A hacker group known as Tonto Team, believed to be based in China, has launched a series of attacks on South Korean institutions in the education, construction, diplomatic, and political sectors. According to researchers at AhnLab's ASEC, the group delivered its attacks through a malicious file themed around anti-malware software.
Tonto Team has a long record of operations across Asia and Eastern Europe and has been active since at least 2009. Earlier this year the group attempted, without success, a phishing attack on the cybersecurity company Group-IB.
ASEC researchers traced the attack chain, which begins with a Microsoft Compiled HTML Help (.chm) file that plants a malicious DLL via DLL sideloading. The attackers then ran ReVBShell, an open-source VBScript reverse shell, to download a legitimate Avast Software component (wsc_proxy.exe), which was in turn abused to sideload a malicious DLL (wsc.dll), ultimately deploying the Bisonal remote access trojan.
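The chain above leaves two telemetry signals a defender can hunt for: the CHM viewer (hh.exe) spawning a script host, and wsc_proxy.exe running, or loading wsc.dll, from somewhere other than the Avast install directory. The following is an added example written for this article, not ASEC's or Avast's code; the event field names, the trusted Avast path prefixes, and the sample events are all constructed assumptions.

```python
"""Hunting heuristics for a CHM -> DLL-sideloading chain (added example).

Event records mimic process-creation and image-load telemetry; the field
names ("type", "image", "parent_image", "loaded") are assumptions, not any
particular EDR's schema. The sample events are constructed for illustration.
"""
import ntpath

# Script hosts commonly launched from a CHM lure. The CHM viewer is hh.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
                "mshta.exe", "rundll32.exe"}

# Where the legitimate Avast component would normally live (assumed paths).
TRUSTED_PREFIXES = ("c:\\program files\\avast software\\",
                    "c:\\program files (x86)\\avast software\\")


def basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes)."""
    return ntpath.basename(path).lower()


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def chm_spawns_script_host(ev):
    """hh.exe spawning a script host: the CHM file is executing code."""
    return (ev["type"] == "process"
            and basename(ev["parent_image"]) == "hh.exe"
            and basename(ev["image"]) in SCRIPT_HOSTS)


def sideload_candidate(ev):
    """wsc_proxy.exe started outside the Avast directory, or loading a wsc.dll
    that is not in the Avast directory: a signed binary pulled in by the
    attacker to sideload its own DLL."""
    if ev["type"] == "process":
        return (basename(ev["image"]) == "wsc_proxy.exe"
                and not in_trusted_dir(ev["image"]))
    if ev["type"] == "image_load":
        return (basename(ev["image"]) == "wsc_proxy.exe"
                and basename(ev["loaded"]) == "wsc.dll"
                and not in_trusted_dir(ev["loaded"]))
    return False


def hunt(events):
    """Return (rule_name, event_id) pairs for every event that matches."""
    findings = []
    for ev in events:
        if chm_spawns_script_host(ev):
            findings.append(("chm_script_host", ev["id"]))
        if sideload_candidate(ev):
            findings.append(("wsc_proxy_sideload", ev["id"]))
    return findings


# Constructed sample telemetry: a malicious chain (ids 1, 3, 4) interleaved
# with benign activity (ids 2, 5, 6).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent_image": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"id": 2, "type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\hh.exe"},
    {"id": 3, "type": "process",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\wsc_proxy.exe"},
    {"id": 4, "type": "image_load",
     "image": r"C:\Users\victim\AppData\Local\Temp\wsc_proxy.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\wsc.dll"},
    {"id": 5, "type": "process",
     "parent_image": r"C:\Program Files\Avast Software\Avast\AvastSvc.exe",
     "image": r"C:\Program Files\Avast Software\Avast\wsc_proxy.exe"},
    {"id": 6, "type": "image_load",
     "image": r"C:\Program Files\Avast Software\Avast\wsc_proxy.exe",
     "loaded": r"C:\Program Files\Avast Software\Avast\wsc.dll"},
]


if __name__ == "__main__":
    for rule, event_id in hunt(SAMPLE_EVENTS):
        print(f"{rule}: event {event_id}")
```

The path-prefix check is deliberately conservative: a legitimate Avast binary copied to a user-writable directory is itself the indicator, whatever DLL it ends up loading, so the process rule fires before any DLL is touched. In a real deployment the trusted prefixes should come from inventory of where the product is actually installed rather than the hard-coded guesses used here.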
Chinese actors are not the only ones using CHM files to distribute malware. The North Korean group ScarCruft, which also targets South Korean organizations, employs similar attack chains.