06/14/2023 | News release | Distributed by Public on 06/14/2023 04:57
If all conditions are fulfilled, it will begin the installation procedure and drop several files. These files are embedded in the dropper and are decrypted with XOR keys.
Dropped file | XOR key |
C:\users\public\update.pdf | update_key |
C:\users\public\last.pdf | last_key |
C:\users\public\waveedit.dll | waveedit_key |
C:\users\public\WaveeditNero.exe | WaveeditNero_key |
Table 2. The dropped files and the XOR keys used to decrypt them
After being dropped, WaveeditNero.exe will sideload waveedit.dll and decrypt the other two fake PDF files:
TONEDROP will set up a scheduled task for the process C:\users\public\documents\WinDbg(X64).exe, which will sideload C:\users\public\documents\libvlc.dll. Next, it will construct the malicious payload and run it in memory by passing it as the callback of the EnumDisplayMonitors API.
The C&C protocol of TONESHELL variant D
We discovered a new variant of TONESHELL that has a command-and-control (C&C) protocol request packet format as follows:
Field name | Size | Data |
magic | 0x3 | 17 03 03 |
size | 0x2 | The payload size |
payload | size | Payload |
Table 3. Contents of the sent data after encryption
The C&C protocol is similar to the ones used by PUBLOAD and other TONESHELL variants. We classified it as TONESHELL variant D because it also uses CoCreateGuid to generate a unique victim ID, which is akin to the older variants.
In the first handshake, the payload should be a 0x221-byte-long buffer carrying the encryption key and the unique victim ID. Table 4 shows the structure of the payload. Note that the fields type, victim_id, and xor_key_seed are encrypted with xor_key before the buffer is sent.
Field name | Size (hex) | Description |
xor_key | 0x200 | Key used to encrypt the traffic; this key is generated from xor_key_seed |
type | 0x1 | 0x08, a fixed value |
victim_id | 0x10 | A unique victim ID generated by CoCreateGuid |
xor_key_seed | 0x10 | A random seed generated by GetTickCount |
Table 4. Content of the sent data
We found that the malware saves the value of the victim_id to the file %USERPROFILE%\AppData\Roaming\Microsoft\Web.Facebook.config.
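The following parser, added here as an illustration rather than code from the report or the malware, decodes the Table 3 packet header and the Table 4 first-handshake payload so an analyst can pull the victim GUID out of a capture and compare it with the Web.Facebook.config artifact. It assumes a big-endian size field (matching the TLS record layout the 17 03 03 magic mimics) and that the three trailing fields are XORed byte-for-byte with the leading bytes of xor_key; the fixed type value 0x08 is used to validate that assumption.

```python
import os
import struct
import uuid

MAGIC = b"\x17\x03\x03"      # mimics a TLS 1.2 application-data record header
HANDSHAKE_LEN = 0x221        # 0x200 key + 0x1 type + 0x10 victim_id + 0x10 seed
EXPECTED_TYPE = 0x08         # fixed value from Table 4

def parse_packet(buf: bytes) -> bytes:
    """Strip the 5-byte header (magic + 2-byte size) and return the payload.
    Big-endian size is an assumption; the report does not state byte order."""
    if len(buf) < 5 or buf[:3] != MAGIC:
        raise ValueError("not a TONESHELL variant D packet")
    (size,) = struct.unpack(">H", buf[3:5])
    if len(buf) != 5 + size:
        raise ValueError(f"size field {size} != {len(buf) - 5} payload bytes")
    return buf[5:]

def parse_handshake(payload: bytes) -> dict:
    """Decode the first-handshake payload (Table 4). The trailing 0x21 bytes are
    assumed to be XORed with xor_key[0:0x21]; the fixed type byte checks that."""
    if len(payload) != HANDSHAKE_LEN:
        raise ValueError("not a first-handshake payload")
    xor_key = payload[:0x200]
    fields = bytes(b ^ k for b, k in zip(payload[0x200:], xor_key))
    rec = {
        "type": fields[0],
        # CoCreateGuid produces a Windows GUID, i.e. little-endian first fields
        "victim_id": str(uuid.UUID(bytes_le=fields[1:0x11])),
        "xor_key_seed": fields[0x11:0x21].hex(),
    }
    if rec["type"] != EXPECTED_TYPE:
        raise ValueError(f"type 0x{rec['type']:02x} != 0x08; key alignment assumption failed")
    return rec

def build_sample_packet(xor_key: bytes, victim_id: str, seed: bytes) -> bytes:
    """Construct a synthetic handshake packet for exercising the parser.
    This is constructed test input, not a real capture."""
    plain = bytes([EXPECTED_TYPE]) + uuid.UUID(victim_id).bytes_le + seed
    enc = bytes(b ^ k for b, k in zip(plain, xor_key))
    payload = xor_key + enc
    return MAGIC + struct.pack(">H", len(payload)) + payload

if __name__ == "__main__":
    pkt = build_sample_packet(os.urandom(0x200), str(uuid.uuid4()), os.urandom(16))
    print(parse_handshake(parse_packet(pkt)))
```

The decoded victim_id can be matched against the GUID stored in %USERPROFILE%\AppData\Roaming\Microsoft\Web.Facebook.config to tie network traffic to a specific host during an investigation.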