Tonto Team
Associated Group Descriptions

| Name | Description |
|---|---|
| Earth Akhlut | (Citation: TrendMicro Tonto Team October 2020) |
| BRONZE HUNTLEY | (Citation: Secureworks BRONZE HUNTLEY) |
| CactusPete | (Citation: Kaspersky CactusPete Aug 2020) |
| Karma Panda | (Citation: Kaspersky CactusPete Aug 2020)(Citation: CrowdStrike Manufacturing Threat July 2020) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Tonto Team has used PowerShell to download additional payloads.(Citation: ESET Exchange Mar 2021) |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Tonto Team has used Python-based tools for execution.(Citation: TrendMicro Tonto Team October 2020) |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Tonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL.(Citation: ESET Exchange Mar 2021) |
| Enterprise | T1056.001 | Input Capture: Keylogging | Tonto Team has used keylogging tools in their operations.(Citation: TrendMicro Tonto Team October 2020) |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | Tonto Team has used the |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Tonto Team has delivered payloads via spearphishing attachments.(Citation: TrendMicro Tonto Team October 2020) |
| Enterprise | T1090.002 | Proxy: External Proxy | Tonto Team has routed their traffic through an external server in order to obfuscate their location.(Citation: TrendMicro Tonto Team October 2020) |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server.(Citation: ESET Exchange Mar 2021) |
| Enterprise | T1204.002 | User Execution: Malicious File | Tonto Team has relied on user interaction to open their malicious RTF documents.(Citation: TrendMicro Tonto Team October 2020)(Citation: Talos Bisonal Mar 2020) |
References
- Lughi, D., Horejsi, J. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
- Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.
- Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
- Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021.
- Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
- Mercer, W., Rascagneres, P., Ventura, V. (2020, March 6). Bisonal 10 Years of Play. Retrieved October 17, 2021.
- Fraser, N., Vanderlee, K. (2019, October 10). Achievement Unlocked - Chinese Cyber Espionage Evolves to Support Higher Level Missions. Retrieved October 17, 2021.
- Gallagher, S. (2017, April 21). Researchers claim China trying to hack South Korea missile defense efforts. Retrieved October 17, 2021.
- Dela Paz, R. (2003, January 3). The HeartBeat APT Campaign. Retrieved October 17, 2021.
- Falcon OverWatch Team. (2020, July 14). Manufacturing Industry in the Adversaries’ Crosshairs. Retrieved October 17, 2021.