Tonto Team, a China-aligned threat actor, has been observed using anti-malware product related files to carry out attacks. The threat group is targeting construction, education, diplomatic, and political institutions in South Korea, and distributing the Bisonal malware.
What’s the attack methodology?
In November 2022, the Bisonal malware was spotted spreading in the wild in a Microsoft Compiled HTML Help (CHM) file. That is when it was first associated with the Tonto Team. Recently ASEC released a report on a new attack.
The recent attack begins with a Microsoft Compiled HTML Help (CHM) file running a binary to side-load a DLL (slc[.]dll).
It launches an open-source VBScript backdoor (ReVBShell), known to be used by another Chinese actor Tick.
Subsequently, the ReVBShell downloads a second executable, a genuine Avast software configuration file to side-load a second rogue DLL, leading to the deployment of Bisonal.
But, who’s Tonto Team?
Tonto Team, active since 2009, is known for targeting different sectors across Asia and Eastern Europe.
Tonto Team has been involved in the propagation of the CHM malware in Korea since 2021. Further, the threat group has been changing its methods in different ways to bypass detection.
In all the attacks, the steps until the ReVBShell file is used to receive the attackers’ commands remain the same. However, the later stages have been gradually changing, including the malware type that is downloaded.
Tonto Team has carried out two attacks on cybersecurity firm Group-IB, in June 2022 and March 2021. It used phishing emails laden with Office documents deploying Bisonal.
Stay safe
The Tonto Team is continuously evolving its tactics to stay under the radar. The users must check the senders of emails and refrain from opening files from unknown sources. For additional protection, make sure to update the OS and software with the latest security patches.