
Chinese Hackers Keep Targeting Group-IB Cybersecurity Firm

By Deeba Ahmed, HackRead

An advanced persistent threat (APT) group known as Tonto Team has targeted the Singapore-based cybersecurity firm Group-IB for the second time, and again without success. The latest attempt took place in June 2022; the first was in March 2021.

Incident Details

Group-IB says it detected and blocked malicious phishing emails aimed at its employees. On June 20, 2022, its managed XDR solution blocked emails sent to two employees and raised an alert, which is what surfaced the activity.

(Screenshot: alerts in Group-IB Managed XDR)

Further investigation showed that the Tonto Team operators posed as an employee of a legitimate company, writing from an address registered with the free email service GMX Mail. The phishing emails were the initial access stage: they carried malicious Microsoft Office documents built with the Royal Road weaponizer.

The operators also used their own Bisonal.DoubleT backdoor together with a new downloader that Group-IB researchers named TontoTeam.Downloader (aka QuickMute).

How Did the Attack Occur?

The attackers built a Rich Text Format (RTF) file with the Royal Road RTF weaponizer, a tool used mainly by Chinese APT (Advanced Persistent Threat) groups.

Royal Road produces RTF documents with decoy content that exploit Microsoft Equation Editor vulnerabilities tracked as CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. The payload it decrypts and drops is a PE32 executable that Group-IB classified as the Bisonal.DoubleT backdoor.
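Added example, not Group-IB's or HackRead's code: a small Python triage script for the kind of RTF document described above. RTF stores embedded objects as a hex dump under \objdata in the OLE 1.0 container format, so the script decodes each blob, reads the object's class name, looks for the Equation Editor ProgIDs (Equation.2, Equation.3) and its COM CLSID {0002CE02-0000-0000-C000-000000000046}, and notes whether \objupdate is set, the control word that makes Word load the object when the file is opened without any click by the user. The two sample documents at the end are constructed for this example and are not Royal Road output; the "review"/"suspicious" verdict levels are this example's own choice.

```python
"""Triage an RTF file for embedded objects that load Microsoft Equation Editor."""
import binascii
import struct
import uuid

# COM class of Microsoft Equation Editor (EQNEDT32.EXE), the component abused by
# CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798; stored little-endian inside OLE2 data.
EQUATION_EDITOR_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046").bytes_le
EQUATION_PROGIDS = (b"Equation.2", b"Equation.3")
OLE1_VERSION = 0x00000501                        # OLEVersion field of an OLE 1.0 object (MS-OLEDS)
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file signature
HEX_DIGITS = b"0123456789abcdefABCDEF"


def extract_objdata_blobs(rtf: bytes) -> list:
    """Decode the hex payload of every \\objdata destination in the file.

    Whitespace inside the hex run is skipped (RTF writers wrap it freely); the run ends at
    the closing brace or the next control word. \\bin data and other obfuscations are out
    of scope for this example.
    """
    blobs, pos = [], 0
    while True:
        pos = rtf.find(b"\\objdata", pos)
        if pos < 0:
            return blobs
        pos += len(b"\\objdata")
        hexchars = bytearray()
        while pos < len(rtf) and rtf[pos:pos + 1] not in (b"}", b"\\"):
            if rtf[pos:pos + 1] in HEX_DIGITS:
                hexchars += rtf[pos:pos + 1]
            pos += 1
        if len(hexchars) >= 2:                   # drop a dangling odd nibble, then decode
            blobs.append(binascii.unhexlify(bytes(hexchars[:len(hexchars) & ~1])))


def parse_ole1_object(blob: bytes):
    """Parse an OLE 1.0 object header (MS-OLEDS 2.2.4); return (class_name, native_data) or None."""
    try:
        version, format_id = struct.unpack_from("<II", blob, 0)
        if version != OLE1_VERSION:
            return None
        off, names = 8, []
        for _ in range(3):                       # ClassName, TopicName, ItemName
            (n,) = struct.unpack_from("<I", blob, off)
            if n > len(blob) - off - 4:
                return None
            names.append(blob[off + 4:off + 4 + n].rstrip(b"\x00"))
            off += 4 + n
        native = b""
        if format_id == 2:                       # EmbeddedObject: NativeDataSize + NativeData follow
            (size,) = struct.unpack_from("<I", blob, off)
            native = blob[off + 4:off + 4 + size]
        return names[0], native
    except struct.error:
        return None


def scan_rtf(rtf: bytes) -> dict:
    """Report embedded object classes and an Equation Editor verdict for one RTF document."""
    report = {"objupdate": b"\\objupdate" in rtf,  # Word loads the object on open, no click needed
              "objects": [], "equation_objects": [], "clsid_hits": 0, "verdict": "clean"}
    for blob in extract_objdata_blobs(rtf):
        parsed = parse_ole1_object(blob)
        if parsed is None:
            continue
        class_name, native = parsed
        name = class_name.decode("latin-1")
        report["objects"].append(name)
        clsid_hit = EQUATION_EDITOR_CLSID in native
        report["clsid_hits"] += int(clsid_hit)
        if class_name in EQUATION_PROGIDS or clsid_hit:
            report["equation_objects"].append(name)
    if report["equation_objects"]:
        # A legacy document with genuine equations also reaches "review"; the pairing with
        # \objupdate is what distinguishes the exploit documents.
        report["verdict"] = "suspicious" if report["objupdate"] else "review"
    return report


# ---- constructed sample documents for this example (not real Royal Road output) ----
def _ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    def lp(s):                                   # LengthPrefixedAnsiString; length counts the NUL
        return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)
    return (struct.pack("<II", OLE1_VERSION, 2) + lp(class_name) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)


def _rtf_with_object(class_name: bytes, native: bytes, objupdate: bool) -> bytes:
    hexdata = binascii.hexlify(_ole1_embedded(class_name, native))
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\pard Invoice attached.\\par\n"
            + b"{\\object\\objemb" + (b"\\objupdate" if objupdate else b"")
            + b"{\\*\\objdata\n" + wrapped + b"\n}}}")


# Fake compound-file payload carrying the Equation Editor CLSID where a real one keeps it.
_FAKE_EQUATION_CFB = CFB_MAGIC + b"\x00" * 72 + EQUATION_EDITOR_CLSID + b"\x00" * 32
SAMPLE_EXPLOIT_RTF = _rtf_with_object(b"Equation.3", _FAKE_EQUATION_CFB, objupdate=True)
SAMPLE_BENIGN_RTF = _rtf_with_object(b"Word.Document.8", CFB_MAGIC + b"\x00" * 120, objupdate=False)
```

Run it on a real sample with scan_rtf(open(path, "rb").read()). The extractor is deliberately simple: it does not follow \bin data, nested groups or the control-word obfuscation that Royal Road and similar builders use to break naive parsers, so a clean result from it is inconclusive and oletools' rtfobj remains the reference parser. What it does show is the shape of the indicator: an Equation.3 object (or the Equation Editor CLSID inside the object's compound file) combined with \objupdate in a document that has no reason to contain a formula.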

Bisonal.DoubleT Backdoor Functionalities

Group-IB statically analysed the Bisonal.DoubleT sample and compared it with a version of the backdoor discovered in 2020. The two share strings, and traces of command-and-control (C2) server communication were also identified.

A dynamic comparison of the 2022 sample with other samples of the same malware family showed that the backdoor collects information about the compromised host: the proxy server address, the system language encoding, the account name under which the file is running, the hostname, the time since system boot and the local IP address.

It gives the attacker remote access to the compromised device and executes operator commands: terminate a specified process, list running processes, download files from the control server and run them, and create a file on disk using the local language encoding.

Tracking the Tonto Team

Tonto Team is also tracked as Karma Panda, HeartBeat, Bronze Huntley, CactusPete and Earth Akhlut. It is a cyberespionage group believed to operate from China.

This APT group has mainly targeted military, government, finance, energy, education, technology, and healthcare organizations since 2009. Initially, it targeted companies in South Korea, Taiwan, and Japan and later expanded its operations to the USA.

The group relies on spear-phishing emails with malicious attachments built with the Royal Road RTF exploitation toolkit to drop backdoors such as ShadowPad, Dexbia and Bisonal.

Related news

To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware

USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.

Hackers Exploiting Old MS Excel Vulnerability to Spread Agent Tesla Malware

Attackers are weaponizing an old Microsoft Office vulnerability as part of phishing campaigns to distribute a strain of malware called Agent Tesla. The infection chains leverage decoy Excel documents attached in invoice-themed messages to trick potential targets into opening them and activate the exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office's

September 2023: VM courses, Bahasa Indonesia, Russian Podcasts, Goodbye Tinkoff, MS Patch Tuesday, Qualys TOP 20, Linux, Forrester, GigaOm, R-Vision VM

Hello everyone! On the last day of September, I decided to record another retrospective episode on how my Vulnerability Management month went. Alternative video link (for Russia): https://vk.com/video-149273431_456239136 September was quite a busy month for me. Vulnerability Management courses I participated in two educational activities. The first one is an on-line cyber security course for […]

Operation Rusty Flag: Azerbaijan Targeted in New Rust-Based Malware Campaign

Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems. Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group. "The operation has at least two different initial access vectors," security researchers

New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs

By Deeba Ahmed FortiGuard Discovers Phishing Campaign Distributing New Agent Tesla Variant to Windows Devices. This is a post from HackRead.com Read the original post: New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs

Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant

The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. “APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” NSFOCUS Security Labs said in a report published last week. APT34, also known by

August 2023: GitHub PoCs, Vulristics, Qualys First-Party, Tenable ExposureAI, SC Awards and Rapid7, Anglo-Saxon list, MS Patch Tuesday, WinRAR, Juniper

Hello everyone! This month I decided NOT to make an episode completely dedicated to Microsoft Patch Tuesday. Instead, this episode will be an answer to the question of how my Vulnerability Management month went. A retrospection of some kind. Alternative video link (for Russia): https://vk.com/video-149273431_456239134 GitHub exploits and Vulristics This month I made some improvements […]

Millions of Pen Tests Show Companies' Security Postures Are Getting Worse

A lack of website protections, Sender Policy Framework (SPF) records, and DNSSEC configurations leave companies open to phishing and data exfiltration attacks.

Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog

CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.

Fake Reservation Links Prey on Weary Travelers

Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.

Most Q2 Attacks Targeted Old Microsoft Vulnerabilities

The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.

Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions

Over a dozen military-industrial complex enterprises and public institutions in Afghanistan and Europe have come under a wave of targeted attacks since January 2022 to steal confidential data by simultaneously making use of six different backdoors. Russian cybersecurity firm Kaspersky attributed the attacks "with a high degree of confidence" to a China-linked threat actor tracked by Proofpoint

Microsoft Office Most Exploited Software in Malware Attacks – Report

By Deeba Ahmed Research reveals that around 80% of all malware attacks used MS Office flaws. Atlas VPN has shared its… This is a post from HackRead.com Read the original post: Microsoft Office Most Exploited Software in Malware Attacks – Report

Bitter APT Hackers Continue to Target Bangladesh Military Entities

Military entities located in Bangladesh continue to be at the receiving end of sustained cyberattacks by an advanced persistent threat tracked as Bitter. "Through malicious document files and intermediate malware stages the threat actors conduct espionage by deploying Remote Access Trojans," cybersecurity firm SECUINFRA said in a new write-up published on July 5. The findings from the

Potent Emotet Variant Spreads Via Stolen Email Credentials

The dangerous malware appears to be well and truly back in action, sporting new variants and security-dodging behaviors in a wave of recent phishing campaigns.

SideWinder Hackers Launched Over 1,000 Cyber Attacks Over the Past 2 Years

An "aggressive" advanced persistent threat (APT) group known as SideWinder has been linked to over 1,000 new attacks since April 2020. "Some of the main characteristics of this threat actor that make it stand out among the others, are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their

New Attack Shows Weaponized PDF Files Remain a Threat

Notable new infection chain uses PDF to embed malicious files, load remote exploits, shellcode encryption, and more, new research shows.

Snake Keylogger Spreads Through Malicious PDFs

Microsoft Word also leveraged in the email campaign, which uses a 22-year-old Office RCE bug.

Bitter APT Hackers Add Bangladesh to Their List of Targets in South Asia

An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021. Cybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the Bitter APT based on overlaps in the command-and-control (C2)

Bitter APT adds Bangladesh to their targets

Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims. As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other...
