Article Details

Scrape Timestamp (UTC): 2023-10-13 11:56:07.104

Source: https://thehackernews.com/2023/10/researchers-unveil-toddycats-new-set-of.html

Original Article Text


Researchers Unveil ToddyCat's New Set of Tools for Data Exfiltration

The advanced persistent threat (APT) actor known as ToddyCat has been linked to a new set of malicious tools designed for data exfiltration, offering deeper insight into the hacking crew's tactics and capabilities.

The findings come from Kaspersky, which first shed light on the adversary last year, linking it to attacks against high-profile entities in Europe and Asia for nearly three years.

While the group's arsenal prominently features the Ninja Trojan and a backdoor called Samurai, further investigation has uncovered a whole new set of malicious software developed and maintained by the actor to achieve persistence, conduct file operations, and load additional payloads at runtime.

This comprises a collection of loaders capable of launching the Ninja Trojan as a second stage, a tool called LoFiSe to find and collect files of interest, a DropBox uploader to save stolen data to Dropbox, and Pcexter to exfiltrate archive files to Microsoft OneDrive.

ToddyCat has also been observed using custom scripts for data collection, a passive backdoor that receives commands via UDP packets, Cobalt Strike for post-exploitation, and compromised domain admin credentials to facilitate lateral movement in pursuit of its espionage activities.

"We observed script variants designed solely to collect data and copy files to specific folders, but without including them in compressed archives," Kaspersky said. "In these cases, the actor executed the script on the remote host using the standard remote task execution technique. The collected files were then manually transferred to the exfiltration host using the xcopy utility and finally compressed using the 7z binary."
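The xcopy-then-7z staging sequence quoted above is a useful hunting pattern in process-creation telemetry. The following is an added detection sketch, not code from Kaspersky's report or the article: the events, hostnames, paths and the 30-minute correlation window are all constructed assumptions, and the command-line tokeniser is deliberately naive (it does not handle quoted paths containing spaces).

```python
from datetime import datetime, timedelta

# Constructed process-creation events: (host, ISO time, image path, command line).
# Not real telemetry; FS01 shows the staging chain, WS22 is benign build activity.
EVENTS = [
    ("FS01", "2023-10-13T09:00:12", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /s FS01 /tn Sync /tr "cmd /c collect.bat"'),
    ("FS01", "2023-10-13T09:01:30", r"C:\Windows\System32\xcopy.exe",
     r'xcopy "D:\Shares\Finance\*.docx" "C:\Users\Public\stage\" /s /y'),
    ("FS01", "2023-10-13T09:04:05", r"C:\Tools\7z.exe",
     r"7z a -p C:\Users\Public\stage\out.7z C:\Users\Public\stage\\"),
    ("WS22", "2023-10-13T10:15:00", r"C:\Windows\System32\xcopy.exe",
     r"xcopy C:\build\bin C:\deploy\ /s"),
    ("WS22", "2023-10-13T17:45:00", r"C:\Program Files\7-Zip\7z.exe",
     r"7z a C:\deploy\release.7z C:\deploy\\"),
]
WINDOW = timedelta(minutes=30)  # assumed correlation window

def _args(cmdline):
    # Naive tokeniser: split on whitespace, strip surrounding quotes, keep backslashes.
    return [t.strip('"') for t in cmdline.split()]

def xcopy_destination(cmdline):
    """Return the normalised xcopy destination directory, or None if not parseable."""
    operands = [t for t in _args(cmdline)[1:] if not t.startswith("/")]
    return operands[1].rstrip("\\").lower() if len(operands) >= 2 else None

def sevenzip_sources(cmdline):
    """Return the normalised source paths of a '7z a' (add) command, else []."""
    toks = _args(cmdline)
    if len(toks) < 3 or toks[1].lower() != "a":
        return []
    operands = [t for t in toks[2:] if not t.startswith("-")]  # drop -p, -mx9, ...
    return [t.rstrip("\\").lower() for t in operands[1:]]      # operands[0] is the archive

def find_staging_chains(events, window=WINDOW):
    """Flag 7z archiving of a directory that xcopy populated on the same host within the window."""
    hits, staged = [], {}  # staged: host -> [(time, destination dir)]
    for host, ts, image, cmd in sorted(events, key=lambda e: e[1]):
        t, exe = datetime.fromisoformat(ts), image.rsplit("\\", 1)[-1].lower()
        if exe == "xcopy.exe":
            dest = xcopy_destination(cmd)
            if dest:
                staged.setdefault(host, []).append((t, dest))
        elif exe in ("7z.exe", "7za.exe"):
            for src in sevenzip_sources(cmd):
                for t0, dest in staged.get(host, []):
                    if src.startswith(dest) and timedelta(0) <= t - t0 <= window:
                        hits.append({"host": host, "staging_dir": dest, "archive_cmd": cmd})
    return hits
```

Run over the constructed events, only FS01 is flagged: WS22 has the same two binaries but hours apart, so the window suppresses it. In production the same logic would sit on Sysmon Event ID 1 or EDR process data, keyed additionally on the account that launched the remote task.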
The disclosure comes as Check Point revealed that government and telecom entities in Asia have been targeted as part of an ongoing campaign since 2021 using a wide variety of "disposable" malware to evade detection and deliver next-stage malware. The activity, per the cybersecurity firm, relies on infrastructure that overlaps with that used by ToddyCat.

Daily Brief Summary

NATION STATE ACTIVITY // ToddyCat APT Upskills with New Malicious Tools for Data Exfiltration

Researchers from Kaspersky have connected the advanced persistent threat (APT) group, ToddyCat, to a suite of new tools intended for data exfiltration, expanding understanding of their capability and techniques.

A follow-up investigation into the group, which was identified last year as being behind attacks against high-profile targets in Europe and Asia over a three-year period, uncovered a set of malicious software designed for persistence, file operations, and loading extra payloads at runtime.

Kaspersky identified a series of loaders capable of initiating the Ninja Trojan as a second stage, a tool called LoFiSe for locating and gathering files of interest, an uploader for storing stolen data to Dropbox, and Pcexter for transferring archive files to Microsoft OneDrive.

ToddyCat also reportedly employs custom scripts for data collection, a passive backdoor that takes commands via UDP packets, Cobalt Strike for post-exploitation phases, and breached domain admin credentials to enable lateral movement to further its spying activities.

Check Point, in a related disclosure, revealed that select government and telecom entities in Asia have been targeted by an ongoing campaign since 2021, using a broad range of "disposable" malware to avoid detection and deliver subsequent-stage malware. This activity is said to use infrastructure that overlaps with ToddyCat's.