Tonto Team Using Anti-Malware Related Files for DLL Side-Loading – ASEC BLOG

The Tonto Team mainly targets Asian countries and has been distributing the Bisonal malware, abusing anti-malware-related files to facilitate DLL side-loading. ASEC's analysis traces the evolving CHM-based campaigns in Korea, persistence via RUN keys, and C2 communication with hairouni.serveblog.net, with observed payload download URLs ending in HimTraylcon.exe and KCaseAgent64.exe. #TontoTeam #Bisonal #CHMmalware #ReVBShell #DLLSideLoading #AvastSoftware

Keypoints

  • The Tonto Team’s campaigns in Korea involve CHM-based delivery to target education, construction, diplomatic, and political institutions.
  • They leverage anti-malware-related files to enable DLL side-loading, pairing the legitimate PresentationSettings.exe with a malicious DLL named slc.dll placed beside it.
  • The malicious DLL creates and executes a VBE file in the %TEMP% folder; decoded, the VBE script is ReVBShell.
  • Command and control for ReVBShell is hosted at hairouni.serveblog.net:8080, giving the attacker a web-based C2 channel.
  • Observed download activity includes hard-coded URLs for HimTraylcon.exe (April 2022) and KCaseAgent64.exe (April 2023); one of the downloaded files was Avast's legitimate wsc_proxy.exe, again used as a side-loading host.
  • DLL side-loading is made persistent by registering the legitimate program in a RUN key, so the benign process (and with it the malicious DLL) is relaunched after every reboot.
  • Security recommendations emphasize careful sender verification, routine PC checks, and updating security products to latest versions.

MITRE Techniques

  • [T1574.002] DLL Side-Loading – The normal program registered to the RUN key is used to load a malicious DLL (slc.dll) via DLL side-loading. “The normal program registered to the RUN key is executed when the PC is restarted. Once it is executed, it loads the malicious DLL (slc.dll) created simultaneously through the DLL Side Loading (T1574.002) method.”
  • [T1059.005] Visual Basic – The attacker loads and executes a VBE file; the decoded VBE is ReVBShell. “The loaded malicious DLL creates and executes a VBE file in the %TEMP% folder. The decoded VBE is the ReVBShell.”
  • [T1547.001] Boot or Logon Autostart Execution – Persistence via a RUN key; the normal program is registered to run at startup. “The normal program registered to the RUN key is executed when the PC is restarted.”
  • [T1105] Ingress Tool Transfer – Download of additional payloads from remote URLs. “Download URL: hxxps://92.38.135[.]212/fuat/HimTraylcon.exe (April 2022); hxxp://45.133.194[.]135:8080/fuat/KCaseAgent64.exe (April 2023)”
  • [T1071.001] Web Protocols – Command and control over web protocols to a remote host. “C2: hairouni.serveblog[.]net:8080”
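The chain above (a legitimate binary copied to a user-writable directory, registered in a RUN key, and loading a malicious slc.dll from its own directory) is cheap to hunt for once you stop looking at file names alone: slc.dll and PresentationSettings.exe are legitimate Windows file names, so the tell is the location. The following is an added example and not ASEC's code or anything from the original post. It assumes RUN-key entries and a directory listing are supplied as constructed sample data (on a live host you would read the Run keys under HKCU and HKLM and list the directories yourself); the file names it keys on come from the page, the system-directory list is an assumption.

```python
"""Hunt for the RUN-key + DLL side-loading pattern described above.

Added example, not from the original post. Sample registry entries and the
directory listing below are constructed for the example.
"""
import ntpath

# Assumed locations where the legitimate copies of these binaries live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Legitimate binaries the page reports being abused as side-loading hosts.
KNOWN_HOST_EXES = {"presentationsettings.exe", "wsc_proxy.exe"}
# DLL name the page reports as the malicious side-loaded library.
SUSPICIOUS_DLLS = {"slc.dll"}


def extract_exe_path(command: str) -> str:
    """Return the executable path from a Run-key command string.

    Handles quoted paths with arguments and unquoted paths containing spaces.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    idx = command.lower().find(".exe")
    if idx != -1:
        return command[: idx + 4]
    return command.split()[0]


def is_under_system_dir(path: str) -> bool:
    """True when the path sits below one of the assumed system directories."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def assess_run_entry(value_name: str, command: str, listing: dict) -> dict:
    """Flag a Run-key entry whose host binary or neighbours look side-loaded.

    Both checks deliberately require the executable to be outside the system
    directories: the real slc.dll next to the real PresentationSettings.exe
    in System32 must not fire.
    """
    exe = extract_exe_path(command)
    directory, name = ntpath.split(exe)
    dir_l, name_l = directory.lower(), name.lower()
    files = {f.lower() for d, fs in listing.items() if d.lower() == dir_l for f in fs}
    findings = []
    if not is_under_system_dir(exe):
        if name_l in KNOWN_HOST_EXES:
            findings.append("known side-load host running outside a system directory")
        co_located = sorted(SUSPICIOUS_DLLS & files)
        if co_located:
            findings.append("suspicious DLL co-located with host: " + ", ".join(co_located))
    return {"value": value_name, "exe": exe, "findings": findings}


def hunt(entries, listing: dict) -> list:
    """Return only the Run-key entries that produced findings."""
    hits = []
    for value_name, command in entries:
        result = assess_run_entry(value_name, command, listing)
        if result["findings"]:
            hits.append(result)
    return hits


# Constructed sample data: one benign entry, one modelled on the page's chain,
# and one legitimate System32 entry that must stay quiet.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Presentation", r'"C:\Users\victim\AppData\Roaming\Microsoft\PresentationSettings.exe"'),
    ("Tray", r"C:\Windows\System32\PresentationSettings.exe /silent"),
]
SAMPLE_LISTING = {
    r"C:\Users\victim\AppData\Local\Microsoft\OneDrive": {"OneDrive.exe"},
    r"C:\Users\victim\AppData\Roaming\Microsoft": {"PresentationSettings.exe", "slc.dll"},
    r"C:\Windows\System32": {"PresentationSettings.exe", "slc.dll"},
}

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RUN_ENTRIES, SAMPLE_LISTING):
        print(f"[{hit['value']}] {hit['exe']}")
        for finding in hit["findings"]:
            print("   -", finding)
```

On a real host the same logic applies to any Run/RunOnce value: compare where the executable lives with where its legitimate copy should live, then look for DLL names that normally resolve from System32 sitting next to it.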

Indicators of Compromise

  • [Hash] – 59f7a3fe0453ca6d27ba3abe78930fdf – sample hash (MD5 format); the campaign's files are detected under two AhnLab detection names, Dropper/HTML.Generic.SC187758 and Trojan/Win.Agent.C5409945.
  • [Domain] – hairouni.serveblog[.]net:8080 – C2 domain observed in C2 communications.
  • [URL] – hxxp://45.133.194[.]135:8080/fuat/KCaseAgent64.exe – Download URL for a payload.
  • [File] – wsc_proxy.exe – Legitimate Avast executable abused as a side-loading host, observed in the November 2022/April 2023 activity.
  • [File] – slc.dll – Malicious DLL used in DLL side-loading chain.
  • [File] – PresentationSettings.exe – Normal program used to trigger DLL side-loading via RUN key.

Read more: https://asec.ahnlab.com/en/51746/