10 Years Old Trojan is Still Used by Tonto Team

Delaware, USA – March 6, 2020 – The Chinese threat actor continues to update and use the Bisonal Remote Access Trojan, which first appeared on researchers’ radars more than 10 years ago. Cisco Talos researchers uncovered a new version of this trojan in recent cyber espionage campaigns by Tonto Team targeting Japanese, South Korean and Russian organizations. “Bisonal used multiple lure documents to entice their victims to open and then be infected with Bisonal malware,” researchers said. “This group has continued its operations for over a decade and they continue to evolve their malware to avoid detection. Bisonal primarily used spear phishing to obtain a foothold within their victims’ networks. Their campaigns had very specific targets which would suggest their end game was more around operational intelligence gathering and espionage.”
Unlike most groups that regularly update their arsenal with new malware, Tonto Team does not abandon this familiar tool but keeps improving it to lower its detection ratio and raise the success rate of the initial infection vector. “However, specific functions are still used today, many years after the original implementation of the Bisonal malware. Even if Bisonal could be considered as simple with less than 30 functions, it has spent its life targeting sensitive entities in both the public and private sectors.” Researchers believe that the attackers will continue to use this trojan in future campaigns, adding new features and operating-system compatibility. You can learn more about this trojan in the MITRE ATT&CK section on Threat Detection Marketplace: https://tdm.socprime.com/att-ck/
Also, you can use the APT Framework, a specialized analytical bundle for SIEM that constantly monitors the company’s infrastructure and detects APT activity by tracking the frequency and distribution of events across the Lockheed Martin Cyber Kill Chain: https://my.socprime.com/en/integrations/apt-framework