Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).[1][2][3][4][5][6]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Tonto Team has used PowerShell to download additional payloads.[2] |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Tonto Team has used Python-based tools for execution.[7] |
| Enterprise | T1203 | Exploitation for Client Execution | Tonto Team has exploited vulnerabilities in Microsoft Office Equation Editor (CVE-2017-11882, CVE-2018-0798, CVE-2018-0802), the Windows VBScript engine (CVE-2018-8174), and Trend Micro OfficeScan/Apex One (CVE-2019-9489, CVE-2020-8468) to enable execution of their delivered malicious payloads.[1][7][10][6] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate privileges.[7] |
| Enterprise | T1210 | Exploitation of Remote Services | Tonto Team has used EternalBlue exploits for lateral movement.[7] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Tonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.[2] |
| Enterprise | T1056.001 | Input Capture: Keylogging | Tonto Team has used keylogging tools in their operations.[7] |
| Enterprise | T1135 | Network Share Discovery | Tonto Team has used tools such as NBTscan to enumerate network shares.[7] |
| Enterprise | T1003 | OS Credential Dumping | Tonto Team has used a variety of credential dumping tools.[7] |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | Tonto Team has used the |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Tonto Team has delivered payloads via spearphishing attachments.[7] |
| Enterprise | T1090.002 | Proxy: External Proxy | Tonto Team has routed their traffic through an external server in order to obfuscate their location.[7] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server.[2] |
| Enterprise | T1204.002 | User Execution: Malicious File | Tonto Team has relied on user interaction to open their malicious RTF documents.[7][10] |