Tonto Team Exploits Anti-Malware File to Attack South Korean Institutions

April 28, 2023

Recent attacks by the China-aligned threat actor known as the Tonto Team have targeted South Korean education, construction, diplomatic, and political institutions. The AhnLab Security Emergency Response Center (ASEC) reported that the group is utilizing a file associated with anti-malware products to carry out their malicious activities. Active since at least 2009, Tonto Team has a history of attacks across various sectors in Asia and Eastern Europe. Earlier this year, they were linked to an unsuccessful phishing attempt on the cybersecurity firm Group-IB. According to ASEC, the attack begins with a Microsoft Compiled HTML Help (.CHM) file that runs a binary to side-load a malicious DLL (slc.dll) and deploy the ReVBShell backdoor, an open-source VBScript tool also used by another Chinese threat actor, Tick.

Emerging Cyber Attacks: Tonto Team Targets South Korean Institutions with Unusual Tactics


In a notable escalation of cyber threats, South Korean institutions across several critical sectors—namely education, construction, diplomacy, and politics—are facing fresh attacks attributed to a China-aligned threat group known as the Tonto Team. A report released this week by the AhnLab Security Emergency Response Center (ASEC) highlights that this group has employed a novel strategy involving the use of anti-malware-related files to execute their malicious activities.

Operating since at least 2009, the Tonto Team has a history of targeting diverse sectors throughout Asia and Eastern Europe. Most recently, the group was linked to an unsuccessful phishing attempt against the cybersecurity firm Group-IB earlier this year. This latest onslaught leverages a Microsoft Compiled HTML Help (.CHM) file that initiates a binary execution process to load a harmful dynamic link library (DLL) file, specifically identified as slc.dll. This malicious code subsequently deploys ReVBShell, an open-source VBScript backdoor that has also been utilized by another Chinese cyber adversary, Tick.

The methodical nature of these attacks points towards a sophisticated understanding of both the target environment and the tools available for exploitation. Initial access, a crucial stage in the cyber attack lifecycle, is achieved through the seemingly innocuous CHM file, which serves as a delivery mechanism for the subsequent payload. The use of side-loading to introduce the malicious DLL illustrates a potential persistence tactic, allowing attackers to maintain a foothold within compromised systems.
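The chain described above (CHM viewer, spawned binary, DLL loaded under a Windows system DLL name from a non-system path) is observable in ordinary endpoint telemetry. The following detection sketch is an added example written for this article; it is not code from ASEC or from the reporting outlet. It assumes Sysmon-style event IDs (1 for process creation, 7 for image load), uses hh.exe (the built-in Windows HTML Help viewer) as the CHM parent, and constructs its own sample events; the child binary name `update.exe` is a placeholder, because the report does not name the binary the CHM file runs.

```python
"""Flag the CHM -> child process -> side-loaded DLL chain in endpoint telemetry.

Added example for this article, not ASEC's or the outlet's code. Event IDs
follow Sysmon numbering (1 = process create, 7 = image load); the sample
events below are constructed, and "update.exe" is a placeholder name.
"""
from dataclasses import dataclass
from typing import Dict, List

CHM_VIEWER = "hh.exe"  # Windows' built-in HTML Help viewer

# Directories a genuine Windows copy of a system DLL is loaded from.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL names to watch: slc.dll is the side-loaded name reported by ASEC.
WATCHED_DLLS = {"slc.dll"}


@dataclass
class Event:
    event_id: int           # 1 = process create, 7 = image load
    pid: int
    image: str              # process image path
    parent_image: str = ""  # event 1 only
    loaded: str = ""        # event 7 only: path of the DLL that was loaded


def detect_chm_sideload(events: List[Event]) -> List[str]:
    """Return one finding per suspicious step of the chain, in event order."""
    spawned: Dict[int, str] = {}   # pid -> image for children of the CHM viewer
    findings: List[str] = []
    for ev in events:
        if ev.event_id == 1 and ev.parent_image.lower().endswith(CHM_VIEWER):
            # A help file that launches a process is unusual enough to record.
            spawned[ev.pid] = ev.image
            findings.append(f"CHM_CHILD_PROCESS pid={ev.pid} image={ev.image}")
        elif ev.event_id == 7 and ev.pid in spawned:
            path = ev.loaded.lower()
            name = path.rsplit("\\", 1)[-1]
            # A system DLL name loaded from outside the system directories by a
            # process the CHM viewer started is the side-loading signature.
            if name in WATCHED_DLLS and not path.startswith(SYSTEM_DLL_DIRS):
                findings.append(
                    f"DLL_SIDELOAD pid={ev.pid} image={spawned[ev.pid]} dll={ev.loaded}"
                )
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    Event(1, 100, r"C:\Windows\hh.exe", parent_image=r"C:\Windows\explorer.exe"),
    Event(1, 200, r"C:\Users\victim\AppData\Local\Temp\update.exe",
          parent_image=r"C:\Windows\hh.exe"),
    Event(7, 200, r"C:\Users\victim\AppData\Local\Temp\update.exe",
          loaded=r"C:\Windows\System32\kernel32.dll"),           # normal load
    Event(7, 200, r"C:\Users\victim\AppData\Local\Temp\update.exe",
          loaded=r"C:\Users\victim\AppData\Local\Temp\slc.dll"),  # side-load
    Event(7, 300, r"C:\Windows\System32\svchost.exe",
          loaded=r"C:\Windows\System32\slc.dll"),                # genuine slc.dll
]

if __name__ == "__main__":
    for finding in detect_chm_sideload(SAMPLE_EVENTS):
        print(finding)
```

The two checks are deliberately kept separate: a process spawned by the help viewer is worth a low-severity alert on its own, and the second rule only fires once that same process loads a watched DLL name from a user-writable location, which keeps the genuine copy in System32 out of the results. In production, PID reuse across a long capture window would need the process GUID rather than the bare PID as the join key.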

As the situation unfolds, the vulnerability of South Korean institutions raises pertinent questions about the adequacy of existing cybersecurity measures. Notably, the use of benign-looking files to obscure the true nature of the attack echoes broader trends within the realm of cyber threats, which often exploit user trust and the complexities of software environments.

Exploration of the MITRE ATT&CK framework reveals additional contextual insights into the tactics and techniques potentially employed in these attacks. Beyond initial access and persistence, the Tonto Team’s methods may incorporate privilege escalation strategies, allowing them to gain enhanced access to sensitive systems once they establish a presence within the network. This reflects a calculated approach to not only breach defenses but also fortify their hold on targeted environments.

In the face of such threats, business leaders in South Korea must reassess their defensive strategies and cultivate a culture of cybersecurity awareness among their teams. As attacks become increasingly sophisticated, the imperative to stay informed and prepared cannot be overstated. Understanding the specific tactics used by threat actors like the Tonto Team is essential for developing robust defense mechanisms that can safeguard institutions against future incursions.

With the landscape of cyber threats continuously evolving, proactive measures alongside keen vigilance remain paramount in mitigating risks associated with cyber attacks.
