an image is loaded into memory.Table 1: List of kernel-level notification routines identified by the SplatCloak driver.This retrieval is accomplished by analyzing the bytes of the resolved functions to identify a specific pattern that points to their associated notification list of function pointers. The logic for each routine is illustrated in the figure below.Figure 2: SplatCloak logic for locating the routines: (left to right) PspCreateProcessNotifyRoutine, PspCreateProcessNotifyRoutine, and PspLoadImageNotifyRoutine.The CallbackListHead (registry related callbacks) location is also determined by inspecting the bytes in CmUnRegisterCallback, as shown in the figure below.Figure 3: Shows the process used by the SplatCloak driver to find the CallbackListHead location. If the Windows dwBuildNumber retrieved via RtlGetVersion is 19000 or higher (Windows 10 version 2004 or later), the driver proceeds to unregister and disable the identified callbacks. However, it’s worth noting that even in newer Windows versions with build numbers above 19000, the driver may not function correctly, as the opcodes for inspected functions have changed.To identify whether a callback or notification routine should be disabled, the SplatCloak driver retrieves the FullPathName from _SYSTEM_MODULE_ENTRY using ZwQuerySystemInformation as previously described. The malware then examines the filename to determine if it matches any of the Windows Defender-related drivers listed in the table below.Driver Description wdfilter.sys Responsible for monitoring and filtering file system activity to detect and prevent malicious behavior.wdboot.sysOperates during system boot to ensure protection against threats before the operating system fully loads.wddevflt.sysDesigned to monitor and filter device-level operations, providing an additional layer of security for hardware interactions.wdnisdrv.sysInspects and filters network streams to detect and block potential threats transmitted over the network.Table 2: List of Windows Defender-related files monitored by SplatCloak.The Kaspersky check involves enumerating each callback and notification routine within the system to pinpoint the binary associated with the function they reference. Once the corresponding binary is identified, the SplatCloak driver maps the binary into memory and analyzes its structure to locate the IMAGE_DIRECTORY_ENTRY_SECURITY. This entry provides a pointer to the code signing certificate embedded within the binary.Unlike other entries in the IMAGE_DATA_DIRECTORY array, which typically use relative virtual offsets, the IMAGE_DIRECTORY_ENTRY_SECURITY uses a physical file offset to indicate the location of the signed certificate. This physical offset points to where the certificate is stored, which is typically found in the file overlay — the data appended to the binary beyond the standard PE file structure. This process is shown in the figure below.Figure 4: SplatCloak process for determining the location and size of the code signing certificate. The SplatCloak driver uses this offset, if present, to locate the certificate and examine the associated bytes for the keyword kaspersky.With the exception of callbacks related to PsProcessType and PsThreadType, any callbacks or notifications that match either Kaspersky or drivers associated with Windows Defender are removed using the appropriate APIs.PsSetCreateProcessNotifyRoutineThe remove parameter is set to True.PsSetCreateProcessNotifyRoutineExThe remove parameter is set to True.PsSetCreateProcessNotifyRoutineEx2The remove parameter is set to True.PsRemoveCreateThreadNotifyRoutinePsRemoveLoadImageNotifyRoutineCmUnRegisterCallbackFor PsProcessType and PsThreadType, the OB_CALLBACK_ENTRY_t structure's Enabled value is set to FALSE, effectively disabling the callback. Both PsProcessType and PsThreadType are of type _OBJECT_TYPE. These structures and their relationships are depicted in the figure below.Figure 5: Shows path from _OBJECT_TYPE structure to the OB_CALLBACK_ENTRY_t structure. (Reference: https://github.com/wavestone-cdt/EDRSandblast) Threat AttributionFigure 6: Diamond model highlighting TTP overlap with past Mustang Panda activity.Zscaler ThreatLabz attributes this intrusion to Mustang Panda. Nearly all of the tools discussed in this analysis were hosted as RAR archives on the same server the threat actor used to deliver ToneShell (see Part 1). Tool overlap—particularly the inclusion of ToneShell—strongly links Mustang Panda to this activity. Additionally, technical overlaps in newly discovered tools align with prior Mustang Panda malware, including