
Threat Group Cards: A Threat Actor Encyclopedia

Tool: TONEDEAF 2.0

Names: TONEDEAF 2.0
Category: Malware
Type: Reconnaissance, Backdoor, Tunneling, Info stealer, Exfiltration
Description: (Intezer) At first glance, “Client update.exe” seems like a completely new backdoor malware. However, further examination reveals it’s most likely a highly modified version of the previously seen TONEDEAF backdoor. TONEDEAF is a backdoor that communicates with its Command and Control server via HTTP in order to receive and execute commands. It was mentioned in FireEye’s recent report about an ongoing APT34 operation, as one of the group’s custom tools. We have named the new variant TONEDEAF 2.0.

TONEDEAF 2.0 is an advanced version of TONEDEAF, serving the same purpose as the original, but with a revamped C2 communication protocol and a substantially modified code base. In contrast to the original TONEDEAF, TONEDEAF 2.0 contains solely arbitrary shell execution capabilities, and doesn’t support any predefined commands. It’s also more stealthy and contains new tricks such as dynamic importing, string decoding, and a victim deception method.
Information: <https://intezer.com/blog/apt/new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/>

Last change to this tool card: 20 April 2020



All groups using tool TONEDEAF 2.0

Changed | Name                                   | Country | Observed

APT groups

X       | OilRig, APT 34, Helix Kitten, Chrysene | Iran    | 2014-Jan 2021

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
