Chinese cyber spies attack Russia with a ten-year-old Trojan

Tomcat



Chinese cybercriminals continue to improve the Remote Access Trojan (RAT), which appeared ten years ago. According to Cisco Talos experts, the Bisonal Trojan is still used in attacks on Russia, Japan and South Korea.

Such dedication to old tools is rare among cybercriminals, the researchers said. As a rule, hackers regularly replenish their arsenal with new software and do not improve the old one (Bisonal was compiled on December 24, 2010).

According to a report provided by Cisco Talos to ZDNet prior to publication, the Bisonal Trojan is being used by the Tonto Team APT, allegedly linked to the Chinese military. According to researchers from FireEye, the Tonto Team is affiliated with the Shenyang Military District's Bureau of Technical Intelligence and participated in attacks on South Korea's THAAD missile defense system in 2017.

In addition to South Korea, the main targets of the APT group were also Russia and Japan. Cisco Talos found that Bisonal was used in recent campaigns against these countries, with a primary focus on Russian-speaking users.

"The campaigns had very specific goals, judging by which it is reasonable to assume that their end game was more about intelligence gathering and espionage," Cisco Talos said.

At the first stage of the attack, the victim receives a phishing email with a malicious document. The 2009 attacks used documents on research, military technology, the South Korean government, and Russian companies. Now the researchers have found Russian-language RTF documents, and the same documents in Korean, that deliver the winhelp.wll file, the dropper of the Bisonal Trojan, onto the attacked system. The documents in Russian are devoted to research, and those in Korean to the government.