However, the APT group has failed to cause any harm to the Singapore-based cybersecurity giant.
An advanced persistent threat (APT) group known as Tonto Team has tried to target the Singapore-based cybersecurity firm Group-IB for the second time. This attempt also failed. The attack occurred in June 2022, whereas the first one occurred in March 2021.
According to Group-IB, they detected and blocked malicious phishing emails that targeted their employees. Group-IB’s team detected malicious activity on June 20, 2022, and its XDR solution triggered an alert after blocking the emails sent to two of its employees.
Further investigation revealed that the Tonto Team threat actors posed as an employee of a legitimate firm and used a fake email address created with a free email service called GMX Mail. The phishing emails were the initial phase of the attack. Attackers used them to deliver malicious MS Office documents created using the Royal Road Weaponizer.
Moreover, the actors used the Bisonal.DoubleT backdoor, which they developed themselves, along with a new downloader that Group-IB researchers named TontoTeam.Downloader (aka QuickMute).
How Did the Attack Occur?
Attackers created a Rich Text Format (RTF) file with the Royal RTF Weaponizer. It is worth noting that this weaponizer is mainly used by Chinese APT (Advanced Persistent Threat) groups.
The weaponizer allows attackers to create malicious RTF exploits with decoy content for Microsoft Equation Editor vulnerabilities tracked as CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798. The decrypted payload, a malicious PE32 format EXE file, could be classified as a Bisonal.DoubleT backdoor.
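A defender's triage check for the delivery stage described above, as an added example that is not from Group-IB or the original article: it lists the OLE objects embedded in an RTF file and flags those whose class name points at Equation Editor. It assumes plain hex after `\objdata` and the OLE 1.0 object header layout from Microsoft's MS-OLEDS specification; the function names and the inert sample document are constructed for illustration.

```python
import re
import struct

# Hex payload that follows an RTF \objdata control word, up to the next brace or control word.
OBJDATA_RE = re.compile(rb"\\objdata([^{}\\]*)")

def _read_lpstr(blob, off):
    """Read an OLE 1.0 LengthPrefixedAnsiString; return (bytes, next offset)."""
    (length,) = struct.unpack_from("<I", blob, off)
    off += 4
    if length > len(blob) - off:
        raise ValueError("string runs past end of object")
    return blob[off:off + length].rstrip(b"\x00"), off + length

def parse_ole1_header(blob):
    """Return (class_name, native_data_size) for an embedded OLE 1.0 object, else None."""
    try:
        _version, format_id = struct.unpack_from("<II", blob, 0)
        if format_id != 2:  # 2 = embedded object
            return None
        class_name, off = _read_lpstr(blob, 8)
        _topic, off = _read_lpstr(blob, off)
        _item, off = _read_lpstr(blob, off)
        (native_size,) = struct.unpack_from("<I", blob, off)
    except (struct.error, ValueError):
        return None  # truncated or malformed header
    return class_name.decode("latin-1"), native_size

def embedded_objects(rtf):
    """List (class_name, native_data_size) for every parsable \\objdata blob."""
    found = []
    for match in OBJDATA_RE.finditer(rtf):
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", match.group(1))  # keep hex digits only
        blob = bytes.fromhex(digits[: len(digits) // 2 * 2].decode("ascii"))
        header = parse_ole1_header(blob)
        if header:
            found.append(header)
    return found

def equation_editor_objects(rtf):
    """Embedded objects whose class name starts with "Equation." (for example Equation.3)."""
    return [o for o in embedded_objects(rtf) if o[0].lower().startswith("equation.")]

def build_sample_rtf(class_name):
    """Constructed, inert test document: one embedded object with 4 zero bytes of native data."""
    lpstr = struct.pack("<I", len(class_name) + 1) + class_name + b"\x00"
    obj = struct.pack("<II", 0x0501, 2) + lpstr + struct.pack("<III", 0, 0, 4) + b"\x00" * 4
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata\n" + obj.hex().encode() + b"}}}"

if __name__ == "__main__":
    print(equation_editor_objects(build_sample_rtf(b"Equation.3")))
```

Weaponized documents often obfuscate the hex stream, so an empty result is not a clean verdict; a dedicated parser such as the rtfobj tool from oletools handles more of those cases.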
Bisonal.DoubleT Backdoor Functionalities
Static analysis of the Bisonal.DoubleT sample was conducted and compared with its old version discovered in 2020. Similar strings were identified, and researchers also detected traces of communication with a C2 server.
Additionally, they conducted a dynamic comparison analysis of the sample from 2022 and other samples of the same malware family. Researchers concluded that this backdoor could collect information about the compromised host, such as the proxy server address, system language encoding, the account name for the file currently running, hostname, time since system boot, and local IP address.
It enables remote access to a compromised device, and the attacker can easily execute various commands. It can stop a specified process, obtain a list of processes, download files from the control server and run them, and create a file on the disk using the local language encoding.
Tracking the Tonto Team
The Tonto Team is also referred to as Karma Panda, HeartBeat, Bronze Huntley, CactusPete, and Earth Akhlut. It is a cyberespionage group, possibly from China.
This APT group has mainly targeted military, government, finance, energy, education, technology, and healthcare organizations since 2009. Initially, it targeted companies in South Korea, Taiwan, and Japan and later expanded its operations to the USA.
The group frequently used spear-phishing attacks and delivered malicious attachments created using the RTF exploitation toolkit to drop backdoors, such as ShadowPad, Dexbia, and Bisonal.