Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Tonto Team
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Tonto Team
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Tonto Team

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020)
ID: G0131
Associated Groups: Earth Akhlut, BRONZE HUNTLEY, CactusPete, Karma Panda
Version: 1.1
Created: 05 May 2021
Last Modified: 27 Jan 2022

Associated Group Descriptions
Name Description
Earth Akhlut (Citation: TrendMicro Tonto Team October 2020)
BRONZE HUNTLEY (Citation: Secureworks BRONZE HUNTLEY )
CactusPete (Citation: Kaspersky CactusPete Aug 2020)
Karma Panda (Citation: Kaspersky CactusPete Aug 2020)(Citation: CrowdStrike Manufacturing Threat July 2020)

Techniques Used
Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Tonto Team has used PowerShell to download additional payloads.(Citation: ESET Exchange Mar 2021)
.006 Command and Scripting Interpreter: Python

Tonto Team has used Python-based tools for execution.(Citation: TrendMicro Tonto Team October 2020)

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Tonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL.(Citation: ESET Exchange Mar 2021)
Enterprise T1056 .001 Input Capture: Keylogging

Tonto Team has used keylogging tools in their operations.(Citation: TrendMicro Tonto Team October 2020)
Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Tonto Team has used the ShowLocalGroupDetails command to identify administrator, user, and guest accounts on a compromised host.(Citation: TrendMicro Tonto Team October 2020)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Tonto Team has delivered payloads via spearphishing attachments.(Citation: TrendMicro Tonto Team October 2020)
Enterprise T1090 .002 Proxy: External Proxy

Tonto Team has routed their traffic through an external server in order to obfuscate their location.(Citation: TrendMicro Tonto Team October 2020)
Enterprise T1505 .003 Server Software Component: Web Shell

Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server.(Citation: ESET Exchange Mar 2021)
Enterprise T1204 .002 User Execution: Malicious File

Tonto Team has relied on user interaction to open their malicious RTF documents.(Citation: TrendMicro Tonto Team October 2020)(Citation: Talos Bisonal Mar 2020)

Software
ID Name References Techniques
S0268 Bisonal (Citation: Kaspersky CactusPete Aug 2020) (Citation: Secureworks BRONZE HUNTLEY ) (Citation: Talos Bisonal Mar 2020) (Citation: Unit 42 Bisonal July 2018) Native API, File Deletion, Symmetric Cryptography, Process Discovery, Ingress Tool Transfer, Virtualization/Sandbox Evasion, Windows Service, Add-ins, Visual Basic, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, File and Directory Discovery, Registry Run Keys / Startup Folder, Data from Local System, Time Based Evasion, Web Protocols, Commonly Used Port, Modify Registry, Rundll32, Malicious File, Binary Padding, Spearphishing Attachment, Standard Encoding, Query Registry, Software Packing, Exfiltration Over C2 Channel, Non-Application Layer Protocol, Proxy, Windows Command Shell, System Information Discovery, Dynamic Resolution, System Network Configuration Discovery, System Time Discovery, Match Legitimate Name or Location, Masquerading
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Kaspersky CactusPete Aug 2020) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0008 gsecdump (Citation: TrendMicro Tonto Team October 2020) (Citation: TrueSec Gsecdump) Security Account Manager, LSA Secrets
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) (Citation: TrendMicro Tonto Team October 2020) System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0349 LaZagne (Citation: GitHub LaZagne Dec 2018) (Citation: TrendMicro Tonto Team October 2020) Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem
S0596 ShadowPad (Citation: FireEye APT41 Aug 2019) (Citation: Kaspersky CactusPete Aug 2020) (Citation: Kaspersky ShadowPad Aug 2017) (Citation: POISONPLUG.SHADOW) (Citation: Recorded Future RedEcho Feb 2021) (Citation: Securelist ShadowPad Aug 2017) System Owner/User Discovery, Modify Registry, System Time Discovery, Indicator Removal, Deobfuscate/Decode Files or Information, Indicator Removal, System Network Configuration Discovery, Scheduled Transfer, Process Discovery, DNS, Non-Standard Encoding, File Transfer Protocols, Non-Application Layer Protocol, Obfuscated Files or Information, Web Protocols, Process Injection, System Information Discovery, Domain Generation Algorithms, Ingress Tool Transfer, Dynamic-link Library Injection

References

  1. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  2. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  3. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  4. Warren Mercer, Paul Rascagneres, Vitor Ventura. (2020, March 6). Bisonal 10 Years of Play. Retrieved October 17, 2021.
  5. Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021.
  6. Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.
  7. Nalani Fraser, Kelli Vanderlee. (2019, October 10). Achievement Unlocked - Chinese Cyber Espionage Evolves to Support Higher Level Missions. Retrieved October 17, 2021.
  8. Sean Gallagher. (2017, April 21). Researchers claim China trying to hack South Korea missile defense efforts. Retrieved October 17, 2021.
  9. Roland Dela Paz. (2003, January 3). The HeartBeat APT Campaign. Retrieved October 17, 2021.
  10. Falcon OverWatch Team. (2020, July 14). Manufacturing Industry in the Adversaries’ Crosshairs. Retrieved October 17, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.