Group-IB Blocks Attack By Chinese Tonto Team Hackers

Cyber security company Group-IB has revealed that in June 2022 it detected and blocked emails carrying malicious attachments sent by the Tonto Team threat group.

In an advisory released today, the company disclosed that the threat actors used phishing emails to deliver malicious Microsoft Office documents built with the Royal Road weaponizer, a tool Group-IB associates with Chinese state-sponsored threat actors.

“During the attack, Group-IB researchers noticed the use of the Bisonal.DoubleT backdoor. […] is a proprietary tool developed by the Tonto Team APT,” reads a technical article by Anastasia Tikhonova, Head of Advanced Persistent Threat (APT) Research at Group-IB, and Dmitry Kupin, Senior Malware Analyst.

According to the researchers, Tonto Team has targeted organizations in the government, military, energy, finance, education, healthcare, and technology sectors since 2009.

“Initially, the group focused on the Asia-Pacific region (South Korea, Japan, Taiwan) and the United States, but by 2020 it had expanded its activities to Eastern Europe,” write Tikhonova and Kupin.

Regarding the June 2022 attack on Group-IB, the company said the malicious files attached to the emails it received were decoy Rich Text Format (RTF) files containing an encoded malicious payload.

“The decrypted payload was a malicious EXE file. […] This can be classified as the Bisonal.DoubleT backdoor. This malware provides remote access to infected computers and allows attackers to execute various commands on them,” Group-IB explained.

These commands include gathering information about the compromised host, listing running processes, terminating a specific process, opening a remote command shell, downloading and executing files from the command-and-control server, and writing files to disk.
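The attack chain described above (phishing email, decoy RTF carrying an encoded payload, payload decoding to a Windows executable) suggests a first-pass triage check a mail-security or IR team can run on RTF attachments before they reach a user. The following script is an added example, not Group-IB's tooling and not code from the advisory. It assumes the payload is carried as hex-encoded RTF object data (the standard `\objdata` convention for embedded OLE objects); the advisory says only "encoded", so that is an assumption. The RTF samples are constructed inline for the demonstration; the "executable" is a few placeholder bytes beginning with an MZ header, not a real binary.

```python
import re
from dataclasses import dataclass

# Constructed sample (not a real sample from the incident): a minimal RTF
# with an embedded OLE object whose hex-encoded \objdata begins with an
# MZ (PE) header followed by placeholder bytes.
SUSPICIOUS_RTF = (
    r"{\rtf1\ansi\deff0 {\fonttbl{\f0 Calibri;}}"
    r"\pard Quarterly report, see attached figures.\par "
    r"{\object\objemb{\*\objclass Package}{\*\objdata "
    "4d5a90000300000004000000ffff0000"
    "b800000000000000400000000000000000"
    "}}"
    r"}"
)

# Constructed benign document with no embedded object for comparison.
BENIGN_RTF = r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\pard Hello from the team.\par}"

# A run of at least 32 hex-encoded bytes (RTF may break long hex runs across
# lines, so whitespace between byte pairs is tolerated).
HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}\s*){32,}")


@dataclass
class EmbeddedBlob:
    offset: int        # byte offset of the hex run inside the RTF
    data: bytes        # decoded bytes
    looks_like_pe: bool  # decoded data starts with the "MZ" DOS header


def extract_hex_blobs(rtf: bytes, min_bytes: int = 32) -> list[EmbeddedBlob]:
    """Find and decode long hex runs, which is how RTF carries \\objdata."""
    blobs = []
    for match in HEX_RUN.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(0))
        if len(hexstr) % 2:          # drop a dangling nibble rather than fail
            hexstr = hexstr[:-1]
        data = bytes.fromhex(hexstr.decode("ascii"))
        if len(data) < min_bytes:
            continue
        blobs.append(EmbeddedBlob(match.start(), data, data[:2] == b"MZ"))
    return blobs


def triage_rtf(rtf: bytes) -> dict:
    """Return simple indicators for an RTF attachment.

    'suspicious' is set when any decoded blob begins with an MZ header,
    i.e. the document carries what looks like a Windows executable.
    """
    blobs = extract_hex_blobs(rtf)
    return {
        "has_embedded_object": b"\\object" in rtf,
        "blob_count": len(blobs),
        "pe_blob_count": sum(1 for b in blobs if b.looks_like_pe),
        "suspicious": any(b.looks_like_pe for b in blobs),
    }


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(doc.encode("ascii")))
```

This is deliberately a cheap structural check, not a replacement for sandboxing: a weaponized document may hide its payload behind a further encoding layer or an exploit stage rather than a plain MZ blob, so a clean result here only means the attachment did not trip this one indicator.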

The researchers also performed a dynamic side-by-side analysis of the 2022 sample against earlier samples of the Bisonal.DoubleT malware family and found a number of similarities.

During the investigation, Group-IB reviewed its entire Group-IB Managed XDR database of neutralized malicious emails and discovered that Tonto Team had already targeted Group-IB employees in the summer of 2021. The June 2022 email was therefore the group's second attempt against the company.

“The main purpose of Chinese APTs is espionage and intellectual property theft,” said Group-IB. “Undoubtedly, the Tonto Team has used spear phishing to target IT and cybersecurity companies by delivering malicious documents that exploit vulnerabilities, with decoys specially prepared for this purpose. We will continue to investigate.”

A Chinese threat actor was also recently spotted by Palo Alto Networks targeting the Iranian government.
