2023-05-21

Tonto Team Employs CHM files to Infiltrate Systems with RATs

Level: 
Tactical
  |  Source: 
ASEC
Construction
Education
Government
Share:

Tonto Team Employs CHM files to Infiltrate Systems with RATs

Category: Threat Actor Activity | Industries: Construction, Education, Government | Level: Tactical | Source: ASEC

Since 2021, the Chinese-state-sponsored espionage group Tonto Team has been distributing malicious CHM files to infect targets and drop malicious payloads. The security team at AhnLab Security Emergency Response Center (ASEC) recently detected a new CHM campaign by threat actors targeting Korean organizations in the fields of construction, education, and government agencies associated with diplomatic and political matters. "Recent cases have revealed the group is using a file related to anti-malware products to ultimately execute their malicious attacks," as observed by ASEC.

ASEC's investigation revealed the attack chain commences with the execution of a binary file by a Microsoft Compiled HTML Help (.CHM) file. This binary file sideloads a malicious DLL file called slc.dll, initiating the launch of ReVBShell and establishes persistence in the RUN registry key. This open-source VBScript backdoor is known to be used by another Chinese threat actor named Tick. The backdoor drops a legitimate configuration file for Avast software named wsc_proxy.exe, which is abused to sideload a malicious DLL. The infection completes with the execution of the Bisonal remote access trojan (RAT).

Anvilogic Scenario:

  • Malicious CHM Payload

Anvilogic Use Cases:

  • hh.exe Remote File Execution
  • New AutoRun Registry Key
  • Wscript/Cscript Execution

Get trending threats published weekly by the Anvilogic team.

Sign Up Now