Tonto Team

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).[1][2][3][4][5][6]

ID: G0131
Associated Groups: Earth Akhlut, BRONZE HUNTLEY, CactusPete, Karma Panda
Version: 1.1
Created: 05 May 2021
Last Modified: 27 January 2022

Associated Group Descriptions

Name Description
Earth Akhlut [7]
BRONZE HUNTLEY [8]
CactusPete [1]
Karma Panda [1][9]

Techniques Used

Domain ID Name Use
Enterprise T1090 .002 Proxy: External Proxy

Tonto Team has routed their traffic through an external server in order to obfuscate their location.[7]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Tonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Tonto Team has used PowerShell to download additional payloads.[2]

.006 Command and Scripting Interpreter: Python

Tonto Team has used Python-based tools for execution.[7]

Enterprise T1203 Exploitation for Client Execution

Tonto Team has exploited Microsoft vulnerabilities, including CVE-2018-0798, CVE-2018-8174, CVE-2018-0802, CVE-2017-11882, CVE-2019-9489, and CVE-2020-8468, to enable execution of their delivered malicious payloads.[1][7][10][6]

Enterprise T1003 OS Credential Dumping

Tonto Team has used a variety of credential dumping tools.[7]

Enterprise T1505 .003 Server Software Component: Web Shell

Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server.[2]

Enterprise T1068 Exploitation for Privilege Escalation

Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate privileges.[7]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Tonto Team has used the ShowLocalGroupDetails command to identify administrator, user, and guest accounts on a compromised host.[7]

Enterprise T1204 .002 User Execution: Malicious File

Tonto Team has relied on user interaction to open their malicious RTF documents.[7][10]

Enterprise T1135 Network Share Discovery

Tonto Team has used tools such as NBTscan to enumerate network shares.[7]

Enterprise T1105 Ingress Tool Transfer

Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.[2]

Enterprise T1056 .001 Input Capture: Keylogging

Tonto Team has used keylogging tools in their operations.[7]

Enterprise T1210 Exploitation of Remote Services

Tonto Team has used EternalBlue exploits for lateral movement.[7]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Tonto Team has delivered payloads via spearphishing attachments.[7]

Software

ID Name References Techniques
S0268 Bisonal [1][8][10] Data from Local System, Proxy, Masquerading: Match Legitimate Name or Location, Masquerading, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Add-ins, Encrypted Channel: Symmetric Cryptography, Dynamic Resolution, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Software Packing, User Execution: Malicious File, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Time Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion, Virtualization/Sandbox Evasion: Time Based Evasion, Ingress Tool Transfer, Process Discovery, Exfiltration Over C2 Channel, Phishing: Spearphishing Attachment, Non-Application Layer Protocol
S0008 gsecdump [7] OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets
S0349 LaZagne [7] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0002 Mimikatz [1] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0590 NBTscan [7] System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0596 ShadowPad [1] Modify Registry, Dynamic Resolution: Domain Generation Algorithms, Deobfuscate/Decode Files or Information, Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Indicator Removal, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Non-Application Layer Protocol, Scheduled Transfer

References