Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Преступная группа Tonto Team
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Tonto Team
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Tonto Team

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020)
ID: G0131
Associated Groups: Karma Panda, BRONZE HUNTLEY, Earth Akhlut, CactusPete
Version: 1.1
Created: 05 May 2021
Last Modified: 17 Nov 2024

Associated Group Descriptions
Name Description
Karma Panda (Citation: Kaspersky CactusPete Aug 2020)(Citation: CrowdStrike Manufacturing Threat July 2020)
BRONZE HUNTLEY (Citation: Secureworks BRONZE HUNTLEY )
Earth Akhlut (Citation: TrendMicro Tonto Team October 2020)
CactusPete (Citation: Kaspersky CactusPete Aug 2020)

Techniques Used
Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Tonto Team has used PowerShell to download additional payloads.(Citation: ESET Exchange Mar 2021)
.006 Command and Scripting Interpreter: Python

Tonto Team has used Python-based tools for execution.(Citation: TrendMicro Tonto Team October 2020)

Enterprise T1574 .001 Hijack Execution Flow: DLL

Tonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL.(Citation: ESET Exchange Mar 2021)
Enterprise T1056 .001 Input Capture: Keylogging

Tonto Team has used keylogging tools in their operations.(Citation: TrendMicro Tonto Team October 2020)
Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Tonto Team has used the ShowLocalGroupDetails command to identify administrator, user, and guest accounts on a compromised host.(Citation: TrendMicro Tonto Team October 2020)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Tonto Team has delivered payloads via spearphishing attachments.(Citation: TrendMicro Tonto Team October 2020)
Enterprise T1090 .002 Proxy: External Proxy

Tonto Team has routed their traffic through an external server in order to obfuscate their location.(Citation: TrendMicro Tonto Team October 2020)
Enterprise T1505 .003 Server Software Component: Web Shell

Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server.(Citation: ESET Exchange Mar 2021)
Enterprise T1204 .002 User Execution: Malicious File

Tonto Team has relied on user interaction to open their malicious RTF documents.(Citation: TrendMicro Tonto Team October 2020)(Citation: Talos Bisonal Mar 2020)

Software
ID Name References Techniques
S0268 Bisonal (Citation: Kaspersky CactusPete Aug 2020) (Citation: Secureworks BRONZE HUNTLEY ) (Citation: Talos Bisonal Mar 2020) (Citation: Unit 42 Bisonal July 2018) Rundll32, Standard Encoding, Encrypted/Encoded File, Match Legitimate Resource Name or Location, Malicious File, Symmetric Cryptography, Windows Service, Spearphishing Attachment, Add-ins, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Masquerading, Time Based Evasion, Modify Registry, Binary Padding, System Network Configuration Discovery, Proxy, File and Directory Discovery, Dynamic Resolution, Virtualization/Sandbox Evasion, Process Discovery, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, Non-Application Layer Protocol, Query Registry, Windows Command Shell, File Deletion, Software Packing, Web Protocols, Visual Basic, Ingress Tool Transfer, System Time Discovery, Commonly Used Port
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Kaspersky CactusPete Aug 2020) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0008 gsecdump (Citation: TrendMicro Tonto Team October 2020) (Citation: TrueSec Gsecdump) Security Account Manager, LSA Secrets
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) (Citation: TrendMicro Tonto Team October 2020) System Owner/User Discovery, Network Sniffing, System Network Configuration Discovery, Remote System Discovery, Network Service Discovery
S0349 LaZagne (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018) (Citation: TrendMicro Tonto Team October 2020) Keychain, LSA Secrets, Proc Filesystem, Credentials from Password Stores, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials In Files, /etc/passwd and /etc/shadow, Windows Credential Manager
S0596 ShadowPad (Citation: FireEye APT41 Aug 2019) (Citation: Kaspersky CactusPete Aug 2020) (Citation: Kaspersky ShadowPad Aug 2017) (Citation: POISONPLUG.SHADOW) (Citation: Recorded Future RedEcho Feb 2021) (Citation: Securelist ShadowPad Aug 2017) Fileless Storage, System Owner/User Discovery, Domain Generation Algorithms, DNS, System Information Discovery, Deobfuscate/Decode Files or Information, Process Injection, Scheduled Transfer, Modify Registry, System Network Configuration Discovery, Indicator Removal, Process Discovery, File Transfer Protocols, Obfuscated Files or Information, Non-Application Layer Protocol, Non-Standard Encoding, Web Protocols, Ingress Tool Transfer, System Time Discovery, Dynamic-link Library Injection

References

  1. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  2. Sean Gallagher. (2017, April 21). Researchers claim China trying to hack South Korea missile defense efforts. Retrieved October 17, 2021.
  3. Warren Mercer, Paul Rascagneres, Vitor Ventura. (2020, March 6). Bisonal 10 Years of Play. Retrieved October 17, 2021.
  4. Falcon OverWatch Team. (2020, July 14). Manufacturing Industry in the Adversaries’ Crosshairs. Retrieved October 17, 2021.
  5. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  6. Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021.
  7. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  8. Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.
  9. Roland Dela Paz. (2003, January 3). The HeartBeat APT Campaign. Retrieved October 17, 2021.
  10. Nalani Fraser, Kelli Vanderlee. (2019, October 10). Achievement Unlocked - Chinese Cyber Espionage Evolves to Support Higher Level Missions. Retrieved November 17, 2024.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.