Chinese Tonto Team Hackers’ Attempt On Group-IB Fails

By   Adeola Adegunwa
Writer, Information Security Buzz | Feb 13, 2023 07:24 am PST

In June 2022, the advanced persistent threat (APT) actor Tonto Team attempted to target the cybersecurity firm Group-IB but was unsuccessful. The Singapore-headquartered company said it identified and blocked the emails the group sent to trick its staff. It was the second attack on Group-IB attributed to the group; the first occurred in March 2021.

Tonto Team, a suspected Chinese hacking group also tracked as Bronze Huntley, Cactus Pete, Earth Akhlut, Karma Panda, and UAC-0018, has been linked to attacks against a range of Asian and Eastern European targets. The actor is believed to be connected to the Shenyang TRB (Unit 65016) of the People’s Liberation Army’s Third Department (3PLA) and has been active since at least 2009.

Its attack chains use spear-phishing lures carrying malicious attachments built with the Royal Road Rich Text Format (RTF) weaponizer to drop backdoors such as Bisonal, Dexbia, and ShadowPad (aka PoisonPlug).

In 2020, Trend Micro noted “a somewhat different mechanism utilized by this threat actor in the field”: the group sent its phishing emails from legitimate corporate email addresses, most likely obtained through earlier phishing. Mail from a trusted sender raises the chance that recipients open the attachment and let the malware onto their machines.

Phishing Emails Disseminate Malicious Microsoft Office Documents

The group was one of the threat actors that exploited the Microsoft Exchange Server ProxyLogon vulnerability in March 2021 to attack cybersecurity and procurement firms based in Eastern Europe.

Last year, Tonto Team was observed using the Bisonal backdoor against Russian government organizations and scientific and technological companies, around the time of Russia’s military invasion of Ukraine.

In the attempted attack on Group-IB, the threat actor used phishing emails to deliver malicious Microsoft Office documents built with the Royal Road weaponizer in order to deploy Bisonal.

Researchers Anastasia Tikhonova and Dmitry Kupin stated in a study shared with The Hacker News that the malware “provides remote access to an infected machine and allows an attacker to execute numerous commands on it.”
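The delivery mechanism described above, an RTF lure that carries an embedded OLE object which the backdoor is unpacked from, is what a mail gateway or analyst has to triage before anyone opens the attachment. The following script is an added example written for this page, not Group-IB’s tooling or code from the report, and it does not detect Royal Road itself: it extracts every embedded object from an RTF, parses the OLE1 header that `\objdata` carries (OLEVersion, FormatID, ClassName, native payload), and applies three heuristics that are assumptions of this example rather than indicators from the article: the object is flagged to refresh on open (`\objupdate`), the class declared in `\objclass` differs from the class actually embedded, or the native payload is a PE image. The sample document is constructed inline by `build_sample_rtf` and is not a real malicious file.

```python
import re
import struct

OLE1_VERSION = 0x00000501   # OLEVersion value in OLE1 object streams (MS-OLEDS)
OLE1_EMBEDDED = 0x00000002  # FormatID: embedded (not linked) object


def _group_at(text: str, start: int) -> str:
    """Return the RTF group opening at text[start] == '{', honouring nested
    groups and backslash-escaped braces."""
    depth, i = 0, start
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "{}\\":
            i += 2  # escaped brace or backslash, not a group delimiter
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    raise ValueError("unterminated RTF group")


def find_object_groups(rtf: str) -> list:
    """Every {\\object ...} group in the document, one per embedded object."""
    return [_group_at(rtf, m.start()) for m in re.finditer(r"\{\\object\b", rtf)]


def parse_ole1_header(data: bytes) -> dict:
    """Parse the OLE1 object that \\objdata carries: OLEVersion, FormatID, three
    length-prefixed ANSI strings (ClassName, TopicName, ItemName), then the
    NativeDataSize and the native payload itself."""
    if len(data) < 8:
        raise ValueError("objdata too short for an OLE1 header")
    version, fmt = struct.unpack_from("<II", data, 0)
    off, names = 8, []
    for _ in range(3):
        (n,) = struct.unpack_from("<I", data, off)
        off += 4
        names.append(data[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    (native_size,) = struct.unpack_from("<I", data, off)
    off += 4
    return {"version": version, "format_id": fmt, "class_name": names[0],
            "topic": names[1], "item": names[2], "native": data[off:off + native_size]}


def triage_rtf(rtf: str) -> list:
    """One finding per embedded object, listing the heuristics that fired."""
    findings = []
    for grp in find_object_groups(rtf):
        declared = re.search(r"\\objclass\s+([^\\{}]+)", grp)
        hexdata = re.search(r"\\objdata\s*([0-9A-Fa-f\s]+)", grp)
        f = {"declared_class": declared.group(1).strip() if declared else None,
             "auto_update": "\\objupdate" in grp,  # object loaded as soon as the file opens
             "ole": None, "reasons": []}
        if hexdata:
            try:
                f["ole"] = parse_ole1_header(bytes.fromhex(re.sub(r"\s+", "", hexdata.group(1))))
            except (ValueError, struct.error) as e:
                f["reasons"].append(f"malformed objdata: {e}")
        if f["auto_update"]:
            f["reasons"].append("objupdate forces the object to load when the document opens")
        ole = f["ole"]
        if ole:
            if f["declared_class"] and ole["class_name"] and f["declared_class"] != ole["class_name"]:
                f["reasons"].append(f"declared class {f['declared_class']!r} != embedded class {ole['class_name']!r}")
            if ole["native"].startswith(b"MZ"):
                f["reasons"].append("native payload is a PE image")
        f["suspicious"] = bool(f["reasons"])  # heuristic verdict, an assumption of this example
        findings.append(f)
    return findings


def _lpstr(s: str) -> bytes:
    b = s.encode("latin-1") + b"\x00" if s else b""
    return struct.pack("<I", len(b)) + b


def build_sample_rtf(embedded_class="Package", native=b"MZ\x90\x00constructed",
                     declared_class="Word.Document.8", auto_update=True) -> str:
    """Constructed sample (not a real Royal Road document): an RTF with one
    embedded OLE1 object, hex-encoded in \\objdata and line-wrapped like Word does."""
    ole = (struct.pack("<II", OLE1_VERSION, OLE1_EMBEDDED) + _lpstr(embedded_class)
           + _lpstr("") + _lpstr("") + struct.pack("<I", len(native)) + native).hex()
    wrapped = "\n".join(ole[i:i + 64] for i in range(0, len(ole), 64))
    return ("{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
            "\\pard Please review the attached invoice.\\par\n"
            "{\\object\\objemb" + ("\\objupdate" if auto_update else "")
            + "{\\*\\objclass " + declared_class + "}\n"
            "{\\*\\objdata\n" + wrapped + "\n}}\n}")


if __name__ == "__main__":
    for finding in triage_rtf(build_sample_rtf()):
        print(finding["declared_class"], finding["ole"]["class_name"], finding["reasons"])
```

To run it over a real attachment, read the file as `latin-1` text and pass it to `triage_rtf`; an object that claims to be a Word document but embeds something else, or that is forced to load on open, is worth detonating in a sandbox before delivery. The parser deliberately handles only the plain `\objdata` hex form; obfuscated RTFs (control words padded with whitespace, `\bin` blobs) need a fuller RTF tokenizer.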

The attack chain also delivered a previously undocumented downloader known as QuickMute, whose main job is to fetch next-stage malware from a remote server. Ukraine’s Computer Emergency Response Team (CERT-UA) tracks the group as UAC-0018.

The researchers said that espionage and intellectual property theft remain the primary objectives of Chinese APTs, and that Tonto Team will undoubtedly keep probing IT and cybersecurity firms, using spear-phishing to deliver weaponized documents that exploit known flaws, with decoys crafted specifically for the target.
