Tonto Team: exploring the TTPs of an advanced threat actor operating a large infrastructure

Daniel Lunghi (Trend Micro) & Jaromir Horejsi (Trend Micro)
Live only, 17:45 - 18:15 UTC, Friday 2 October 2020 (Day 3)
Tonto is an advanced threat actor likely based in Asia that has been operating for over a decade. It has been targeting mainly East Asian government organizations and worldwide companies in different sensitive industries, including energy, transportation, and mining.

As an infection vector, the group sends spear-phishing emails with malicious attachments created with the help of the infamous 'Royal Road' RTF exploitation toolkit, which is known to be shared by different threat actors. The group also uses phishing websites to gather credentials.

After the successful exploitation of the targeted machine, the payloads they use include multiple custom backdoors, such as Bisonal and Dexbia, which are usually written using the MFC framework, and some more advanced families, such as Shadowpad, which is shared with a few other groups. Once they gain control of one host, the threat actors use a variety of custom or repackaged tools to gather credentials or elevate privileges through known Windows exploits.

Mapping and monitoring the attacker’s infrastructure allowed us to find interesting custom tools, such as a backend C&C panel for controlling infected machines. It also helped us find additional links to known threat actors. Tonto maintains at least 80 C2 servers and hundreds of domain names, demonstrating a significant operational capability.

In this presentation, we will analyse the infection vector, starting with the documents weaponized with the 'Royal Road' toolkit. The presentation will continue with the detailed analysis of the different custom as well as shared modules and malware families. We will summarize various post-exploitation tools that we noticed the threat actor using. Finally, we will share more intelligence about the attacker’s infrastructure and targets, as well as likely connections and overlaps with other known threat actors.
Daniel Lunghi (Trend Micro)

Daniel Lunghi is a threat researcher at Trend Micro. He has been hunting malware and performing incident response investigations for years. Now he focuses on long-term monitoring of advanced threat actors from all over the world, exploring new ways of tracking them, and enjoying their mistakes. The results of such investigations are shared through blog posts, whitepapers, and conference talks.

Jaromir Horejsi (Trend Micro)

Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking trojans, click fraud and ransomware. He has successfully presented his research at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.