Chinese Espionage Group Exploits Systems with Equation Editor Vulnerability

Category: Threat Actor Activity | Industries: Education, Energy, Financial Services, Government, Healthcare, Military, Technology | Level: Tactical | Source: Group-IB

In June 2022, a phishing campaign was observed by Group-IB researchers delivering a weaponized Microsoft Office document created with the Royal Road RTF Weaponizer, a tool linked to Chinese nation-state actors. Group-IB attributes the campaign to the Chinese cyber espionage group, Tonto Team (additional aliases HeartBeat, Karma Panda, CactusPete, Bronze Huntley, Earth Akhlut) active since 2019 and is known to attack entities in the United States, Asia Pacific, and Eastern European regions. Verticals targeted by Tonto Team include organizations in education, energy, financial services, government, healthcare, military, and technology. The weaponized document file attempted to exploit vulnerabilities in the Microsoft Equation Editor, CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798 to download an updated Bisonal.DoubleT backdoor malware is capable of providing remote access, command execution, data collection, and exfiltration. A comparison of between new and old samples of Bisonal.DoubleT found similarities in its network requests based on the URL and User-Agent. The Tonto team also deployed a new downloader tracked as TontoTeam.Downloader (aka QuickMute) used to "download malware for the next stage of the attack." The payloads downloaded, support the Tonto team's data-gathering objectives. Group-IB assesses Tonto Team will be active in targeting technology companies to achieve supply-chain level compromises.

Anvilogic Scenario:

• Infection Chain with Equation Editor

Anvilogic Use Cases:

• Abuse EQNEDT32.EXE
• WMI subscription execution
• New AutoRun Registry Key

‍