Cybersecurity company Group-IB has revealed it successfully detected and blocked an email carrying a malicious attachment by Tonto Team in June 2022.
The firm made the disclosure in an advisory published earlier today, where it explained the threat actors used phishing emails to deliver malicious Microsoft Office documents created with the Royal Road Weaponizer, a tool Group-IB associated with Chinese nation-state threat actors.
“During the attack, Group-IB researchers noticed the use of the Bisonal.DoubleT backdoor [...], a unique tool developed by the Tonto Team APT,” reads the technical write-up by Group-IB head of advanced persistent threat (APT) research Anastasia Tikhonova and senior malware analyst Dmitry Kupin.
According to the researchers, Tonto Team has been targeting government, military, energy, financial, educational, healthcare and technology sector companies since 2009.
“Initially focusing on Asia Pacific (South Korea, Japan, Taiwan) and the United States, by 2020, the group had expanded its operations to Eastern Europe,” Tikhonova and Kupin wrote.
As for the June 2022 attack against Group-IB, the company said the malicious file attached to the email received was a decoy Rich Text Format (RTF) that contained an encoded malicious payload.
“The decrypted payload was a malicious EXE file [...] that can be classified as a Bisonal.DoubleT backdoor. This malware provides remote access to an infected computer and allows an attacker to execute various commands on it,” Group-IB explained.
These included collecting information about the compromised host, getting a list of processes, stopping a particular process, getting remote access to a command shell, downloading a file from the control server and running it and creating a file on a disk using the local language encoding.
The cybersecurity researchers had also conducted a dynamic comparison analysis of the sample obtained in 2022 with other samples in the Bisonal.DoubleT malware family and found some similarities.
During the investigation, Group-IB said it reviewed the whole Group-IB Managed XDR database of neutralized malicious mailings and found that in the summer of 2021, Tonto Team targeted Group-IB employees, making the June 2022 attempt the second unsuccessful one against the company.
“The main goals of Chinese APTs are espionage and intellectual property theft,” reads the Group-IB advisory. “Undoubtedly, Tonto Team will keep probing IT and cybersecurity companies by leveraging spear phishing to deliver malicious documents using vulnerabilities with decoys specially prepared for this purpose.”
Chinese threat actors were also recently spotted by Palo Alto Networks targeting the Iranian government.