techniques such as control flow flattening, mixed boolean arithmetic, and RC4 encryption, which are hallmark features of Mustang Panda’s customized PlugX variant.The discovery of StarProxy (see Part 1) further strengthens the attribution, as it employs FakeTLS—similar to ToneShell. SplatDropper shares similarities in the API hashing techniques observed in the ToneShell variants covered in Part 1. From a victim’s perspective, aligning with the Diamond Model framework, Mustang Panda’s historical targeting of Myanmar and NGOs reinforces the connection, as these entities have been frequent targets of this threat actor over the years.ConclusionThe absence of a direct connection to a C2 server suggests that Mustang Panda likely relies on hands-on-keyboard access during their intrusions or employs additional tooling to facilitate the execution of their keyloggers (PAKLOG, CorKLOG) and EDR evasion driver (SplatCloak). This also implies that keylogger data must be exfiltrated through other methods. As highlighted in the first blog of this two-part series, the tools are designed with several techniques to mitigate detection. Specifically, the SplatCloak driver is tailored to evade Microsoft Defender and Kaspersky, and its dropper ensures the driver is removed from disk before execution.Overall, Mustang Panda demonstrates a calculated approach to achieving their objectives. Continuous updates, new tooling, and layered obfuscation prolongs the group’s operational security and improves the efficacy of attacks.Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to Mustang Panda at various levels with the following threat names:Win32.Backdoor.ToneshellWin32.Trojan.MustangPandaIndicators Of Compromise (IOCs)File indicatorsMD5 HashSHA1 HashSHA256 HashFilenameDescriptionf8e865c9ed99b1e4725f5ccdc3ef0ba7b2d865e243ea3d642c3a0a2c7d0ea52b79a18ec46f3a2913a59309c6b4b38040cfb08a4e04404e6f93215fd72dbc52781d99ff29key.rarRAR archive file a4eb2d1252b90f4b1d77ed374092a1625747a2dd63c97f97ee439482dfd43890410439026c01b3d9f7929d8d18747cb6feba416e8702f853a303a63ae37af38e95af79cdpa_lang2.dllThis is PAKLOG which is a Windows keylogger. e0ee591b4a97a9876f4f9e75be3fdd087d1bd5191ed9c42ead2fc51400d3a398df0c3f7b d72e2da9043737f816ea66070cede47fc9b012a3a5444cc2fbdf00e683f277f7PACLOUD.EXELegitimate and signed binaryade40faa90439abdac911ce1ac50e4b9361ad9f8d0b3f248a35e8d570ca58e8e152573cd3fa4e089bf7bf183d7e746b9eb02b852df5673d7ab39008252e3954fc70d2cbakb.rarRAR archive60138b3f2791742dd65bdf29376055e8f6ade6bbdd1828add500aa82505567cf9f21efaf1ffc8bde92758bc0d2ddcc5a6bb78c73b6409429e52d62191f25afa8ebfad84aBugSplatHD64.exeLegitimate and signed binarycbb7309092862f0999f7a442e17b1ba6ae896332d3b40b627f44e6dc038f8c2396ecaf4d86f6d29ef0532236ad180dcf9a4b0c1ac1f8f2ec9cec7a5b312f4e940df7edceBugSplat64.dllThis is SplatDropper which is responsible for dropping and executing SplatCloak.3385a945449774d71377d3a08e5d0d43 3e8cb0b1f93da475889dd065ee21261e1b6f6fffbefbc4c451721ad8cce0795f82aa0762640644807130bf5d0cba44a1cb194d9c This is SplatCloak which is a malicious driver dropped by BugSplat64.dll.6c4eb9be8ea20055b88c5b703d41d1d22696467025b0d1052d11d3f7bc68c6cb4cb635a59c61a53b787bb42b12a3a44151ce1348669b4c745d087fb602df2b28d0fd92b5src.rarRAR archivee7552a105efaadfa7fd3b7a5fc7d46bf5a7a1bfa0972a155928d9e0fb95c015fc00eb5103938de0ec99cd035899ddd7e793c3aea0de37213b69ab0db64c88f33eba3da5flcommute.exeLegitimate and signed binary91f1f4bd673807647126e65ab8fd15aef7cc59edd9fa8fd9b0d7d2316d86c348458b81013a59407db18f575adf956027c8e8af961e1e2ef01d097f6c0a934aeaad45de03mscorsvc.dllCorKLOG is a keylogger.Certificate details of the signed binariesSHA256 HashBinary NameName of the Signer1ffc8bde92758bc0d2ddcc5a6bb78c73b6409429e52d62191f25afa8ebfad84aBugSplatHD64.exeBugSplatd72e2da9043737f816ea66070cede47fc9b012a3a5444cc2fbdf00e683f277f7PACLOUD.exeConeXware, Inc.3938de0ec99cd035899ddd7e793c3aea0de37213b69ab0db64c88f33eba3da5flcommute.exeInternational Business Machines Corporationbefbc4c451721ad8cce0795f82aa0762640644807130bf5d0cba44a1cb194d9c(the dropped driver)Xtreaming Technology Inc.Network indicatorsTypeIndicatorPayload hosting server103.13.31[.]75/heugojhgriuhn78867jhkbjkdgfhuie78/jhegiokj7889seghjegh786jkhegfukj/Host indicatorsTypeIndicatorKeylog file used by PAKLOGC:\\Users\\Public\\Libraries\\record.txtSplatCloakTemporarily drops a .sys into C:\Users\public\ MITRE ATT&CK FrameworkIDTacticDescriptionT1574.002Hijack Execution Flow: DLL Side-LoadingAll the DLLs in this new toolset are sideloaded by legitimate and signed Windows binaries.T1056.001Input Capture - KeyloggingPAKLOG is a Windows user mode