Cyber Attack

ToddyCat Hacker Group Uses Advanced Tools for Industrial-Scale Data Theft

By root

Posted on April 22, 2024

The threat actor known as ToddyCat has been observed using a wide range of tools to retain access to compromised environments and steal valuable data.

Russian cybersecurity firm Kaspersky characterized the adversary as relying on various programs to harvest data on an “industrial scale” from primarily governmental organizations, some of them defense related, located in the Asia-Pacific region.

“To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack,” security researchers Andrey Gunkin, Alexander Fedotov, and Natalya Shornikova said.

ToddyCat was first documented by the company in June 2022 in connection with a series of cyber attacks aimed at government and military entities in Europe and Asia since at least December 2020. These intrusions leveraged a passive backdoor dubbed Samurai that allows for remote access to the compromised host.

A closer examination of the threat actor’s tradecraft has since uncovered additional data exfiltration tools like LoFiSe and Pcexter to gather data and upload archive files to Microsoft OneDrive.

The latest set of programs entail a mix of tunneling data gathering software, which are put to use after the attacker has already obtained access to privileged user accounts in the infected system. This includes –

Reverse SSH tunnel using OpenSSH

SoftEther VPN, which is renamed to seemingly innocuous files like “boot.exe,” “mstime.exe,” “netscan.exe,” and “kaspersky.exe”

Ngrok and Krong to encrypt and redirect command-and-control (C2) traffic to a certain port on the target system

FRP client, an open-source Golang-based fast reverse proxy

Cuthead, a .NET compiled executable to search for documents matching a specific extension or a filename, or the date when they are modified

WAExp, a .NET program to capture data associated with the WhatsApp web app and save it as an archive, and

TomBerBil to extract cookies and credentials from web browsers like Google Chrome and Microsoft Edge

Maintaining multiple simultaneous connections from the infected endpoints to actor-controlled infrastructure using different tools is seen as a fallback mechanism and a way to retain access in cases where one of the tunnels is discovered and taken down.

“The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system,” Kaspersky said.

“To protect the organization’s infrastructure, we recommend adding to the firewall denylist the resources and IP addresses of cloud services that provide traffic tunneling. In addition, users must be required to avoid storing passwords in their browsers, as it helps attackers to access sensitive information.”

Related Items:Cloud security, Cyber Defense, Cyber-Attack, cybersecurity, data harvesting

MrHacker

Latest News

Millions of Malicious ‘Imageless’ Containers Planted on Docker Hub Over 5 Years

New U.K. Law Bans Default Passwords on Smart Devices Starting April 2024

Google Prevented 2.28 Million Malicious Apps from Reaching Play Store in 2023

Sandbox Escape Vulnerabilities in Judge0 Expose Systems to Complete Takeover

Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks

Links

Pin It on Pinterest