South Korea's educational, construction, diplomatic and political institutions are being targeted by new attacks carried out by a China-aligned threat actor known as Tonto Team.
“Recent cases reveal that the group used files associated with anti-malware products to ultimately execute their malicious attacks,” AhnLab Security Emergency Response Center (ASEC) said in a report published this week.
Tonto Team, active since at least 2009, has a track record of targeting various sectors in Asia and Eastern Europe. Earlier this year, the group was linked to a failed phishing attack against cybersecurity firm Group-IB.
The attack sequence uncovered by ASEC starts with a Microsoft Compiled HTML Help (.CHM) file that executes a binary, which in turn loads a malicious DLL (slc.dll) and launches ReVBShell, an open source VBScript backdoor that is also used by another Chinese threat actor called Tick.
ReVBShell is then used to download a legitimate Avast software executable (wsc_proxy.exe), which is abused to side-load a second rogue DLL (wsc.dll), ultimately leading to the deployment of the Bisonal remote access trojan.
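Two behaviours in the chain described above are observable on an endpoint: the CHM viewer spawning a child process, and wsc_proxy.exe loading a wsc.dll that does not live in Avast's install directory. The following Python checker, added here as an illustration and not code from the ASEC report or the article, runs those two checks over a handful of constructed Sysmon-style process-creation and image-load events. The event layout, the sample paths (a user's Temp folder, a file named loader.exe) and the assumed Avast install directory are all constructed for the example; the only page-sourced names are wsc_proxy.exe and wsc.dll, and hh.exe is the built-in Windows CHM viewer.

```python
"""Detection example (added; not from the ASEC report): flag two behaviours
from the described Tonto Team chain in constructed telemetry events:
  1. hh.exe (the Windows CHM viewer) spawning a child process, and
  2. wsc_proxy.exe loading wsc.dll from outside the expected Avast directory
     (the side-loading step).
Event shape, sample paths and the trusted directory are assumptions."""

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: where a legitimate Avast installation keeps wsc_proxy.exe/wsc.dll.
TRUSTED_AVAST_DIRS = {r"c:\program files\avast software\avast"}


@dataclass
class Event:
    kind: str          # "process_create" or "image_load"
    image: str         # image path of the process the event belongs to
    parent: str = ""   # parent image path (process_create only)
    loaded: str = ""   # loaded module path (image_load only)


def _name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    """Lower-cased directory component of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def chm_spawned_process(ev: Event) -> bool:
    """A CHM file launching anything is rare in normal use; hh.exe as parent is the signal."""
    return ev.kind == "process_create" and _name(ev.parent) == "hh.exe"


def sideloaded_wsc_dll(ev: Event) -> bool:
    """wsc_proxy.exe loading wsc.dll from a directory that is not Avast's own."""
    if ev.kind != "image_load" or _name(ev.image) != "wsc_proxy.exe":
        return False
    if _name(ev.loaded) != "wsc.dll":
        return False
    return _dir(ev.loaded) not in TRUSTED_AVAST_DIRS


def scan(events):
    """Return (rule_name, offending_path) pairs for every matching event."""
    findings = []
    for ev in events:
        if chm_spawned_process(ev):
            findings.append(("chm_child_process", ev.image))
        if sideloaded_wsc_dll(ev):
            findings.append(("wsc_dll_sideload", ev.loaded))
    return findings


# Constructed sample telemetry: two benign events and two that mirror the chain.
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Users\victim\AppData\Local\Temp\loader.exe",
          parent=r"C:\Windows\hh.exe"),
    Event("process_create", r"C:\Windows\System32\notepad.exe",
          parent=r"C:\Windows\explorer.exe"),
    Event("image_load", r"C:\Program Files\Avast Software\Avast\wsc_proxy.exe",
          loaded=r"C:\Program Files\Avast Software\Avast\wsc.dll"),
    Event("image_load", r"C:\Users\victim\AppData\Local\Temp\wsc_proxy.exe",
          loaded=r"C:\Users\victim\AppData\Local\Temp\wsc.dll"),
]

if __name__ == "__main__":
    for rule, path in scan(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

The side-load check deliberately keys on the loaded DLL's directory rather than on the executable's path alone: a copied, validly signed wsc_proxy.exe is indistinguishable from the real one by hash or signature, so the anomaly is the location the DLL is resolved from.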
“The Tonto team continues to develop in various ways such as using ordinary software for more complex attacks,” said ASEC.
The use of CHM files as a malware distribution vector is not limited to Chinese threat actors. A similar attack chain has been adopted by the North Korean nation-state group known as ScarCruft in attacks aimed at its southern counterpart to backdoor target hosts.
The adversary, also known as APT37, Reaper, and Ricochet Chollima, also takes advantage of LNK files to distribute the RokRAT malware, which is capable of collecting user credentials and downloading additional payloads.