Kaspersky Exposes ToddyCat's Advanced Cyber-Espionage Tools and Expanding Attacks

Kaspersky Lab, a leading cybersecurity firm, has released a series of reports detailing the evolving tactics and expanding the reach of the Advanced Persistent Threat (APT) group known as ToddyCat.

First detected in December 2020, ToddyCat has rapidly escalated its attacks, targeting government and diplomatic entities across Europe and Asia. The group's latest campaigns, as analyzed by Kaspersky researchers, reveal a sophisticated and stealthy approach to compromising networks and exfiltrating sensitive data.

Exploiting Microsoft Exchange Server Vulnerabilities:

ToddyCat's initial attacks, observed in February-March 2021, involved the exploitation of the ProxyLogon vulnerability on Microsoft Exchange Servers. This allowed the group to compromise multiple organizations across Europe and Asia, establishing a foothold for further infiltration.

By September 2021, ToddyCat shifted its focus to desktop machines related to government and diplomatic entities in the Asia-Pacific region, indicating a strategic targeting of high-value assets.

Stealthy Network Infiltration and Data Exfiltration:

ToddyCat's latest attacks, as detailed in Kaspersky's most recent blog post, highlight the group's ability to create and maintain persistent access to compromised infrastructure. By utilizing tools like reverse SSH tunnels, SoftEther VPN, and legitimate cloud providers such as Ngrok, ToddyCat ensures multiple access points, making it challenging to completely eliminate their presence.

The group has also developed tools to automate data harvesting, enabling the collection of large volumes of sensitive information from numerous hosts.

Kaspersky researchers have identified data collection tools like "cuthead," which searches for specific file types and packages them into password-protected archives, and "WAExp," which targets WhatsApp data from web browser local storage.

ToddyCat's "TomBerBil" tool further demonstrates their ability to steal passwords and cookies stored in Chrome and Edge browsers. By impersonating legitimate users and exploiting the Data Protection Application Programming Interface (DPAPI), the attackers can decrypt master encryption keys and gain access to a wide range of online services.

Samurai Backdoor and Ninja Trojan: Advanced Cyber-Espionage Tools:

Kaspersky's analysis of ToddyCat's malware arsenal has uncovered two highly sophisticated tools: Samurai Backdoor and Ninja Trojan. 

Samurai, a modular backdoor and the attack's final stage component enables the attacker to control the compromised system and move laterally within the network. The malware employs complex control flow and case statements, making it difficult to track the order of actions in the code.

Ninja Trojan, launched by Samurai, is a collaborative tool that allows multiple operators to work simultaneously on the same machine. It provides a wide range of commands for remote system control while evading detection. 

Ninja Trojan deeply infiltrates the compromised network, managing file systems, initiating reverse shells, and forwarding TCP packets. The malware can even take control of the network during specific timeframes, which can be dynamically configured using specific commands.

The evolution of ToddyCat's tactics and the expansion of their attacks on organizations in the Asia-Pacific region underscore the growing threat posed by sophisticated APT groups. As Giampaolo Dedola, a security expert at Kaspersky, emphasizes, ToddyCat's advanced malware capabilities, exemplified by the stealthy Ninja Trojan, make them particularly challenging to detect and stop.

Organizations must adopt multi-layered defences to combat threats like ToddyCat, maintain visibility into internal assets, and stay informed about the latest threat intelligence. Collaboration between cybersecurity experts and targeted entities is crucial in mitigating the impact of these persistent and evolving threats.