CyberSecurity SEE

ToddyCat APT Hackers Exploit Vulnerable Exchange Servers


ToddyCat, an advanced persistent threat (APT) actor known for its targeted attacks in Europe and Asia, has recently upgraded its tools and methods, indicating a shift in its modus operandi. According to cybersecurity researchers at SecureList by Kaspersky, ToddyCat is actively exploiting vulnerable Microsoft Exchange servers.

The researchers have identified several key developments in ToddyCat’s operations. First, the group has acquired a new toolset that includes standard loaders, a tailored loader, Ninja, LoFiSe, DropBox uploader, Pcexter, Passive UDP backdoor, and CobaltStrike. These tools enable the threat actors to infiltrate networks and conduct their espionage activities.

Once inside the target network, ToddyCat deploys loaders and Trojans to collect data about connected hosts. They also engage in discovery activities, such as enumerating domain accounts and servers using standard OS utilities like net and ping. Attackers frequently change their credentials and use scheduled tasks that run briefly and are then removed, along with network shares, for each targeted host. These tasks may include discovery commands or scripts for data collection. To access the output from these tasks, the attacker mounts a remote drive as a local share during lateral movement.

To avoid detection, ToddyCat duplicates PowerShell commands from PS1 scripts in BAT scripts. The group also employs common task names like ‘one’ and ‘tpcd’ for a session, while script names are random strings of keyboard characters. At the end of their activity, the threat actors mount and delete a temporary share on the exfiltration host, so that as few traces of their actions as possible remain.
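The short-lived scheduled tasks and the task-naming habits described above are detectable from Windows Security event logs. The following Python script is an added example, not code from the original article or from the researchers: it pairs task-created (4698) and task-deleted (4699) events per host, flags tasks removed within a few minutes, and flags task names that match the reported names or look like keyboard walks. The event records are constructed samples; the field names, the 300-second threshold and the keyboard-walk heuristic are assumptions.

```python
from datetime import datetime
import re

# Constructed sample events modelled on Windows Security log fields.
# 4698 = scheduled task created, 4699 = scheduled task deleted.
SAMPLE_EVENTS = [
    {"time": "2023-10-12T09:00:00", "id": 4698, "host": "FS01", "task": "\\one"},
    {"time": "2023-10-12T09:01:30", "id": 4699, "host": "FS01", "task": "\\one"},
    {"time": "2023-10-12T09:05:00", "id": 4698, "host": "FS02", "task": "\\Microsoft\\Windows\\Backup\\Nightly"},
    {"time": "2023-10-12T09:07:00", "id": 4698, "host": "FS03", "task": "\\tpcd"},
    {"time": "2023-10-12T09:08:10", "id": 4699, "host": "FS03", "task": "\\tpcd"},
    {"time": "2023-10-12T10:00:00", "id": 4698, "host": "FS04", "task": "\\qwerasdf"},
]

SUSPECT_NAMES = {"one", "tpcd"}          # task names reported for ToddyCat
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def looks_keyboard_random(task):
    """Heuristic (assumption): short alphanumeric name with at least two
    3-character runs that sit next to each other on a keyboard row."""
    name = task.rsplit("\\", 1)[-1].lower()
    if not re.fullmatch(r"[a-z0-9]{4,12}", name):
        return False
    runs = sum(1 for i in range(len(name) - 2)
               if any(name[i:i + 3] in row for row in KEYBOARD_ROWS))
    return runs >= 2

def pair_task_lifetimes(events):
    """Match each 4698 with the next 4699 for the same host and task;
    returns (host, task, lifetime_in_seconds) tuples."""
    created, lifetimes = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["task"])
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4698:
            created[key] = t
        elif ev["id"] == 4699 and key in created:
            lifetimes.append((ev["host"], ev["task"], (t - created.pop(key)).total_seconds()))
    return lifetimes

def flag_suspicious(events, max_seconds=300):
    """Return (host, task, reason) findings for short-lived or oddly named tasks."""
    findings = [(h, task, f"deleted after {s:.0f}s")
                for h, task, s in pair_task_lifetimes(events) if s <= max_seconds]
    for ev in events:
        if ev["id"] != 4698:
            continue
        base = ev["task"].rsplit("\\", 1)[-1].lower()
        if base in SUSPECT_NAMES:
            findings.append((ev["host"], ev["task"], "known ToddyCat task name"))
        elif looks_keyboard_random(ev["task"]):
            findings.append((ev["host"], ev["task"], "keyboard-walk task name"))
    return findings

if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_EVENTS):
        print(finding)
```

On real data, feed the script exported 4698/4699 events and review flagged hosts together with share-creation and share-deletion events from the same time window.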

In terms of data collection, ToddyCat utilizes the LoFiSe tool, which is designed for file collection. Additionally, the group uses other scripts to enumerate and collect recently modified documents with specific extensions. Unlike some other threat actors, ToddyCat does not use compressed archives for data collection. Instead, files are copied to specific folders and manually transferred to the exfiltration host via xcopy. They are then compressed with 7z before being exfiltrated via public storage.

The researchers have also identified a number of indicators of compromise (IOCs) associated with ToddyCat’s operations. These include various loaders, passive UDP backdoors, a Dropbox exfiltrator, LoFiSe, Pcexter, and a dropper. By monitoring for these IOCs, organizations can detect and prevent attacks from the ToddyCat APT group.

Given ToddyCat’s ongoing exploitation of vulnerable Microsoft Exchange servers, it is crucial for organizations to prioritize security measures to defend against such attacks. Implementing AI-powered email security solutions, such as Trustifi, can help protect businesses from today’s most dangerous email threats, including those exploited by ToddyCat. Additionally, organizations should ensure they have up-to-date patch management systems in place to quickly address any vulnerabilities.

By staying vigilant and proactive in their cybersecurity practices, businesses can mitigate the risks posed by advanced persistent threat groups like ToddyCat. It is essential to continually assess and enhance security measures in order to stay one step ahead of these evolving threats.