keylogger that captures the user keystrokes. T1115Clipboard DataPAKLOG captures the clipboard’s content.T1027Obfuscated Files or InformationPAKLOG encodes the contents of the file capturing keystrokes. Windows driver uses control flow flattening.T1573.001Symmetric CryptographyXOR encryption and RC4 encryption algorithms used by various Mustang Panda tools are symmetric cryptography algorithms.T1562.001Impair Defenses: Disable or Modify ToolsSplatCloak contains capabilities to disable Windows Defender and Kaspersky kernel-level monitoring callbacks.TA0002ExecutionCorKLOG will create a Scheduled Task.T1569.002System Services: Service ExecutionCorKLOG and SplatCloak are registered as Windows services.

The post Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2 appeared first on Security Boulevard.

IntroductionThe Zscaler ThreatLabz team discovered new activity associated with Mustang Panda, originating from two machines from a targeted organization in Myanmar. This research led to the discovery of new ToneShell variants and several previously undocumented tools. Mustang Panda, a China-sponsored espionage group, traditionally targets government-related entities, military entities, minority groups, and non-governmental organizations (NGOs) primarily in countries located in East Asia, but they have also been known to target entities in Europe.This blog post is the first in a two-part series that covers new variants of ToneShell and a new tool that we have named StarProxy, both found on Mustang Panda’s staging server. The second part of the blog explores two keyloggers and an EDR evasion driver, also hosted on the same staging server.Key TakeawaysToneShell, a backdoor used by Mustang Panda, has been updated with changes to its FakeTLS command-and-control (C2) communication protocol as well as to the methods for creating and storing client identifiers.ThreatLabz discovered a new lateral movement tool used by Mustang Panda that we have named StarProxy, which leverages the FakeTLS protocol to proxy traffic and facilitate attacker communications.Mustang Panda remains active in targeting organizations and individuals in Myanmar.Mustang Panda employs DLL sideloading techniques, typically bundling malicious tools inside RAR archives paired with legitimate, signed binaries.Technical AnalysisMustang Panda packs their tools in archive files hosted on a staging server. All the tools detected by ThreatLabz utilized DLL sideloading to execute malicious payloads to evade endpoint detection products.We will first examine new versions of a known Mustang Panda tool known as ToneShell. ToneShell is designed to download malicious payloads and execute attacker-specified commands on target machines.ToneShellToneShell is one of Mustang Panda's most frequently used malware tools. Since the core functionality has already been publicly documented, this analysis focuses solely on the recent changes worth highlighting. This section examines three variants of ToneShell: Variants 1 and 3 were discovered on Mustang Panda’s staging server, while Variant 2 was identified through a third-party malware repository bundled in a ZIP file instead of a RAR file. All three ToneShell variants were found in archive files, which include a legitimate executable (EXE) file and a DLL file (ToneShelll) which is sideloaded. ToneShell VariantArchive FilenameExecutable NameDLL Name1cf.rarmrender.exelibcef.dll2ru.zipFastVD.exeLogMeIn.dll3zz.rargpgconf.exelibgcrypt-20.dllTable 1: Example ToneShell variant filenames.Seed generationRandom number generators are utilized in multiple sections of ToneShell’s code for two primary purposes:As a fallback mechanism to generate a 16-byte GUID if CoCreateGuid() fails (as described in the following section).To generate a rolling XOR key, which encrypts and decrypts data exchanged between the victim’s machine and the C2 server.Each random number generator requires a seed, which ToneShell derives using various methods. These methods are listed in the table below.VariantDescriptionVariant 1Derives the seed by calling GetTickCount and adding a constant value to it.Variant 2Derives the seed by calling GetTickCount twice and multiplying the return values together.Variant 3Derives the Unix epoch timestamp from the Windows FILETIME format using the code shown below.Table 2: ToneShell random number seed generation.seed = (*(_QWORD *)&SystemTimeAsFileTime - 116444736000000000i64) / 10000000;Creation of GUID fileEach ToneShell variant observed in-the-wild generates a GUID, or a value derived from the GUID, and writes it to a file on the filesystem. This