Rootkit Tactics: How Chinese Hackers Hide ToneShell Malware Activity



Chinese Hackers Use Kernel Rootkit to Conceal ToneShell Malware

A China-linked advanced persistent threat (APT) group associated with HoneyMyte, also known as Mustang Panda or Bronze President, has been observed deploying a new kernel-mode rootkit to stealthily hide its ToneShell backdoor operations.


Security researchers report that this campaign is focused on long-term cyber-espionage, rather than financial gain, and has primarily targeted government networks across Southeast and East Asia, with Myanmar and Thailand suffering the most significant impact.


Attack Overview: Signed Driver as the Entry Point

The attack begins on already compromised Windows systems, where attackers drop a malicious kernel driver named:

ProjectConfiguration.sys

This driver is loaded as a Windows mini-filter driver, granting it deep access to system operations. To avoid raising suspicion, the driver is digitally signed using a stolen but valid certificate originally issued to Guangzhou Kingteller Technology Co., Ltd.

Although the certificate is outdated, it is still sufficient to make the driver appear legitimate to Windows and some endpoint security products, allowing it to load without triggering immediate alerts.


More Than a Loader: Full Rootkit Capabilities

According to researchers at Securelist, the malicious driver does far more than simply load the ToneShell backdoor. It functions as a full-fledged kernel rootkit, designed to protect the entire attack toolset from detection and removal.

The campaign was linked to earlier HoneyMyte operations based on the presence of additional known tools on victim systems, including:

  • ToneDisk USB-propagating worm

  • PlugX remote access trojan

  • Older variants of ToneShell


Kernel-Level Stealth Techniques

Once loaded, the rootkit performs several stealth operations:

  • Injects the ToneShell backdoor into a high-privilege svchost.exe process

  • Hides both the driver file and the malicious process from system listings

  • Hooks file system and registry operations so any attempt to delete, rename, or modify the driver or its service keys returns STATUS_ACCESS_DENIED at the kernel level

  • Alters the altitude of Microsoft Defender's WdFilter minifilter so that the rootkit's own filter sits deeper in the filter stack and can intercept and block security operations before Defender or other tools can act

These techniques effectively neutralize many endpoint detection and response (EDR) mechanisms.
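A defender can look for the altitude tampering described above directly in the registry, where every minifilter records its altitude. The following Python is an added illustration, not code from the Securelist report or from the rootkit: on a Windows host it reads `HKLM\SYSTEM\CurrentControlSet\Services\<service>\Instances\<instance>\Altitude` and compares the values against a baseline captured from a known-good machine. The baseline, the sample observation and the filter name `HypotheticalFilter` are constructed; the WdFilter value of 328010 is the altitude Microsoft allocates to it in its published list and should be confirmed against your own hosts before you rely on it.

```python
"""Minifilter altitude audit (added example; not code from the Securelist report).

Every minifilter registers its altitude under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<service>\\Instances\\<instance>\\Altitude
as a REG_SZ string such as "328010". Re-registering a filter at a different
altitude changes that value, which gives a defender a cheap integrity check.
"""
import sys

# Constructed baseline as it would be captured from a known-good host.
# WdFilter's 328010 is the altitude Microsoft allocates to it; confirm the
# figures for your own environment before relying on them.
KNOWN_GOOD = {
    "WdFilter": 328010.0,   # Microsoft Defender anti-malware minifilter
    "luafv": 135000.0,      # UAC file virtualization (Microsoft)
}


def read_altitudes_from_registry():
    """Return {service_name: altitude} for every minifilter registered on this
    Windows host. Only runs on Windows; winreg does not exist elsewhere."""
    import winreg
    altitudes = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as services:
        idx = 0
        while True:
            try:
                svc = winreg.EnumKey(services, idx)
            except OSError:
                break  # no more services
            idx += 1
            try:
                instances = winreg.OpenKey(services, svc + r"\Instances")
            except OSError:
                continue  # not a minifilter
            with instances:
                inst_idx = 0
                while True:
                    try:
                        inst = winreg.EnumKey(instances, inst_idx)
                    except OSError:
                        break
                    inst_idx += 1
                    try:
                        with winreg.OpenKey(instances, inst) as inst_key:
                            value, _ = winreg.QueryValueEx(inst_key, "Altitude")
                        altitudes[svc] = float(value)
                    except (OSError, ValueError):
                        pass  # instance without a usable Altitude value
    return altitudes


def audit_altitudes(current, baseline):
    """Compare observed altitudes with the baseline and return a list of findings.

    Flags a known filter whose altitude moved, a filter the baseline has never
    seen, and a baseline filter that has disappeared."""
    findings = []
    for name, alt in sorted(current.items()):
        if name in baseline:
            if baseline[name] != alt:
                findings.append(f"{name}: altitude changed {baseline[name]:.10g} -> {alt:.10g}")
        else:
            findings.append(f"{name}: unknown minifilter at altitude {alt:.10g}")
    for name in sorted(baseline):
        if name not in current:
            findings.append(f"{name}: baseline minifilter missing")
    return findings


# Constructed observation: WdFilter has moved and an unfamiliar filter appeared.
SAMPLE_OBSERVED = {
    "WdFilter": 328005.0,
    "luafv": 135000.0,
    "HypotheticalFilter": 328020.0,   # placeholder name, not from the report
}

if __name__ == "__main__":
    observed = read_altitudes_from_registry() if sys.platform == "win32" else SAMPLE_OBSERVED
    for line in audit_altitudes(observed, KNOWN_GOOD) or ["no altitude deviations"]:
        print(line)
```

Run it on a non-Windows machine and it audits the constructed sample; on Windows it reads the live registry. A rootkit that hooks registry reads could of course lie to this script too, which is why the baseline comparison is most useful when the registry hive is read offline, from a forensic image or a boot from trusted media.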


Rootkit-Driven Infection Workflow

The malicious driver embeds two shellcodes within its .data section:

1. Process Creation Shellcode

  • Creates a new svchost.exe instance

  • Writes the process ID to disk

  • Sets up shared event names and file paths for coordination

2. ToneShell Injection Shellcode

  • Injects the ToneShell backdoor into the newly created process

  • Adds the process to a protected process list, preventing other applications from obtaining handles to it

This ensures that the backdoor remains both persistent and inaccessible to security tools.


Command-and-Control Communication

Once active, ToneShell communicates with its command-and-control (C2) servers using:

  • Raw TCP connections over port 443

  • Fake TLS 1.3-like headers

  • XOR-encrypted payloads

This approach allows the malware traffic to blend in with legitimate HTTPS activity while avoiding full TLS implementations that could expose it to inspection.
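A fake TLS header on TCP/443 only looks like HTTPS until something checks that the bytes actually form a handshake. The Python below is an added example, not code from the report and not a ToneShell-specific signature: it parses the first record of a stream and cross-checks every length field a genuine ClientHello must satisfy, which a TLS-looking header followed by an opaque body does not. Both inputs are constructed in the block, the "real" one as a minimal TLS 1.3 ClientHello and the look-alike as a handshake header followed by XORed text.

```python
"""Structural check of a TLS ClientHello (added example; not from the report).

A backdoor that sends a TLS-looking record header over TCP/443 but never
performs a real handshake produces bytes that fail this check, while a
genuine client's first record parses cleanly. Sample inputs are constructed.
"""

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
LEGACY_VERSIONS = (0x0301, 0x0302, 0x0303)


def classify_first_record(data: bytes) -> tuple[bool, str]:
    """Return (True, note) if data starts with a well-formed ClientHello,
    otherwise (False, reason). Lengths are cross-checked at every level,
    which a spoofed header with an opaque body cannot satisfy."""
    if len(data) < 5:
        return False, "short record header"
    ctype = data[0]
    ver = int.from_bytes(data[1:3], "big")
    rlen = int.from_bytes(data[3:5], "big")
    if ctype != TLS_HANDSHAKE:
        return False, f"record type 0x{ctype:02x} is not handshake"
    if ver not in LEGACY_VERSIONS:
        return False, f"unexpected record version 0x{ver:04x}"
    body = data[5:5 + rlen]
    if len(body) != rlen:
        return False, "record length exceeds captured bytes"
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return False, "first handshake message is not ClientHello"
    if int.from_bytes(body[1:4], "big") != rlen - 4:
        return False, "handshake length inconsistent with record length"
    ch = body[4:]
    if len(ch) < 35 or int.from_bytes(ch[0:2], "big") not in LEGACY_VERSIONS:
        return False, "bad ClientHello legacy_version"
    pos = 34                       # skip legacy_version (2) + random (32)
    sid_len = ch[pos]
    pos += 1
    if sid_len > 32 or pos + sid_len > len(ch):
        return False, "bad session_id length"
    pos += sid_len
    if pos + 2 > len(ch):
        return False, "truncated before cipher_suites"
    cs_len = int.from_bytes(ch[pos:pos + 2], "big")
    pos += 2
    if cs_len < 2 or cs_len % 2 or pos + cs_len > len(ch):
        return False, "bad cipher_suites length"
    pos += cs_len
    if pos >= len(ch):
        return False, "truncated before compression_methods"
    cm_len = ch[pos]
    pos += 1
    if cm_len < 1 or pos + cm_len > len(ch):
        return False, "bad compression_methods length"
    pos += cm_len
    if pos == len(ch):
        return True, "well-formed ClientHello without extensions"
    if pos + 2 > len(ch):
        return False, "truncated extensions length"
    ext_len = int.from_bytes(ch[pos:pos + 2], "big")
    pos += 2
    if pos + ext_len != len(ch):
        return False, "extensions length inconsistent with ClientHello"
    return True, "well-formed ClientHello"


def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.3 ClientHello (one extension) for testing."""
    random = bytes(range(32))                  # fixed bytes, not real randomness
    cipher_suites = b"\x13\x01\x13\x02"          # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    supported_versions = b"\x00\x2b\x00\x03\x02\x03\x04"  # extension 43 advertising 0x0304
    body = (b"\x03\x03" + random + b"\x00"
            + len(cipher_suites).to_bytes(2, "big") + cipher_suites
            + b"\x01\x00"
            + len(supported_versions).to_bytes(2, "big") + supported_versions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed look-alike: a handshake record header followed by bytes that are
# merely XORed text, standing in for an opaque payload. The header alone looks
# like TLS; the body does not parse as a handshake.
_OPAQUE = bytes(b ^ 0x5A for b in b"constructed-opaque-payload-forty-bytes!!")
FAKE_TLS_SAMPLE = bytes([TLS_HANDSHAKE, 0x03, 0x03]) + len(_OPAQUE).to_bytes(2, "big") + _OPAQUE

if __name__ == "__main__":
    for label, sample in (("real ClientHello", build_client_hello()), ("look-alike", FAKE_TLS_SAMPLE)):
        print(label, classify_first_record(sample))
```

The check is deliberately narrow: it tells you whether the first record on a 443 connection is a plausible ClientHello, nothing more. A real TLS stack varies in which versions and extensions it sends, so in a production sensor the classifier would feed a score rather than a verdict, and the stronger signal is a stream whose header passes but whose body never progresses to a ServerHello and certificate exchange.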
