What’s new
Mustang Panda, a China-aligned threat actor, has deployed a new USB worm named SnakeDisk, which targets devices with Thailand-based IP addresses. This worm drops the Yokai backdoor, allowing attackers to establish a reverse shell for executing commands. The updated TONESHELL backdoor is also being utilized, with variants supporting proxy communication to evade detection.
Who’s affected
Organizations and individuals in Thailand are particularly at risk, as the SnakeDisk worm is geofenced to execute only on public IP addresses located in Thailand. The threat actor has been active since at least 2012 and has a history of targeting various regions in Asia.
What to do
- Implement strict USB device policies to prevent unauthorized devices from connecting to networks.
- Monitor network traffic for unusual connections, especially from devices with Thailand-based IP addresses.
- Educate users about the risks of executing unknown files from USB drives.
- Utilize endpoint protection solutions that can detect and block malicious USB activity.



