Tonto Team Uses Anti-Malware File to Launch Attacks on South Korean Institutions

April 28, 2023 | Ravie Lakshmanan | Malware / Cyber Threat


South Korea’s educational, construction, diplomatic and political institutions are on the receiving end of new attacks perpetrated by a China-aligned threat actor known as Tonto Team.

“Recent cases have revealed that the group is using a file related to anti-malware products to ultimately execute their malicious attacks,” the AhnLab Security Emergency Response Center (ASEC) said in a report released this week.

Active since at least 2009, Tonto Team has a track record of targeting various sectors in Asia and Eastern Europe. Earlier this year, the group was blamed for an unsuccessful phishing attack on cybersecurity firm Group-IB.

The attack sequence discovered by ASEC begins with a compiled Microsoft HTML Help file (.CHM) that executes a binary, which sideloads a malicious DLL (slc.dll) and launches ReVBShell, an open source VBScript backdoor that is also used by another Chinese threat actor named Tick.

ReVBShell is then used to download a second executable, a legitimate Avast software configuration file (wsc_proxy.exe), which sideloads a second DLL (wsc.dll) and ultimately leads to the deployment of the Bisonal remote access trojan.
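As an added defender-side example (not part of the original article or of ASEC's report), the following Python flags the two observable steps of this chain in constructed Sysmon-style events: the Windows HTML Help viewer hh.exe spawning a binary, and wsc_proxy.exe loading wsc.dll from somewhere other than the Avast install directory, whose path is an assumption here.

```python
"""Heuristics for the chain above: hh.exe (Windows HTML Help viewer for .chm
files) spawning a binary, and wsc_proxy.exe loading wsc.dll from outside its
install directory.  Events are constructed Sysmon-style records
(EventID 1 = process create, EventID 7 = image load)."""
import ntpath

# Assumed Avast install dir (an assumption, not from the ASEC report); any other
# directory hosting wsc_proxy.exe is suspect.
EXPECTED_DIR = {"wsc_proxy.exe": r"c:\program files\avast software\avast"}
# Host binary -> DLL the report says was dropped beside it for sideloading.
SIDELOADED = {"wsc_proxy.exe": "wsc.dll"}
CHM_HOST = "hh.exe"

def check_image_load(event):
    """Alert when a known host loads its sideload DLL from an unexpected dir."""
    host = ntpath.basename(event["Image"]).lower()
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    if SIDELOADED.get(host) != dll:
        return None
    host_dir = ntpath.dirname(event["Image"]).lower()
    if host_dir == EXPECTED_DIR[host]:
        return None  # loaded from the genuine install path: benign
    return f"possible DLL sideload: {host} in {host_dir} loaded {dll}"

def check_process_create(event):
    """Alert when the CHM viewer spawns a child process."""
    if ntpath.basename(event["ParentImage"]).lower() != CHM_HOST:
        return None
    return f"CHM host {CHM_HOST} spawned {event['Image']}"

def scan(events):
    """Run the matching check on each event and return the alert strings."""
    checks = {1: check_process_create, 7: check_image_load}
    results = (checks[e["EventID"]](e) for e in events if e["EventID"] in checks)
    return [alert for alert in results if alert]

# Constructed sample telemetry; the user paths are made up for illustration.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Users\u\AppData\Local\Temp\setup.exe"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\wsc_proxy.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\wsc.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Avast Software\Avast\wsc_proxy.exe",
     "ImageLoaded": r"C:\Program Files\Avast Software\Avast\wsc.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\notepad.exe"},
]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```

The third sample event, the genuine Avast copy loading its DLL, produces no alert, so the rule keys on location rather than on the file names alone.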

“Tonto Team is constantly evolving through various means, including using plain software for more elaborate attacks,” ASEC said.



The use of CHM files as a malware distribution vector is not limited to Chinese threat actors. A North Korean nation-state group known as ScarCruft has adopted similar attack chains in attacks against its southern counterpart to deploy backdoors.

The adversary, also known as APT37, Reaper, and Ricochet Chollima, has also used LNK files to distribute the RokRAT malware, which is capable of collecting user credentials and downloading additional payloads.

Ikaroa, a full stack tech company, is closely monitoring the recent news that a group of hackers known as Tonto Team has launched attacks on South Korean institutions using an anti-malware file. It is believed that the attack targeted South Korea’s National Health Insurance Service and the Ministry of National Defense, with the hackers using malicious code to compromise the systems and steal confidential information from the affected organizations.

This type of attack is known as an Advanced Persistent Threat (APT), a cyber attack strategy in which malicious code is used to gain unauthorized access in order to steal data or disrupt networks. These attacks require a certain amount of sophistication and malicious intent, and can usually only be identified and stopped later in the attack chain.

In this particular case, the hackers used the anti-malware file to inject malicious code into the target systems and create a backdoor that would grant them persistent access. The attack was discovered when security researchers noticed that the same file was being used in other campaigns and was listed as a known malicious file.

Ikaroa is dedicated to helping organizations stay safe from these types of attacks and is constantly monitoring the cyber landscape for potential threats. Our team of experts can help organizations identify potential security risks, provide them with the necessary tools to protect data and systems, and recommend strategies to counter cyber-attacks.

As one of the leading security companies, Ikaroa understands the importance of keeping organizations secure and we take all possible measures to help protect our customers’ data and networks. We urge all organizations to stay vigilant against these attacks and take all necessary steps to protect their data, systems, and networks from malicious actors.