GUID is used to uniquely identify the infected machine. Recent variants display subtle changes in how this file is created. The table below shows how the three different ToneShell variants create the GUID file.VariantDescriptionVariant 1Calls CoCreateGuid to create a 16-byte GUID.If this fails, an array of 16 bytes is created, and populated with random bytes using a linear congruential generator (LCG).The generated 16-byte value is written to a file (C:\Users\public\description.ini).Variant 2Calls CoCreateGuid to create a 16-byte GUID.If this fails, an array of 16 bytes is created, and populated with random bytes using a linear congruential generator (LCG).Hashes the GUID to generate a 32-bit hash using a custom hash algorithm.The 32-bit hash value is then written to a file (C:\ProgramData\bcryptprimitive.appcore.tbi).Variant 3Calls CoCreateGuid to create a 16-byte GUID.If this fails, the malware creates an array of 16 random bytes, using the rand() function.Randomly generates a value up to 64KB that is used to determine the length of an array, using a custom LCG.Creates and populates the variable length array with randomly generated bytes, using the rand() function.Writes the length of the array, the GUID, and the randomly generated array to a file (%temp%\cryption_event.ini) using the structure shown below.Table 3: Shows how each ToneShell variant creates the GUID file. struct GUIDFILE
{
DWORD total_length;
BYTE guid[16];
DWORD length_of_random_byte_array; // 64KB max size
BYTE random_byte_array[];
}Rolling XOR keyToneShell employs a rolling XOR key to encrypt and decrypt network traffic exchanged with its C2 server. This XOR key is generated using an LCG, seeded by values derived through methods previously described. The XOR key size varies across ToneShell variants, with Team T5 documenting sizes ranging from 0x20 to 0x200. Variant 1 uses a 0x100-byte XOR keyVariant 2 uses a 0x100-byte XOR key Variant 3 uses a 0x200 byte XOR keyThis aligns with Mustang Panda's tactic of rapidly iterating and modifying their tools, likely to evade detection.FakeTLS headerFakeTLS headers are a key feature of ToneShell, which helps disguise the malware’s network activity. They are used to mimic the TLS protocol in network traffic exchanged between the infected machine and the C2 server.Earlier ToneShell variants utilized the FakeTLS header with the bytes 0x17 0x03 0x03, corresponding to TLSv1.2. However, newer variants have introduced the FakeTLS header bytes 0x17 0x03 0x04, to spoof TLSv1.3. Interestingly, in Variant 2, the TLSv1.3 FakeTLS header was used for sending beacons, while the server continued responding with the older TLSv1.2 header.This modification appears to be an attempt by the threat actor to evade network signature-based detection systems that rely on identifying specific FakeTLS header patterns.C2 commandsToneShell variants continue to utilize a custom TCP-based protocol. Compared to earlier versions, these newer variants focus primarily on executing payloads received from the C2, reflecting Mustang Panda's pattern of iterating their tools, likely to evade detection while adopting a more minimalist design for remote shells.Variant 1 is a very minimal backdoor, which receives files and acts as a reverse shell. The table below shows the C2 commands supported by Variant 1.Command NumberDescription1Receives and processes the next command from the C2 server.2Creates an empty file at the C2-specified file path and stores the file handle.3Appends the bytes received to an open file handle (from Command 2).4Appends the bytes received to an open file handle (from Command 2), closes the file handle, and frees up the file path string in memory thereafter.5Creates a reverse shell (cmd.exe), redirecting both stdin and stdout. ToneShell keeps track of this subprocess using an ID received from the C2 server. A background thread is created to continually send the output from the subprocess back to the C2 server.6Finds the subprocess with the given ID and writes to its standard input.7Terminates the subprocess with the given ID.Table 4: C2 commands supported by Variant 1 of ToneShell.Variant 2 specifically includes functionality to download DLLs from the C2 and execute them within victim processes through DLL injection. The table below shows the C2 commands supported by Variant 2.Command NumberDescription1Receives and processes the next command from the C2 server.2Pauses operation for 3 minutes.3Terminates the current process.4Retrieves the name of the infected machine.5Identifies usernames that are not built-in accounts.6Specifies the file