Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs
Sep 15, 2025 · Ravie Lakshmanan · Malware / Network Security

What’s new
Mustang Panda, a China-aligned threat actor, has deployed a new USB worm named SnakeDisk, which is geofenced to execute only on devices with Thailand-based IP addresses. This worm delivers the Yokai backdoor, which establishes a reverse shell for executing commands. The updated TONESHELL backdoor is also being utilized, with new variants supporting proxy communication and evasion techniques.
Who’s affected
Organizations and individuals in Thailand are the primary targets of this malware, particularly those using USB devices from which the SnakeDisk worm may be inadvertently executed.
What to do
- Implement strict USB device policies to prevent unauthorized devices from connecting to networks.
- Monitor network traffic for unusual connections, especially from devices geolocated to Thailand.
- Educate users about the risks of connecting unknown USB devices and executing unknown files.