The advanced persistent threat (APT) actor known as Tonto Team carried out an unsuccessful attack on cybersecurity firm Group-IB in June 2022.
The Singapore-headquartered company said that it detected and blocked malicious phishing emails originating from the group targeting its employees. It is also the second attack aimed at Group-IB, the first of which took place in March 2021.
Tonto Team, also referred to as Bronze Huntley, Cactus Pete, Earth Akhlut, Karma Panda, and UAC-0018, is a suspected Chinese hacking group that has been linked to attacks targeting a wide range of organizations in Asia and Eastern Europe.
The actor is known to have been active since at least 2009 and is said to share ties to the Third Department (3PLA) of the People's Liberation Army's Shenyang TRB (Unit 65016).
Attack chains involve spear-phishing lures containing malicious attachments created using the Royal Road Rich Text Format (RTF) exploitation toolkit to drop backdoors such as Bisonal, Dexbia, and ShadowPad (aka PoisonPlug).
"A slightly different method [...] used by this threat actor in the wild is the use of legitimate company email addresses, likely obtained by phishing, to send emails to other users," Trend Micro disclosed in 2020. "The use of these legitimate emails increases the chances of the victims clicking on the attachment, infecting their machines with malware."
The adversarial collective, in March 2021, also emerged as one of the threat actors to exploit the ProxyLogon flaws in Microsoft Exchange Server to strike cybersecurity and shopping companies based in Eastern Europe.
Coinciding with Russia's military invasion of Ukraine last year, Tonto Team was observed targeting Russian scientific and technical enterprises and government agencies with the Bisonal malware.
The attempted attack on Group-IB is no different in that the threat actor leveraged phishing emails to distribute malicious Microsoft Office documents created with the Royal Road weaponizer to deploy Bisonal.
"This malware provides remote access to an infected computer and allows an attacker to execute various commands on it," researchers Anastasia Tikhonova and Dmitry Kupin said in a report shared with The Hacker News.
Also employed is a previously undocumented downloader called QuickMute by the Computer Emergency Response Team of Ukraine (CERT-UA), which is primarily responsible for retrieving next-stage malware from a remote server.
"The main targets of Chinese APTs are espionage and intellectual property theft," the researchers said. "Undoubtedly, Tonto Team will keep probing IT and cybersecurity companies by leveraging spear-phishing to deliver malicious documents using vulnerabilities with decoys specially prepared for this purpose."