A Chinese-linked threat group tracked as HoneyMyte (also known as Mustang Panda or Bronze President) is using a new kernel-mode rootkit to hide its ToneShell backdoor. The campaign has mainly targeted government networks in Southeast and East Asia, with Myanmar and Thailand the most affected. Its objective appears to be long-term espionage rather than financial gain.
The attack chain begins with a malicious driver disguised as “ProjectConfiguration.sys”. It is dropped onto already compromised Windows systems and loaded as a file system minifilter driver. To pass as legitimate with the operating system and with some security tools, the driver is signed with an old, stolen certificate issued to Guangzhou Kingteller Technology Co., Ltd. Researchers writing on Securelist (Kaspersky’s research blog) detailed how the driver both loads the ToneShell backdoor and shields the whole toolkit from security scans.
The researchers have linked this ongoing campaign to previous HoneyMyte activities. This association is based on the frequent co-occurrence of other tools attributed to the group within victim environments. These often include the ToneDisk USB worm, PlugX, and earlier versions of the ToneShell backdoor, suggesting a persistent and evolving threat actor.
Rootkit-Driven Infection and Stealth
Once loaded, the driver injects the ToneShell backdoor into a high-privilege svchost.exe process and then hides both itself and the injected process by hooking file and registry operations. Any attempt to delete or rename the driver file, or to modify its service registry keys, is answered with STATUS_ACCESS_DENIED from the kernel, which defeats manual removal.
The rootkit also tampers with the altitude of Microsoft Defender’s WdFilter minifilter. A minifilter’s altitude fixes its position in the filter stack and therefore the order in which filters see each I/O operation. By repositioning its own filter relative to WdFilter, the rootkit can observe and intercept file operations before Defender and other filter-based engines handle them, which considerably blunts their ability to detect it.
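Defenders can catch this kind of altitude tampering by comparing the minifilter stack of a suspect host against a known-good baseline. The script below is an added example, not code from the report or from the rootkit: it parses `fltmc filters` output and reports filters whose altitude moved, filters that disappeared, and filters that were never in the baseline. Both listings are constructed; the WdFilter altitude of 328010 is assumed from Microsoft’s published altitude allocation and the altitudes in the suspect listing are illustrative rather than values observed in the malware, so verify the baseline against a clean host in your own environment.

```python
"""Baseline comparison of loaded minifilters to catch altitude tampering.

Added example, not code from the Securelist report or from the rootkit.
The sample `fltmc filters` listings are constructed; the WdFilter altitude
328010 is ASSUMED from Microsoft's published allocation list.
"""
import re
import subprocess

# Matches the data rows of `fltmc filters`: name, instance count, altitude, frame.
# The header ("Filter Name ...") and the dashed separator line do not match.
_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")

# Constructed known-good snapshot (altitudes assumed; confirm locally).
BASELINE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
WdFilter                                3       328010         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
FileInfo                                3        40500         0
"""

# Constructed suspect snapshot: WdFilter's altitude has been altered and an
# unexpected filter named after the malicious driver has appeared.
# The altitude values here are illustrative, not taken from the malware.
SUSPECT_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
WdFilter                                3       328020         0
ProjectConfiguration                    3       328010         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
FileInfo                                3        40500         0
"""


def parse_fltmc(text):
    """Return {filter_name: altitude_string} from `fltmc filters` output."""
    filters = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            filters[m.group(1)] = m.group(3)
    return filters


def compare_filters(current, baseline):
    """Diff two snapshots. Each finding is (kind, filter_name, detail)."""
    findings = []
    for name, alt in baseline.items():
        if name not in current:
            findings.append(("missing_filter", name, f"expected at altitude {alt}"))
        elif current[name] != alt:
            findings.append(("altitude_changed", name, f"{alt} -> {current[name]}"))
    for name, alt in current.items():
        if name not in baseline:
            findings.append(("unknown_filter", name, f"loaded at altitude {alt}"))
    return findings


def stack_order(current):
    """Filter names from the top of the stack (highest altitude; Filter Manager
    runs pre-operation callbacks highest altitude first) down to the filter
    closest to the file system (lowest altitude)."""
    return sorted(current, key=lambda n: float(current[n]), reverse=True)


def snapshot_live():
    """Capture the running host. Windows only; needs an elevated shell."""
    return subprocess.run(["fltmc", "filters"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    base = parse_fltmc(BASELINE_FLTMC)
    cur = parse_fltmc(SUSPECT_FLTMC)
    for kind, name, detail in compare_filters(cur, base):
        print(f"{kind:17} {name:22} {detail}")
    print("stack order:", " > ".join(stack_order(cur)))
```

In production, replace `SUSPECT_FLTMC` with `snapshot_live()` and keep the baseline per OS build; altitudes of Microsoft’s own filters are stable across a build, so any change to WdFilter’s value, or a new name in the 320000–329999 anti-virus range, deserves a look.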
The driver carries two shellcodes in its .data section. The first spawns a new svchost.exe instance, writes that process’s ID to disk, and sets up the shared event names and file paths the backdoor will use. The second is the ToneShell backdoor itself, which is injected into that svchost.exe process and added to the rootkit’s protected-process list so that security tools cannot obtain a handle to it.
Once running, ToneShell talks to its command-and-control (C2) servers over raw TCP on port 443. To blend in, each message is framed to look like a TLS 1.3 record: a short header followed by an XOR-encrypted payload, with no real TLS session underneath. That is enough to slip past network devices that classify traffic by port or by record header alone.
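The following is an added example, not ToneShell’s code, showing what such mimicry looks like on the wire and one cheap heuristic for catching it. The report does not give the exact header layout or XOR key, so the code assumes the standard five-byte TLS record header (content type, version 0x0303, length) and a constructed repeating XOR key. The detection side relies on a property the mimicry cannot fake without a real handshake: a genuine TLS connection starts with a handshake record (ClientHello, content type 0x16), whereas a bare application_data record (0x17) as the client’s first bytes has no legitimate explanation.

```python
"""Framing and heuristic detection of fake TLS records carrying an XOR payload.

Added example, not ToneShell's code. Header layout and the XOR key are
ASSUMPTIONS; the report only states that the traffic imitates a TLS 1.3 record
with a simple header and an XOR-encrypted payload.
"""
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
LEGACY_VERSION = 0x0303   # TLS 1.3 records still carry 0x0303 for middlebox compatibility
MAX_RECORD_LEN = 0x4800   # generous upper bound on a ciphertext record (2^14 + expansion)

# Constructed: the first ten bytes a real client sends (record type 0x16,
# version 0x0301, handshake type 0x01 = ClientHello). Not a full ClientHello.
CONSTRUCTED_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"


def xor_bytes(data, key):
    """XOR `data` with a repeating `key` (symmetric, so it also decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def frame_fake_record(payload, key):
    """Wrap an XOR-encrypted payload in a header that looks like a TLS
    application_data record: type 0x17, version 0x0303, 16-bit length."""
    body = xor_bytes(payload, key)
    return struct.pack(">BHH", TLS_APPLICATION_DATA, LEGACY_VERSION, len(body)) + body


def parse_records(stream):
    """Split a byte stream into (content_type, version, body) tuples.
    Parsing stops at the first truncated record, which is simply dropped."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack(">BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records


def unframe(stream, key):
    """Recover the plaintext payloads from every application_data record."""
    return [xor_bytes(body, key)
            for ctype, _, body in parse_records(stream)
            if ctype == TLS_APPLICATION_DATA]


def classify_stream(client_bytes):
    """Classify the first bytes a client sends on a new connection.

    "tls"     : opens with a handshake record, as a real session must
    "mimic"   : a well-formed TLS header but application data (or an alert/
                change_cipher_spec) with no handshake in front of it
    "not-tls" : does not even look like a TLS record header
    """
    if len(client_bytes) < 5:
        return "not-tls"
    ctype, version, length = struct.unpack(">BHH", client_bytes[:5])
    if ctype not in TLS_CONTENT_TYPES or (version >> 8) != 0x03 or length > MAX_RECORD_LEN:
        return "not-tls"
    if ctype == TLS_HANDSHAKE:
        return "tls"
    return "mimic"


if __name__ == "__main__":
    key = b"\x5a\xa5"  # hypothetical key, not the backdoor's
    wire = frame_fake_record(b"beacon-1", key) + frame_fake_record(b"ok", key)
    print(wire.hex())
    print(unframe(wire, key), classify_stream(wire))
    print(classify_stream(CONSTRUCTED_CLIENT_HELLO_PREFIX))
```

This check is a first-packet heuristic and needs the client-to-server direction of the flow; a sensor that only sees the server side, or that starts capturing mid-connection, cannot apply it. It complements, rather than replaces, JA3/JA4-style fingerprinting, which will also fail to produce a fingerprint here precisely because no ClientHello is ever sent.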
The sophisticated nature of this attack, particularly the implementation of a kernel-level rootkit for stealth, signifies a notable escalation in the HoneyMyte group’s operational capabilities. This development underscores the growing importance of robust memory forensics and rootkit-aware detection mechanisms for safeguarding high-value government networks against such advanced persistent threats.
The ongoing evolution of HoneyMyte’s techniques suggests a continued focus on leveraging deep system access for espionage. Organizations targeted by this group, particularly in the affected regions, will need to prioritize enhanced endpoint detection and response (EDR) solutions and regular security audits that specifically address kernel-level threats. The attribution to a Chinese-linked threat group indicates a potential state-sponsored intelligence gathering operation, which often implies long-term objectives and significant resources dedicated to maintaining access and evading detection.