Cybersecurity firm Group-IB successfully defended against a targeted attack by the Chinese state-sponsored Tonto Team, one of the world's most advanced persistent threat (APT) actors. Despite Tonto Team being known for its sophisticated techniques and ability to evade detection, Group-IB was able to detect and block the attack before any damage could be done.
According to a blog post by Group-IB, the company detected and blocked malicious phishing emails originating from Tonto Team that were targeting its employees. The attack took place in June 2022 and was the second attack aimed at Group-IB, the first of which took place in March 2021.
Group-IB describes Tonto Team:
"Tonto Team (aka HeartBeat, Karma Panda, CactusPete, Bronze Huntley, Earth Akhlut) is a cyber espionage threat actor that is believed to originate from China. The threat actor has been targeting government, military, energy, financial, educational, healthcare, and technology sector companies since 2009. Initially focusing on Asia Pacific (South Korea, Japan, Taiwan), and the United States, by 2020, the group had expanded its operations to Eastern Europe."
The group is known for using spear-phishing lures containing malicious attachments created using the Royal Road Rich Text Format (RTF) exploitation toolkit to drop backdoors such as Bisonal, Dexbia, and ShadowPad (aka PoisonPlug). The group has also been observed using legitimate corporate email addresses, obtained through phishing, to send emails to other users.
Here are some of the key findings from Group-IB:
- "In June 2022, the Group-IB Managed XDR solution detected and blocked an attempt to deliver a malicious email to Group-IB's employees."
- "The attackers used phishing emails to deliver malicious Microsoft Office documents created with the Royal Road Weaponizer, a tool widely used by Chinese nation-state threat actors."
- "During the attack, Group-IB researchers noticed the use of the Bisonal.DoubleT backdoor. Bisonal.DoubleT is a unique tool developed by the Tonto Team APT."
- "The attackers used a new downloader that Group-IB analysts named TontoTeam.Downloader (aka QuickMute)."
Bisonal.DoubleT provides remote access to an infected computer and allows an attacker to execute various commands on it, including collecting information about the compromised host, getting a list of processes, stopping a particular process, getting remote access to a command shell, downloading a file from the control server and running it, and creating a file on a disk using the local language encoding.
Group-IB was able to detect and block the attack by conducting a dynamic comparison analysis of the sample obtained in the attack with other samples in the Bisonal.DoubleT malware family and by reviewing its whole Group-IB Managed XDR database of neutralized malicious mailings.
The cybersecurity firm discusses the failed Tonto Team attack:
"The main goal of Chinese APTs are espionage and intellectual property theft. Undoubtedly, Tonto Team will keep probing IT and cybersecurity companies by leveraging spear phishing to deliver malicious documents using vulnerabilities with decoys specially prepared for this purpose.
Successful supply chain attacks against IT and cybersecurity companies give attackers access to a large number of victims' customers and partners. Therefore, organizations in these sectors need to stay up to date with ever-evolving tools, tactics, and methods of threat actors and employ Group-IB Managed XDR for advanced threat detection and response. This solution proved its efficiency in preventing the alleged Tonto Team attack on the Group-IB's employees."
Tonto Team will likely continue to target IT and cybersecurity companies through spear-phishing and the delivery of malicious documents using vulnerabilities and decoys. However, companies like Group-IB are staying ahead of these threats by implementing effective cybersecurity measures and keeping up-to-date with the latest tactics used by APT actors.
Subscribe to SecureWorld News for more stories related to cybersecurity.