top of page

Tonto Team: Chinese-aligned threat actor targeting South Korean institutions

The recent string of attacks from the Tonto Team has been especially notable for their use of anti-malware products to ultimately execute their malicious attacks. The group, which is active since at least 2009 and has a track record of targeting various sectors across Asia and Eastern Europe, was most recently attributed to an unsuccessful phishing attack on cybersecurity company Group-IB. However, the attack sequence discovered by ASEC starts with a Microsoft Compiled HTML Help (.CHM) file that executes a binary file to side-load a malicious DLL file (slc.dll) and launch ReVBShell, an open source VBScript backdoor also put to use by another Chinese threat actor called Tick. ReVBShell is subsequently leveraged to download a second executable, a legitimate Avast software configuration file (wsc_proxy.exe), to side-load a second rogue DLL (wsc.dll), ultimately leading to the deployment of the Bisonal remote access trojan. This use of normal software for more elaborate attacks is indicative of the Tonto Team's constant evolution. Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.


bottom of page