path to create a new file (used in Command 8).7Defines the size of the file to be downloaded (used in Command 8).8Creates and writes a DLL file likely used in conjunction with Command 10.9Updates the configuration for the executable path used in shellcode injection (Command 10). Defaults to C:\WINDOWS\system32\svchost.exe.10This command creates a child process using the victim executable path specified by command 9. If a particular user is targeted, Mustang Panda leverages the user’s token to create the process. ToneShell then decodes shellcode that is hardcoded into the malware with randomized padding bytes, and specific arguments, including dwGUIDHash (the 32-bit GUID hash), wUnkSig (an unknown signature), dwC2IPAddress (the IP address of the C2), and szFilePath (the path to the DLL that will be injected into the child process). The patched shellcode is then written to the child process, which will load the specified DLL by invoking LoadLibraryA(szFilePath). The first ordinal of this DLL is resolved by using GetProcAddress(hModule, 1) and the ordinal is called with the respective arguments: dwGUIDHash, wUnkSig, and dwC2IPAddress.Table 5: C2 commands supported by Variant 2 of ToneShell.ToneShell Variant 3 includes functionality to download files and create a subprocess that redirects standard input (stdin), standard output (stdout), and standard error (stderr) streams to the C2 server. The table below shows the C2 commands supported by Variant 3.Command NumberDescription3Creates an empty file at the C2-specified file path and stores the file handle.4Opens an existing file at the C2-specified file path, moves to the end of the file, and stores the file handle.5Appends bytes received from the C2 to an open file handle (from Command 3).6Deletes the file used in commands 3, 4, or 5.7Executes a subprocess using the command-line received from the C2, redirecting the stdin, stderr, and stdout subprocess.8Transfers bytes received from the C2 to the stdin subprocess and reads its output.9Retrieves the output of the subprocess.10Terminates the subprocess and closes all associated handles.Table 6: C2 commands supported by Variant 3 of ToneShell.StarProxyThreatLabz uncovered a new lateral movement tool associated with Mustang Panda’s operations, which we named StarProxy. This tool was found within a RAR archive hosted on the group’s staging server with the name client.rar. The archive contains two files: a legitimate, signed binary (IsoBurner.exe) and a malicious DLL (StarBurn.dll), which is the StarProxy tool. The StarProxy DLL is sideloaded when the IsoBurner.exe file is executed.Once active, StarProxy allows attackers to proxy traffic between infected devices and their C2 servers. StarProxy achieves this by utilizing TCP sockets to communicate with the C2 server via the FakeTLS protocol, encrypting all exchanged data with a custom XOR-based encryption algorithm. Additionally, the tool uses command-line arguments to specify the IP address and port for communication, enabling attackers to relay data through compromised machines. The figure below illustrates how StarProxy proxies traffic.Figure 1: High-level diagram of StarProxy activity.Given the features of the malware, and the use of command-line arguments, Mustang Panda likely uses StarProxy as a post-compromise tool to access systems that are not reachable directly over the Internet.InitializationThe StarProxy DLL contains a malicious export function named StarBurn_UpStartEx, which expects two command-line arguments: a C2 IP address and a port number. Upon execution, the DLL attempts to connect to the specified C2 IP address. If the connection fails, StarProxy will keep retrying until it succeeds, waiting for one second in between attempts.BeaconingOnce a connection to the C2 server is successfully established, StarProxy beacons to the C2 to receive commands. If the C2 server signals that there are no commands, StarProxy waits for one second before beaconing again. If the C2 server signals that there are further commands to execute, StarProxy makes additional requests to the C2 server to retrieve the commands and execute them.Packet encryption and decryptionAll messages exchanged between the client and the C2 server are encrypted using two hardcoded 0x100-byte XOR keys. Details of the XOR keys and the encryption algorithm are available on the ThreatLabz GitHub page.C2 protocolRequest HeaderAll messages sent by StarProxy to the C2 server are prefixed with a request header (SEND_HEADER), which includes the fields below.struct SEND_HEADER
{
BYTE fake_tls_header[3]; // 0x17 0x03 0x03.
