Tonto Team Employs CHM files to Infiltrate Systems with RATs
Category: Threat Actor Activity | Industries: Construction, Education, Government | Level: Tactical | Source: ASEC
Since 2021, the Chinese state-sponsored espionage group Tonto Team has been distributing malicious CHM files to infect targets and drop malicious payloads. AhnLab Security Emergency Response Center (ASEC) recently detected a new CHM campaign by the group targeting Korean organizations in construction, education, and government agencies associated with diplomatic and political matters. "Recent cases have revealed the group is using a file related to anti-malware products to ultimately execute their malicious attacks," as observed by ASEC.
ASEC's investigation revealed that the attack chain commences with a Microsoft Compiled HTML Help (.CHM) file executing a binary. This binary sideloads a malicious DLL called slc.dll, which launches ReVBShell and establishes persistence through the Run registry key. ReVBShell is an open-source VBScript backdoor also known to be used by another Chinese threat actor, Tick. The backdoor drops a legitimate Avast configuration file, wsc_proxy.exe, which is abused to sideload a malicious DLL. The infection completes with the execution of the Bisonal remote access trojan (RAT).
- Malicious CHM Payload
Anvilogic Use Cases:
- hh.exe Remote File Execution
- New AutoRun Registry Key
- Wscript/Cscript Execution
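As an added illustration of how the three use cases above line up with the chain described (this is example code written for this page, not ASEC's findings or Anvilogic's detection content), the following runs simple rules over constructed Sysmon-style events and escalates a host only when more than one stage fires within a short window. The rule logic is my approximation of what each use case name implies; loader.exe, the SID and the paths are placeholders, not indicators from the report.

```python
"""Constructed Sysmon-style events (ID 1 = process create, ID 13 = registry value
set) plus detection logic for the three use cases. Names and paths are placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"host": "WS01", "ts": "2023-03-01T09:00:02", "id": 1,
     "image": r"C:\Users\u\AppData\Local\Temp\loader.exe", "parent": r"C:\Windows\hh.exe"},
    {"host": "WS01", "ts": "2023-03-01T09:00:05", "id": 13,
     "image": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "target": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Update"},
    {"host": "WS01", "ts": "2023-03-01T09:00:09", "id": 1,
     "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Users\u\AppData\Local\Temp\loader.exe"},
    {"host": "WS02", "ts": "2023-03-01T10:00:00", "id": 1,  # lone admin logon script: one hit only
     "image": r"C:\Windows\System32\cscript.exe", "parent": r"C:\Windows\System32\cmd.exe"},
]

def base(path):
    return ntpath.basename(path or "").lower()

def match_rules(ev):
    """Map one event to the use-case names it satisfies."""
    hits = []
    # CHM viewer spawning a child process (the CHM -> binary step of the chain)
    if ev["id"] == 1 and base(ev.get("parent")) == "hh.exe":
        hits.append("hh.exe Remote File Execution")
    # Value written under a Run key (persistence for ReVBShell)
    if ev["id"] == 13 and "\\currentversion\\run\\" in ev.get("target", "").lower():
        hits.append("New AutoRun Registry Key")
    # Script host launched (ReVBShell is VBScript)
    if ev["id"] == 1 and base(ev["image"]) in {"wscript.exe", "cscript.exe"}:
        hits.append("Wscript/Cscript Execution")
    return hits

def detect(events, window=timedelta(minutes=5)):
    """Return (per-host hits, hosts where >= 2 distinct rules fire inside `window`)."""
    per_host = defaultdict(list)
    for ev in events:
        for rule in match_rules(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), rule))
    escalated = set()
    for host, hits in per_host.items():
        hits.sort()  # each rule alone is noisy; the chained sequence is what escalates a host
        for i, (t0, _) in enumerate(hits):
            if len({r for t, r in hits[i:] if t - t0 <= window}) >= 2:
                escalated.add(host)
    return dict(per_host), sorted(escalated)
```

Running `detect(SAMPLE_EVENTS)` flags WS01 (all three stages within seven seconds) and leaves WS02's single cscript.exe hit unescalated.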