Feb 13, 2023 | Ravie Lakshmanan
The advanced persistent threat (APT) actor known as Tonto Team carried out an unsuccessful attack on cybersecurity company Group-IB in June 2022.

The Singapore-headquartered firm said[1] that it detected and blocked malicious phishing emails originating from the group targeting its employees. It's also the second attack aimed at Group-IB, the first of which took place in March 2021.

Tonto Team, also called Bronze Huntley, Cactus Pete[2], Earth Akhlut, Karma Panda, and UAC-0018, is a suspected Chinese hacking group that has been linked to attacks targeting a wide range of organizations in Asia and Eastern Europe.

The actor has been active since at least 2009 and is said to share ties[3] to the Third Department (3PLA[4]) of the People's Liberation Army's Shenyang TRB (Unit 65016[5]).

Attack chains involve spear-phishing lures containing malicious attachments created using the Royal Road Rich Text Format (RTF) exploitation toolkit to drop backdoors like Bisonal, Dexbia, and ShadowPad[6] (aka PoisonPlug).

"A slightly different method [...] used by this threat actor in the wild is the use of legitimate corporate email addresses, most likely obtained by phishing, to send emails to other users," Trend Micro disclosed[7] in 2020. "The use of these legitimate emails increases the chances of the victims clicking on the attachment, infecting their machines with malware."

The adversarial collective, in March 2021, also emerged as one of the threat actors to exploit the ProxyLogon flaws[8] in Microsoft Exchange Server to strike cybersecurity and procuring companies based in Eastern Europe.

Coinciding with Russia's military invasion of Ukraine last year, the Tonto Team was observed targeting[9] Russian scientific and technical enterprises and government agencies with the Bisonal malware.

The attempted attack on Group-IB is no different in that the threat actor leveraged phishing emails to distribute malicious Microsoft Office documents created with the Royal Road weaponizer to deploy Bisonal.

"This malware provides remote access to an infected computer and allows an attacker to execute various commands on it," researchers Anastasia Tikhonova and Dmitry Kupin said in a report shared with The Hacker News.

Also employed is a previously undocumented downloader referred to as QuickMute[10] by the Computer Emergency Response Team of Ukraine (CERT-UA), which is primarily responsible for retrieving next-stage malware from a remote server.

"The main goals of Chinese APTs are espionage and intellectual property theft," the researchers said. "Undoubtedly, Tonto Team will keep probing IT and cybersecurity companies by leveraging spear-phishing to deliver malicious documents using vulnerabilities with decoys specially prepared for this purpose."
References
- [1] said (www.group-ib.com)
- [2] Cactus Pete (securelist.com)
- [3] share ties (www.uscc.gov)
- [4] 3PLA (en.wikipedia.org)
- [5] Unit 65016 (www.uscc.gov)
- [6] ShadowPad (thehackernews.com)
- [7] disclosed (vb2020.vblocalhost.com)
- [8] ProxyLogon flaws (thehackernews.com)
- [9] targeting (thehackernews.com)
- [10] QuickMute (cert.gov.ua)
- [11] Twitter (twitter.com)
- [12] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/02/chinese-tonto-team-hackers-second.html