WORD message_size; // Size of data after the FakeTLS header.
DWORD zero; // Zero bytes (start of encrypted data with a hardcoded key).
WORD message_type; // C2 message type.
WORD buffer_size; // Buffer size specific to each message type.
}Response header All messages sent by the C2 to StarProxy are prefixed with a response header (RECV_HEADER), which includes the fields below.struct RECV_HEADER
{
BYTE fake_tls_header[3]; // 0x17 0x03 0x03.
WORD buffer_size; // Size of the message body (RECV_BODY).
}Notably, the FakeTLS header in these messages is designed to impersonate the TLSv1.2 protocol similar to the earlier ToneShell variants.Response body (RECV_BODY)The RECV_HEADER is followed by the RECV_BODY, which includes the command number and data specific to the corresponding command. The generic structure of the RECV_BODY is shown below.struct RECV_BODY
{
DWORD unused1;
WORD command_number; // The ID of the command to be executed.
WORD unused2;
BYTE body[]; // Body data (variable length array).
}
Beacon messageAs mentioned in the beaconing section above, StarProxy sends a beacon message (CMD_0_MESSAGE) at regular intervals to check for commands to be executed. The structure of the beacon message is shown in the table below.struct BEACON_MESSAGE
{
SEND_HEADER send_header; // message_type = 0 to indicate beacon message.
DWORD hash_of_rand_arr; // The hash of a randomly generated array with variable length, computed using a custom hash algorithm.
DWORD size_of_rand_arr; // Number of bytes occupied by the random array. This is always a multiple of four.
BYTE rand_arr[]; // A variable-length random array, likely used to verify the correct decryption of messages from the client.
}StarProxy uses the following convoluted process to generate the array of random bytes:Calls GetLocalTime() to retrieve a SystemTime structure.Adds up all members of the SystemTime structure to generate a seed.The seed is used to initialize a pseudo-random number generator (PRNG) using srand().Generates a random number between 1 and 16. This value will be the variable length (in bytes) of the array containing 32-bit integers.The array is filled with randomly generated 32-bit integers, which are then used to generate a 32-bit hash.In response to the beacon message, StarProxy expects the following response format from the C2:struct BEACON_MESSAGE_RESPONSE
{
RECV_HEADER recv_header; // Contains the FakeTLS header and message size.
DWORD unused;
DWORD has_command; // 0: command data present; any other value: no data present.
