ToddyCat Hacking Group

12436121296?profile=RESIZE_400xThe threat actor known as ToddyCat has been observed using a wide range of tools to retain access to compromised environments and steal valuable data.   Cybersecurity investigators characterized the adversary as relying on various programs to harvest data on an "industrial scale" from primarily governmental organizations, some of them defense related, located in the Asia-Pacific region.  To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack.[1]

ToddyCat was first documented by researchers in June 2022 in connection with a series of cyber attacks aimed at government and military entities in Europe and Asia since at least December 2020.  These intrusions leveraged a passive backdoor dubbed Samurai that allows for remote access to the compromised host.

See:  https://redskyalliance.org/xindustry/toddycat-has-malicious-tools

A closer examination of the threat actor's tradecraft has since uncovered additional data exfiltration tools like LoFiSe and Pcexter to gather data and upload archive files to Microsoft OneDrive.

The latest set of programs entail a mix of tunneling data gathering software, which are put to use after the attacker has already obtained access to privileged user accounts in the infected system.  This includes:

  • Reverse SSH tunnel using OpenSSH
  • SoftEther VPN, which is renamed to seemingly innocuous files like "boot.exe," "mstime.exe," "netscan.exe," and "kaspersky.exe"
  • Ngrok and Krong to encrypt and redirect command-and-control (C2) traffic to a certain port on the target system
  • FRP client, an open-source Golang-based fast reverse proxy
  • Cuthead, a .NET compiled executable to search for documents matching a specific extension or a filename, or the date when they are modified
  • WAExp, a .NET program to capture data associated with the WhatsApp web app and save it as an archive, and
  • TomBerBil to extract cookies and credentials from web browsers like Google Chrome and Microsoft Edge

Maintaining multiple simultaneous connections from the infected endpoints to actor-controlled infrastructure using different tools is seen as a fallback mechanism and a way to retain access in cases where one of the tunnels is discovered and taken down.   The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system.  To protect the organization's infrastructure, investigators recommend adding to the firewall denylist the resources and IP addresses of cloud services that provide traffic tunneling.  In addition, users must be required to avoid storing passwords in their browsers, as it helps attackers to access sensitive information.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.     For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://thehackernews.com/2024/04/russian-hacker-group-toddycat-uses.html

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!