SentinelOne reported that they identified Chinese APT groups are attacking to Russian organizations in several sectors like telecommunications and government.
The attacks start with phishing emails including Office documents to exploit targets in order to deliver their RAT (Remote Access Trojan) called Bisonal. These phishing emails spoofing RU-CERT, the country’s cybersecurity incident response center.
The documents exploit CVE-2018-0798, a remote execution vulnerability in Microsoft Office, to install the embedded malware.
On June 22nd 2022, CERT-UA – Ukraine’s CERT – also publicly shared some of these documents that are created with a tool called ‘Royal Road’.
Tonto Team APT Group: The attack was associated with the Tonto Group by SentinelOne. They are a Chinese group firstly reported near 2013. We have identified that they targeted South Korean National Security entities, Japanese chemical organizations, and also Russian government again in the past.
CVE-2018-0798: This is a stack-based buffer overflow vulnerability exists within the Microsoft Equation Editor (eqnedt32.exe) in Microsoft Office. It is a high risky and exploitable vulnerability. When exploited, the attacker can remotely execute arbitrary code. We have seen this vulnerability has been exploited widely in the past.
IoCs of Related Activity:
| IOC | Description |
| f599ed4ecb6c61ef2f2692d1a083e3bb040f95e6 | 6/21/2022 Royal Road Document”Вниманию.doc” |
| cb8eb16d94fd9242baf90abd1ef1a5510edd2996 | 6/16/2022 Royal Road Document “Вниманию.doc” |
| 41ebc0b36e3e3f16b0a0565f42b0286dd367a352 | 6/15/2022 (Estimate) Royal Road Document”Анкетирование Агентства по делам государственной службы.rtf” |
| 2abf70f69a289cc99adb5351444a1bd23fd97384 | 6/20/2022 Royal Road Document”17.06.2022_Протокол_МРГ_Подгруппа_ИБ.doc” |
| supportteam.lingrevelat[.]com | C2 Domain |
| upportteam.lingrevelat[.]com | C2 Domain for cb8eb16d94fd9242baf90abd1ef1a5510edd2996 |
| 2b7975e6b1e9b72e9eb06989e5a8b1f6fd9ce027 | 6/21/2022 Royal Road Document”О_формировании_проекта_ПНС_2022_файл_отображен.doc” |
| a501fec38f4aca1a57393b6e39a52807a7f071a4 | 6/21/2022 Royal Road Document”замечания таблица 20.06.2022.doc” |
| 415ce2db3957294d73fa832ed844940735120bae | 6/23/2022 Royal Road Document”Пояснительная записка к ЗНИ.doc” |
| news.wooordhunts[.]com | C2 Domain for 415ce2db3957294d73fa832ed844940735120bae |
| 137.220.176[.]165 | IP Resolved for C2 Domains news.wooordhunts[.]com supportteam.lingrevelat[.]com upportteam.lingrevelat[.]com |
| 1c848911e6439c14ecc98f2903fc1aea63479a9f | 6/23/2022 Royal Road Document”РЭН 2022.doc” |
| 91ca78231bcacab0d5e6194041817b96252e65bf | 5/12/2022 Phishing Email File |
| f444ff2386cd3ada204c3224463f4be310e5554a | 5/12/2022 Royal Road Document”Please help to Check.doc” |
| instructor.giize[.]com | C2 Server for f444ff2386cd3ada204c3224463f4be310e5554a |