}C2 command handlerThe StarProxy client supports 5 command IDs (RECV_BODY.wCmdNum). The table below describes each command ID and its purpose.Command IDDescription1Command 1 appears to be a ping command.2Command 2 also appears to be a ping command, implemented exactly as command 1. The purpose of this duplicated command is unclear.3Command 3 directs StarProxy to set up a TCP connection to a target IP or domain. Once the connection is established, StarProxy sends the newly created socket descriptor to the C2. StarProxy then sets up a background thread to receive data from the target and forward it back to the C2.Command 3 is used in conjunction with command 4 to establish two-way communication with the target.While this sample of StarProxy is hardcoded to set up a TCP connection, StarProxy contains code which supports both UDP and TCP connections.4Forwards message to specified socket descriptor.5Closes the socket descriptor specified by the StarProxy C2 server.Table 7: Lists StarProxy commands.The purpose of the duplicate command handlers 1 and 2 is not clear, but could suggest that StarProxy is still under development.To Be ContinuedIn Part 1, we explored Mustang Panda’s modifications to ToneShell and a new lateral movement tool that we discovered called StarProxy that is likely used for post-compromise activities and lateral movement. In Part 2, we will explore two new keyloggers and an EDR evasion driver, also discovered on Mustang Panda’s staging server.Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to Mustang Panda at various levels with the following threat names:Win32.Backdoor.ToneshellWin32.Trojan.MustangPandaIndicators Of Compromise (IOCs)File indicatorsMD5 HashSHA1 HashSHA256 HashFilenameDescription233214d22659aa85f32bb705812a0b22fcc7095f6ddbffb7c2ca29188c45bbdf4c922c66ede116e8f652728773363f6808fa8bbd5af873398e4bb5393c210677fa96a654cf.rarRAR archive hosted on attacker's server b695a31ea90e61cc08da1837d836655a03272f764bc0f6d80a830c164a5357cd9179030ea0f42337601429ffda00aa64b8e6102e2470b2388c132f96002f37d40f40d587libcef.dllToneShell DLL4fefc66a0f7e1b2ed8affc9c3ba66ec70d186cd1ecc525716ac08cbd5f59c58e44d082028fe76b434c9d57d5b82a786bcfac5aa3a75be88b19df5cd76e111af58c3c98c5mrender.exeLegitimate signed binary 4572914d6fd4b50604b30c761736ef7d1afde3bfe7ff7a9a164c9e6a0de12f5f1ce50b9a91d8b31259d8602539fb6eaa0588d6521bf01299ccd8ed830abfe2ace7aea54dclient.rarRAR archive hosted on the server db26dbad33580489204320c9c5ea400b81dce30dfb85d8a110f384ab72f23081f20f500dc1d24a5cb1d57a91cf4a717425bd0d46b4436d14d7f4744fa8dfbb22609f57a8IsoBurner.exeLegitimate and signed binary 784bcd1f62b97589f479525d27f883cb70b286728cf006ae6da37d918d372b7cedd4085563aa30c452e4dc0aa2324ce891da1acfa90ce85476d2dd7ab85ff448f913af5eStarBurn.dllMalicious DLL - StarProxy 3ed1b60aada8ec3fc0965976c542dda5da01214c5df3ee4a5a6b99414e4bb1fd88f6eb3e649b32f2db7d71cd083e9af4fae2fb3c086f5ed73eac622f427f7fa5d513c605zz.rarRAR archive5788433d90e3297b32dfa009790490aa428c4da69023ec6ca7d253e5c643fd1c2689c55c69555f4d956fce11eac8fb6d7286c087d6acacf7971821ede1335e96a3c72736gpgconf.exeLegitimate and signed binary1b388ef6594415421ef1b3cd9502fc7a092cd5ad641ce749c100c2ad045e4aabb9bb7e90cf1f057bc8cb25b2d6d0704cef0655ea4d41ea247c51984b25635bd23c8ae109libgcrypt-20.dllToneShell DLL9afdcf5369eca11d412870f7cb805da920b4624781bdc1f670942dc07bf673abd1c5e70f21e271bde14b62a1c982ea3aefc1c42a7f5b412126e920e7dd4200cbf14fe475libgpg-error-0.dllN/A7c65d1e28fadf9b6d704b5c47016c05d67d777f491b89d052c709cec7762b91ab514d3e6a901fd9ef4044a872866ad9506cf3e17cbf58b93278ac3ca7e48820b3a228458Bandizip.exeLegitimate and signed binary2012bf5de269d9acd0bfd7250ab46c68337850d965dd9860162c2084d83d4113bac9559388e1b73318ba2107c2e70a59064d51e4fecd37ab6175735e43abfa8657d2cd91ark.x64.dllToneShell