Tonto Team Using Anti-Malware Related Files for DLL Side-Loading

The Tonto Team is a threat group that mainly targets Asian countries and has been distributing the Bisonal malware. AhnLab Security Emergency Response Center (ASEC) has been tracking the Tonto Team's attacks on Korean education, construction, diplomatic, and political institutions. Recent cases have revealed that the group is using a file related to anti-malware products to ultimately execute their malicious attacks.

Figure 1. Overall operation process

The Tonto Team's involvement in the distribution of CHM malware in Korea has been confirmed since 2021, and the group has repeatedly changed its methods to bypass detection. The overall operation process of the most recent method is shown in Figure 1. The stages up to the point where ReVBShell is used to receive the threat actor's commands remain the same, but the stages after that, such as the type of malware that is ultimately downloaded and how it operates, have been gradually changing. Each stage is explained below.

Figure 2. Malicious script within the CHM

Figure 2 shows the malicious script that runs when the CHM is executed. The CHM is decompiled in the same way as in previous cases, but the difference is that the normal program (PresentationSettings.exe) created by the decompilation is registered in the RUN key. A normal program registered in the RUN key is executed when the PC is restarted. Once it runs, it loads the malicious DLL (slc.dll) that was created alongside it, using the DLL Side Loading (T1574.002) technique.

Filename used in distribution: Ministry of Unification Economic Cooperation Corporation Contacts_Ver2.1.chm
Name of normal program: PresentationSettings.exe
Name of malicious DLL (DLL Side Loading): slc.dll

The loaded malicious DLL creates and executes a VBE file in the %TEMP% folder. The decoded VBE is ReVBShell. Its C2 is shown below, and it performs various malicious behaviors according to the threat actor's commands. The AhnLab Smart Defense (ASD) infrastructure was able to confirm the following malicious behavior logs.

  • C2
    hairouni.serveblog[.]net:8080

Figure 3. Download behavior log (April 2022)

Figure 4. Download behavior log (April 2023)

Figure 3 is an additional log that was confirmed in April 2022; the related information is covered in the ASEC blog post below.

Backdoor (*.chm) Disguised as Document Editing Software and Messenger Application

Figure 4 shows an additional log generated on a PC infected with the recently circulating CHM malware. It has the same download URL format as the April 2022 log, and both downloads are written to the same %SystemRoot%\Task\ folder. This download behavior is believed to be performed through ReVBShell under the command of the threat actor.

  • Download URL
    hxxps://92.38.135[.]212/fuat/HimTraylcon.exe (April 2022)
    hxxp://45.133.194[.]135:8080/fuat/KCaseAgent64.exe (April 2023)

The file downloaded in April 2022 was a backdoor, and the file downloaded this time was confirmed to be a normal Avast Software configuration file (wsc_proxy.exe).

Figure 5. wsc_proxy.exe features

The full functionality of wsc_proxy.exe is shown in Figure 5: it loads wsc.dll and then calls that DLL's "_run@4" export. It is assumed that the threat actor abuses this behavior to load a malicious DLL via the DLL Side Loading technique.

Figure 6. Detection log from infected PC

Additionally, a detection log from our ASD infrastructure showed a file named "wsc.dll" being created in the same path (%SystemRoot%\Task\) on an infected PC, as shown in Figure 6. Since normal Avast Software files are generally created under "%ProgramFiles%\Avast Software\", it is highly likely that this wsc.dll is a malicious DLL modified by the threat actor. Ultimately, the malicious DLL (wsc.dll) is loaded by the normal file (wsc_proxy.exe), enabling additional malicious behavior.
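Both side-loading pairs in this report (PresentationSettings.exe loading slc.dll, and wsc_proxy.exe loading wsc.dll from %SystemRoot%\Task\ instead of the Avast install directory) share one detectable trait: a known host binary loads its expected sibling DLL from a directory where that DLL does not belong. The following is an added detection example, not code from ASEC or from the report; the expected install directories, the Sysmon-style image-load record layout, and all sample paths are assumptions constructed for the example.

```python
import ntpath

# Placeholder expansions for the sample host (assumption: default Windows paths).
ENV = {"%programfiles%": r"c:\program files", "%systemroot%": r"c:\windows"}

# Host binary -> (sibling DLL it normally loads, directories where that DLL belongs).
# The directories are assumptions about a default install, not values from the report.
EXPECTED_LOADS = {
    "wsc_proxy.exe": ("wsc.dll", [r"%programfiles%\avast software\avast"]),
    "presentationsettings.exe": ("slc.dll", [r"%systemroot%\system32", r"%systemroot%\syswow64"]),
}

def expand(path):
    """Lower-case a Windows path and expand the placeholders in ENV."""
    p = path.lower()
    for k, v in ENV.items():
        p = p.replace(k, v)
    return p

def check_image_load(image, image_loaded):
    """Return a finding when a known host loads its sibling DLL from outside the
    DLL's legitimate directories; return None for unrelated or expected loads."""
    host = ntpath.basename(image).lower()
    rule = EXPECTED_LOADS.get(host)
    if rule is None:
        return None
    dll_name, ok_dirs = rule
    if ntpath.basename(image_loaded).lower() != dll_name:
        return None
    dll_dir = ntpath.dirname(expand(image_loaded))
    if any(dll_dir == expand(d) for d in ok_dirs):
        return None
    # A DLL sitting right beside a relocated host binary is the classic side-load layout.
    same_dir = dll_dir == ntpath.dirname(expand(image))
    tag = "side-load (DLL beside host)" if same_dir else "DLL from unexpected path"
    return f"{tag}: {host} loaded {image_loaded}"

def scan(records):
    """Run check_image_load over Sysmon-style Event ID 7 records (Image, ImageLoaded)."""
    findings = [check_image_load(r["Image"], r["ImageLoaded"]) for r in records]
    return [f for f in findings if f]

# Constructed sample records: one benign and one suspicious load per host.
SAMPLE = [
    {"Image": r"C:\Program Files\Avast Software\Avast\wsc_proxy.exe",
     "ImageLoaded": r"C:\Program Files\Avast Software\Avast\wsc.dll"},
    {"Image": r"C:\Windows\Task\wsc_proxy.exe", "ImageLoaded": r"C:\Windows\Task\wsc.dll"},
    {"Image": r"C:\Windows\System32\PresentationSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\slc.dll"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\chm\PresentationSettings.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\chm\slc.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Running it flags only the two relocated pairs; the legitimate Avast and System32 loads pass, so the rule keys on where the DLL came from rather than on its name alone.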

Figure 7. File distributed in November 2022

As shown in Figure 7, Bisonal malware was found in the CHM malware distributed in November 2022. It is assumed that this type of CHM malware is being distributed by the Tonto Team.

The Tonto Team keeps evolving its tradecraft, for example by abusing normal software for more elaborate attacks, and the number of distribution cases using CHM files has increased compared to the past. Users must carefully check the senders of emails and refrain from opening files from unknown sources. They should also perform routine PC checks and always keep their security products updated to the latest version.

[File Detection]
Dropper/HTML.Generic.SC187758 (2023.04.12.02)
Trojan/Win.Agent.C5409945 (2023.04.12.02)
Backdoor/VBS.Generic.SC187759 (2023.04.12.02)

[IOC]
59f7a3fe0453ca6d27ba3abe78930fdf
fe1161885005ac85f89accf703ce27bb
d5e6dc253a5584b178ae3c758120da4d
hairouni.serveblog[.]net:8080
hxxp://45.133.194[.]135:8080/fuat/KCaseAgent64.exe

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
