TONEDEAF Removal Guide

Do you know what TONEDEAF is?

TONEDEAF is a Trojan infection that is created to collect information about the infected system. It functions as a backdoor, and it usually targets various organizations and institutions. In other words, it is very unlikely that this infection will reach regular users, but if that happens, you should be ready to tackle this intruder.

You can find the manual removal instructions at the bottom of this description. If manual backdoor removal is not something you would like to do on your own, you can always choose to remove TONEDEAF with a reliable security tool.

Although there are a lot of random infections out there that can be really obscure about their origins, we know more than enough about TONEDEAF. This infection is created by the Iranian threat actor APT34. Some researchers also call it a cyber espionage group. The group manages to trick users into downloading and installing TONEDEAFbecause they pose as members of Cambridge University. The name of the university brings familiarity and trust, and thus, it makes it easier to trick users into interacting with the malicious content.

The entire campaign that spreads and distributes TONEDEAF is thought to have been launched on June 2019, although APT34 is said to have been active since 2014. This group is known to use social engineering tricks to lure their victims into downloading dangerous infections. So, using academia or job offer messages to spread Trojans isn’t anything new to them.

In this case, the group is using LinkedIn network invitations to distribute dangerous documents that install TONEDEAF on target computers. The messages that users receive look like a notification from someone who has been working on an MS Excel sheet, and the person is asking to check whether the document is alright. The document is attached in the download link that comes with the message. Needless to say, if users download this document and launch it, they download TONEDEAF on their systems.

In order for this backdoor to settle down on the target system, macros have to be enabled. So, before users open the downloaded ERFT-Details.xls file, they will probably receive a prompt telling them that they have to enable macros (provided they haven’t been enabled before). This is another big red flag because macros are often used to distribute malware. If some file you have recently downloaded literally screams at you that you need to enable macros, there is a good chance that the file is a malware installer.

Once this infection enters the target system, it drops another System.doc file in the %USERPROFILE% directory. Research also shows that later on that file is renamed to System Manager.exe. Aside from dropping additional files, the backdoor also connects to a remote command and control center (C2) behind your back. Through this connection, the infection receives further instructions on what it should do.

For the most part, TONEDEAF is used to spy on the infected system. It can collect information on the system; store the collected data somewhere on the affected computer and, when the time comes, upload the log file to the remote server, giving the sensitive information away to the cybercriminals.

TONEDEAF can also download files and execute shell commands, so it is hard to say what exactly it would do to the target system because the scope of its functions may vary. However, a backdoor infection usually provides access to the compromised system, and since TONEDEAF can download files, it wouldn’t be surprising if, in the long run, this program would infect its victims with other types of malware. Especially, as we know that this threat actor distributes more malicious infections than just this one backdoor.

Hence, the sooner victims remove TONEDEAF from their systems, the better. While it is possible to terminate the infection manually, it is far more efficient to delete it automatically. An automatic malware removal tool would also locate all the malicious files that were dropped by the backdoor, and it would help to remove them all for good.

Please consider educating yourself and your employees or colleagues about potential cybersecurity threats, so that you could avoid TONEDEAF and other dangerous infections in the future. Relying on a licensed security tool alone would not be enough to stop these intruders.

How to Remove TONEDEAF

  1. Press Win+R and the Run prompt will open.
  2. Type %USERPROFILE% into the Open box. Click OK.
  3. Navigate to .templates.
  4. Remove the System.doc and System Manager.exe files.
  5. Delete the ERFT-Details.xls from the Downloads folder.
  6. Use SpyHunter to scan your PC.

In non-techie terms:

TONEDEAF targets various institutions and government organizations with the intention to collect sensitive information. You may need to run a full system scan with a security tool to determine whether you have been infected with this backdoor or not. If you have this infection on-board, remove TONEDEAF at once, and then safeguard your system against similar intruders. You may need to discuss this with your security specialists if the backdoor entered a corporate computer system.