DLL5936b135905bee8f038b9266362f22c7f435900ebbc8a46c3b0b273d48b2ac149a35b194a9b1289383ffe3ee2bd0df96ad6918b9a7e27819e4bc10c3922d8bbd61cbd959ru.zipZip archived7ae078b2641b94c8042424a1387851b296c37ab1985c08bd3b194b129392c8d4d164399005754ced6f73a197a4a21c58da39d5e3ee84e484640765dbda2475f4ba2d3bdFastVD.exeLegitimate and signed binary6164f397ff13c56310e94af235a9aa02b2544370e041c2b3d38e5b1c0a22b4eab2d7058857e22a93fc31bd299871840864e82fa553e99501af7645102d07dceed2a8ef1aLogMeIn.dllToneShell DLLToneShell variantsThe table below shows details about the three ToneShell variants identified by ThreatLabz.VariantDescriptionVariant 1ITW Filename: libcef.dllMD5: b695a31ea90e61cc08da1837d836655aCompilation Time Stamp: Sun Dec 15 21:58:31 2024Variant 2ITW Filename: LogMeIn.dllMD5: 6164f397ff13c56310e94af235a9aa02Compilation Time Stamp: Tue Jan 14 02:42:26 2025Variant 3ITW Filename: libgcrypt-20.dllMD5: 1b388ef6594415421ef1b3cd9502fc7aCompilation Time Stamp: Thu Jan 02 09:48:51 2025Network indicatorsTypeIndicatorStaging server URL103.13.31[.]75/heugojhgriuhn78867jhkbjkdgfhuie78/jhegiokj7889seghjegh786jkhegfukj/C2 domainwww.dest-working[.]comC2 domainwww.profile-keybord[.]comC2 IP address43.229.79[.]163C2 IP address43.254.132[.]217C2 IP address181.215.246[.]155Host indicatorsToneShell GUID file pathsThe following files are used to store the GUID or its derived values.%temp%\cryption_event.iniC:\\ProgramData\\bcryptprimitive.appcore.tbiC:\Users\public\description.iniCertificate details of the signed binariesSHA256 HashBinary NameSigner Name8fe76b434c9d57d5b82a786bcfac5aa3a75be88b19df5cd76e111af58c3c98c5mrender.exeJUNYUN LIMITEDc1d24a5cb1d57a91cf4a717425bd0d46b4436d14d7f4744fa8dfbb22609f57a8IsoBurner.exeLSoft Technologies Inc69555f4d956fce11eac8fb6d7286c087d6acacf7971821ede1335e96a3c72736gpgconf.exeg10 Code GmbHMITRE ATT&CK FrameworkIDTacticDescriptionT1574.002Hijack Execution Flow: DLL Side-LoadingAll the DLLs in this new toolset are sideloaded by legitimate and signed Windows binaries.TA0011Command and ControlStarProxy and ToneShell variants have command-and-control capabilities.T1573Encrypted ChannelStarProxy uses two 256-byte XOR keys to encrypt and decrypt network packets using a custom algorithm. ToneShell variants use a randomly generated variable length (0x20 - 0x200 bytes) rolling XOR key to encrypt and decrypt network packets.T1090.001Proxy: Internal ProxyStarProxy is equipped with capabilities to route traffic between systems within a compromised network.T1573.001Symmetric CryptographyThe XOR encryption algorithms employed by Mustang Panda's tools are based on symmetric cryptography.TA0005Defense evasionEncrypted network packets exchanged between client and C2 server can be used to evade network security products.T1001.003Data Obfuscation: Protocol ImpersonationStarProxy and ToneShell variants use FakeTLS headers in network packets to impersonate various versions of TLS protocols and blend in with legitimate network traffic.T1027.007Obfuscated Files or Information: Dynamic API ResolutionToneShell uses a modified DJB2 algorithm to resolve APIs.T1055.001Process Injection: Dynamic-link Library InjectionToneShell uses DLL injection to execute payloads received from the C2 server.T1070.004Indicator Removal: File DeletionToneShell includes functionality to delete payload files received from the C2 server.T1134.002Access Token Manipulation: Create Process with TokenToneShell includes functionality to create sub-processes with a specific user’s token.T1087Account DiscoveryToneShell includes functionality to retrieve a list of user accounts.

The post Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1 appeared first on Security Boulevard.