The advanced persistent threat (APT) actor known as Tonto Team carried out an unsuccessful attack on cybersecurity company Group-IB in June 2022.
The Singapore-headquartered firm said that it detected and blocked malicious phishing emails originating from the group targeting its employees. It’s also the second attack aimed at Group-IB, the first of which took place in March 2021.
Tonto Team, also called Bronze Huntley, Cactus Pete, Earth Akhlut, Karma Panda, and UAC-0018, is a suspected Chinese hacking group that has been linked to attacks targeting a wide range of organizations in Asia and Eastern Europe.
The actor is known to be active since at least 2009 and is said to share ties to the Third Department (3PLA) of the People’s Liberation Army’s Shenyang TRB (Unit 65016).
Attack chains involve spear-phishing lures containing malicious attachments created using the Royal Road Rich Text Format (RTF) exploitation toolkit to drop backdoors like Bisonal, Dexbia, and ShadowPad (aka PoisonPlug).
“A slightly different method […] used by this threat actor in the wild is the use of legitimate corporate email addresses, most likely obtained by phishing, to send emails to other users,” Trend Micro disclosed in 2020. “The use of these legitimate emails increases the chances of the victims clicking on the attachment, infecting their machines with malware.”
The adversarial collective, in March 2021, also emerged as one of the threat actors to exploit the ProxyLogon flaws in Microsoft Exchange Server to strike cybersecurity and procuring companies based in Eastern Europe.
Coinciding with Russia’s military invasion of Ukraine last year, the Tonto Team was observed targeting Russian scientific and technical enterprises and government agencies with the Bisonal malware.
The attempted attack on Group-IB is no different in that the threat actor leveraged phishing emails to distribute malicious Microsoft Office documents created with the Royal Road weaponizer to deploy Bisonal.
“This malware provides remote access to an infected computer and allows an attacker to execute various commands on it,” researchers Anastasia Tikhonova and Dmitry Kupin said in a report shared with The Hacker News.
Also employed is a previously undocumented downloader referred to as QuickMute by the Computer Emergency Response Team of Ukraine (CERT-UA), which is primarily responsible for retrieving next-stage malware from a remote server.
“The main goals of Chinese APTs are espionage and intellectual property theft,” the researchers said. “Undoubtedly, Tonto Team will keep probing IT and cybersecurity companies by leveraging spear-phishing to deliver malicious documents using vulnerabilities with decoys specially prepared for this purpose.”
