Tonto Team

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).[1][2][3][4][5][6]

ID: G0131
Associated Groups: Earth Akhlut, BRONZE HUNTLEY, CactusPete, Karma Panda
Version: 1.1
Created: 05 May 2021
Last Modified: 27 January 2022

Associated Group Descriptions

Name Description
Earth Akhlut

[7]

BRONZE HUNTLEY

[8]

CactusPete

[1]

Karma Panda

[1][9]

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Tonto Team has used PowerShell to download additional payloads.[2]

.006 Command and Scripting Interpreter: Python

Tonto Team has used Python-based tools for execution.[7]

Enterprise T1203 Exploitation for Client Execution

Tonto Team has exploited Microsoft vulnerabilities, including CVE-2018-0798, CVE-2018-8174, CVE-2018-0802, CVE-2017-11882, CVE-2019-9489 CVE-2020-8468, and CVE-2018-0798 to enable execution of their delivered malicious payloads.[1][7][10][6]

Enterprise T1068 Exploitation for Privilege Escalation

Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate privileges.[7]

Enterprise T1210 Exploitation of Remote Services

Tonto Team has used EternalBlue exploits for lateral movement.[7]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Tonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL.[2]

Enterprise T1105 Ingress Tool Transfer

Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.[2]

Enterprise T1056 .001 Input Capture: Keylogging

Tonto Team has used keylogging tools in their operations.[7]

Enterprise T1135 Network Share Discovery

Tonto Team has used tools such as NBTscan to enumerate network shares.[7]

Enterprise T1003 OS Credential Dumping

Tonto Team has used a variety of credential dumping tools.[7]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Tonto Team has used the ShowLocalGroupDetails command to identify administrator, user, and guest accounts on a compromised host.[7]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Tonto Team has delivered payloads via spearphishing attachments.[7]

Enterprise T1090 .002 Proxy: External Proxy

Tonto Team has routed their traffic through an external server in order to obfuscate their location.[7]

Enterprise T1505 .003 Server Software Component: Web Shell

Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server.[2]

Enterprise T1204 .002 User Execution: Malicious File

Tonto Team has relied on user interaction to open their malicious RTF documents.[7][10]

Software

ID Name References Techniques
S0268 Bisonal [1][8][10] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Dynamic Resolution, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Masquerading, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Office Application Startup: Add-ins, Phishing: Spearphishing Attachment, Process Discovery, Proxy, Query Registry, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Time Discovery, User Execution: Malicious File, Virtualization/Sandbox Evasion, Virtualization/Sandbox Evasion: Time Based Evasion
S0008 gsecdump [7] OS Credential Dumping: LSA Secrets, OS Credential Dumping: Security Account Manager
S0349 LaZagne [7] Credentials from Password Stores: Keychain, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Proc Filesystem, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, Unsecured Credentials: Credentials In Files
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSA Secrets, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0590 NBTscan [7] Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0596 ShadowPad [1] Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Indicator Removal on Host, Ingress Tool Transfer, Modify Registry, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Transfer, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery

References