Elusive ToddyCat APT Targets Microsoft Exchange Servers – Threatpost

The threat actor targets institutions and companies in Europe and Asia.
An advanced persistent threat (APT) group, dubbed ToddyCat, is believed to be behind a series of attacks targeting Microsoft Exchange servers of high-profile government and military installations in Asia and Europe. The campaigns, according to researchers, began in December 2020, and their complexity was largely poorly understood until now.
“The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443,” wrote Giampaolo Dedola, security researcher at Kaspersky, in a report outlining the APT.
Researchers said ToddyCat is a relatively new APT and there is “little information about this actor.”
The APT leverages two passive backdoors within the Exchange Server environment, malware called Samurai and Ninja, which researchers say the adversaries use to take complete control of the victim’s hardware and network.
The Samurai malware was part of a multi-stage infection chain initiated by the infamous China Chopper web shell, and it relies on web shells to drop exploits on selected Exchange servers in Taiwan and Vietnam, beginning in December 2020, Kaspersky reports.
The researchers stated that the malware allows “arbitrary C# code execution and is used with multiple modules that allow the attacker to administrate the remote system and move laterally inside the targeted network.” In some cases, they said, the Samurai backdoor lays the path to launch another malicious program called Ninja.
Aspects of ToddyCat’s threat activities were also tracked by cybersecurity firm ESET, which dubbed the “cluster of activities” seen in the wild as Websiic. Meanwhile, researchers at GTSC identified another part of the group’s infection vectors and techniques in a report outlining the delivery of the malware’s dropper code.
“That said, as far as we know, none of the public accounts described sightings of the full infection chain or later stages of the malware deployed as part of this group’s operation,” Kaspersky wrote.
During the period between December 2020 and February 2021, the first wave of attacks was carried out against a limited number of servers in Taiwan and Vietnam.
In the next period, between February 2021 and May 2021, researchers observed a sudden surge in attacks. That’s when, they said, the threat actor began abusing the ProxyLogon vulnerability to target organizations in multiple countries including Iran, India, Malaysia, Slovakia, Russia and the United Kingdom.
After May 2021, the researchers observed activity attributed to the same group targeting the previously mentioned countries, as well as military and government organizations based in Indonesia, Uzbekistan and Kyrgyzstan. In this third wave the attack surface expanded to desktop systems, whereas previously the scope had been limited to Microsoft Exchange Servers.
The attack sequence is initiated after deployment of the China Chopper web shell, which allows the dropper to execute, install the components and create multiple registry keys.
The registry modification in the prior step forces “svchost” to load a malicious library, “iiswmi.dll”, which in turn invokes the third stage: a “.Net loader” executes and opens the Samurai backdoor.
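As an added defender-side example (not code from Kaspersky or Threatpost), the following script scans a registry export for service DLLs that svchost would load and flags the “iiswmi.dll” name from the report, or any service DLL living outside the Windows system directories. It assumes the persistence is a `ServiceDll` value under a service’s `Parameters` key, which is the standard way svchost is told which DLL to host; the article does not name the exact key, so that mapping and the sample export below are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a simplified .reg export. Service names and paths are
# made up for illustration; only the "iiswmi.dll" file name comes from the report.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="C:\\Windows\\System32\\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvcA\Parameters]
"ServiceDll"="C:\\ProgramData\\iiswmi.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="C:\\Windows\\System32\\schedsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvcB\Parameters]
"ServiceDll"="C:\\Users\\Public\\update.dll"
"""

# Matches the Parameters key of a service and captures the service name.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\\Parameters\]$",
    re.IGNORECASE)
VAL_RE = re.compile(r'^"ServiceDll"="(.*)"$', re.IGNORECASE)

# Directories where legitimate svchost-hosted service DLLs normally live.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLL name called out in the ToddyCat report.
KNOWN_BAD_NAMES = {"iiswmi.dll"}

def parse_service_dlls(reg_text):
    """Yield (service_name, dll_path) for every ServiceDll value in the export."""
    service = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            service = key.group(1)
            continue
        val = VAL_RE.match(line)
        if val and service:
            # .reg exports escape backslashes; undo that for path handling.
            yield service, val.group(1).replace("\\\\", "\\")

def find_suspicious(reg_text):
    """Return (service, path, reason) for service DLLs worth an analyst's attention."""
    findings = []
    for service, path in parse_service_dlls(reg_text):
        p = PureWindowsPath(path)
        if p.name.lower() in KNOWN_BAD_NAMES:
            findings.append((service, path, "known name from report"))
        elif not str(p.parent).lower().startswith(TRUSTED_DIRS):
            findings.append((service, path, "ServiceDll outside system directories"))
    return findings
```

On a live host the same logic can be fed the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` after converting it to UTF-8; real exports may store `ServiceDll` as `hex(2)` (REG_EXPAND_SZ), which this simplified parser does not decode.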
According to the researchers, the Samurai backdoor is hard to analyze during reverse engineering because it uses “switch cases to jump between instructions, thus flattening the control flow” alongside other obfuscation techniques.
In specific incidents, the advanced Ninja tool was deployed through Samurai to let multiple operators coordinate and work simultaneously on the same machine. The researchers explained that Ninja provides a large set of commands allowing an attacker to “control remote systems, avoid detection and penetrate deep inside a targeted network”.
Ninja shares similarities with other post-exploitation toolkits such as Cobalt Strike in terms of capabilities and features. It can “control the HTTP indicators and camouflage malicious traffic in HTTP requests that appear legitimate by modifying HTTP header and URL paths,” the researcher noted.
According to the report, other China-based hackers targeted the same victims as the ToddyCat APT within the same time frame. In those instances, researchers observed the Chinese-language hackers using an Exchange backdoor called FunnyDream.
“This overlap caught our attention, since the ToddyCat malware cluster is rarely seen as per our telemetry; and we observed the same targets compromised by both APTs in three different countries. Moreover, in all the cases there was a proximity in the staging locations and in one case they used the same directory,” researchers wrote.
Despite the “occasional proximity in staging locations”, the security researchers say they have no concrete proof linking the two malware families.
“Despite the overlap, we do not feel confident merging ToddyCat with the FunnyDream cluster at the moment,” Kaspersky wrote. “Considering the high-profile nature of all the victims we discovered, it is likely they were of interest to several APT groups,” the report added.
“The affected organizations, both governmental and military, show that this group is focused on very high-profile targets and is probably used to achieve critical goals, likely related to geopolitical interests,” Kaspersky wrote.