The notorious China-backed threat group Tonto Team has been using anti-malware product-related archives to carry out its operations. Based on reports, the threat actors are targeting various South Korean entities in their current campaign.
The sectors confirmed to be targeted in the current attacks are education, diplomatic, construction, and political institutions. Researchers have observed the group spreading the Bisonal malware in these attacks.
The Tonto Team has recently spread the Bisonal malware through CHM files.
Last year, the Tonto Team distributed the Bisonal malware to its targets via Microsoft Compiled HTML Help (CHM) files. That incident is the first significant attack the Tonto Team executed, aside from the current abuse of anti-malware files.
The latest attack, by contrast, starts with an MS Compiled HTML Help file that runs a binary to sideload a DLL. The chain then deploys ReVBShell, an open-source VBScript backdoor that is a well-known tool of another Chinese threat group.
ReVBShell then downloads a second executable, an Avast software configuration file, which is used to sideload a second rogue DLL that ultimately launches the Bisonal malware.
This China-affiliated threat group has been active for more than a decade. Tonto Team is well known for targeting a range of industries in Asia and Europe, and it has also taken part in spreading CHM malware in Korea.
Furthermore, the group has been altering its attack tactics to bypass security detections. In its recent attacks, its malware has used the ReVBShell file to retrieve its commands. However, the final phase of these campaigns has been changing recently; the first change the researchers noticed is that the group began downloading other malware strains.
Tonto Team carried out a couple of attacks between June last year and March 2021. In those campaigns, the group used phishing emails containing Office documents laden with Bisonal malware.
This Chinese threat group has upgraded its TTPs over the years. Cybersecurity experts advise users to verify the senders of unsolicited emails and to avoid opening files from unknown sources. This behaviour helps mitigate such attempts by threat groups like Tonto Team.