Dashboard / Threat Actors / Tonto Team

🇨🇳

Tonto Team

APT Group Information theft and espionage 5 zero-day CVEs ETDA ✓

Also Known As 9 names

BRONZE HUNTLEY COPPER CactusPete Earth Akhlut G0131 KARMA PANDA PLA Unit 65017 Red Beifang TAG-74

Target Countries 9

Countries highlighted in red

Australia Germany India Japan Republic of Korea Mongolia Russian Federation Province of China Taiwan United States

Sectors Targeted

Financial Media Government Management, Scientific, and Technical Consulting Services 5416 Computer Systems Design Services 541512 Defense IT

Details

Origin 🇨🇳 CN

Last Updated 01 Jun 2022

Malware Families 9

ccleaner_backdoor

dexbia

calmthorn

8t_dropper

zhmimikatz

win.shadow_rat

typehash

korlia

quickmute

MITRE ATT&CK 45

T1001 T1003 T1016 T1027 T1033 T1041 T1049 T1056 T1056.001 T1057 T1059 T1059.001 T1059.003 T1059.006 T1068 T1069 T1069.001 T1070.004 T1071 T1071.001 T1072 T1073 T1078.003 T1082 T1090 T1090.002 T1105 T1124 T1135 T1140 T1195 T1203 T1204 T1204.002 T1210 T1218 T1505 T1505.003 T1547 T1566 T1566.001 T1573 T1574 T1574.001 T1614

Related Zero-Days 5

CVE-2018-0802 CVE-2021-26855 CVE-2021-26857 CVE-2021-26858 CVE-2021-27065

Known Names 9 entries

Tonto Team FireEye

HeartBeat Trend Micro

Karma Panda CrowdStrike

CactusPete Kaspersky

Bronze Huntley SecureWorks

Earth Akhlut Trend Micro

LoneRanger ?

TAG-74 Recorded Future

G0131 MITRE

Observed Target Countries 8

Based on ETDA data — countries highlighted in red

India Japan Mongolia Russia South Korea Taiwan USA Eastern Europe

Description

(Trend Micro) The first HeartBeat campaign remote access tool (RAT) component was discovered in June 2012 in a Korean newspaper company network. Further investigation revealed that the campaign has been actively distributing their RAT component to their targets in 2011 and the first half of 2012. Furthermore, we uncovered one malware component that dates back to November 2009. This indicates that the campaign started during that time or earlier. The HeartBeat campaign appears to target government organizations and institutions or communities that are in some way related to the South Korean government. Specifically, we were able to identify the following targets: • Political parties • Media outfits • A national policy research institute • A military branch of South Korean armed forces • A small business sector organization • Branches of South Korean government The profile of their targets suggests that the motive behind the campaign may be politically motivated. (Kaspersky) The actor has quite likely relied on much the same codebase and implant variants for the past six years. However these have broadened substantially since 2018. The group spear-phishes its targets, deploys Word and Equation Editor exploits and an appropriated/repackaged {{DarkHotel}} VBScript zero-day, delivers modified and compiled unique Mimikatz variants, GSEC and WCE credential stealers, a keylogger, various Escalation of Privilege exploits, various older utilities and an updated set of backdoors, and what appear to be new variants of custom downloader and backdoor modules.

Tools Used 9

8.t Dropper Bioazih Bisonal Dexbia DoubleT Flapjack Mimikatz ShadowPad Winnti Living off the Land

Operations 9

2009-11 Operation “Bitter Biscuit” https://asec.ahnlab.com/1078

2017-02 FireEye's director of cyber-espionage analysis John Hultquist told the Wall Street Journal that FireEye had detected a surge in attacks against South Korean targets from China since February, when South Korea announced it would deploy THAAD in response to North Korean missile tests. https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/

2019-03 CactusPete APT group’s updated Bisonal backdoor The backdoor was used to target financial and military organizations in Eastern Europe https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/

2019 Late At the end of 2019 the group seemed to shift towards a heavier focus on Mongolian and Russian organizations. https://securelist.com/apt-trends-report-q1-2020/96826/

2019-12 In this campaign, the CactusPete threat actor used a new method to drop an updated version of the DoubleT backdoor onto the computers. https://securelist.com/apt-trends-report-q2-2020/97937/

2020 Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf

2021-03 Exchange servers under siege from at least 10 APT groups https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

2022-06 Nice Try Tonto Team https://www.group-ib.com/blog/tonto-team/

2023-04 Tonto Team Using Anti-Malware Related Files for DLL Side-Loading https://asec.ahnlab.com/en/51746/

Reports & References 4

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf https://securelist.com/apt-trends-report-q1-2019/90643/ https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html

ETDA Profile

Tonto Team, HartBeat, Karma Panda

Origin

China

First Seen 2009

Sponsor State-sponsored, Shenyang Military Region Technical Reconnaissance Bureau, possibly Unit 65017

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0131/

View on ETDA APT Groups ↗