
The Advanced Persistent Threat (APT) actor known as Tonto Team carried out an unsuccessful attack against cybersecurity firm Group-IB in June 2022.
The Singapore-based company says it detected and blocked malicious phishing emails originating from the group and targeting its employees. This is the second attack aimed at Group-IB, with the first coming in March 2021.
Tonto Team, also known as Bronze Huntley, Cactus Pete, Earth Akhlut, Karma Panda, and UAC-0018, is a Chinese hacking group suspected of being linked to attacks targeting various organizations in Asia and Eastern Europe.
The actor is known to have been active since at least 2009 and is said to be associated with the 3rd Division (3PLA) of the Chinese People’s Liberation Army’s Shenyang TRB (Unit 65016).
The attack chain included spear-phishing lures with malicious attachments crafted using the Royal Road Rich Text Format (RTF) exploit toolkit to drop backdoors such as Bisonal, Dexbia and ShadowPad (aka PoisonPlug).
“A slightly different way […] what this threat actor actually uses is to send emails to other users using legitimate corporate email addresses, likely obtained through phishing,” Trend Micro revealed in 2020. “Clicking on the attachment will infect the machine with malware.”

The adversary group also emerged as one of the threat actors in March 2021 exploiting the ProxyLogon flaw in Microsoft Exchange Server to attack cybersecurity and procurement companies based in Eastern Europe.
Coinciding with Russia’s military invasion of Ukraine last year, the Tonto team was observed targeting Russian tech companies and government agencies with Bisonal malware.
The attempted attack on Group-IB is no different, in that the attackers used phishing emails to distribute malicious Microsoft Office documents created with the Royal Road weaponizer to deploy Bisonal.
“This malware provides remote access to an infected computer and allows attackers to execute various commands on that computer,” researchers Anastasia Tikhonova and Dmitry Kupin said in a report shared with The Hacker News.
The attack also used a previously undocumented downloader called QuickMute, which has since been documented by the Computer Emergency Response Team of Ukraine (CERT-UA).
“Chinese APTs are primarily aimed at espionage and intellectual property theft,” said the researchers. “Undoubtedly, the Tonto Team used spear phishing to harass IT and cybersecurity companies by delivering malicious documents using vulnerabilities with decoys specially prepared for this purpose. We will continue to investigate.”