ToddyCat APT actor targets high-profile entities
An ongoing campaign by an advanced persistent threat (APT) group called ToddyCat, has been discovered by Kaspersky researchers.
The campaign aims to compromise multiple Microsoft Exchange servers using two malicious programs, namely Samurai backdoor and Ninja Trojan – two sophisticated cyber-espionage tools designed to penetrate deeply in targeted networks, whilst persistently maintaining stealth.
The campaign is mostly targeting government and military sectors in Europe and Asia.
ToddyCat is a relatively new, sophisticated APT group, first detected by Kaspersky researchers in December 2020 when it carried out a number of attacks on targets’ Microsoft Exchange servers.
Between February and March last year, the company noted a quick escalation as the group began to abuse the ProxyLogon vulnerability on Microsoft Exchange Servers to compromise multiple organisations. Starting from September, the group shifted its focus to desktop machines belonging to government and diplomatic organisations in Asia.
However, ToddyCat is constantly updating its arsenal and continues to carry out attacks this year.
Complex, collaborative tools
Although the initial vector of infection for its latest activities is unclear, researchers have conducted a thorough analysis of the malware employed in the campaigns.
Samurai, a modular backdoor, is the final stage component of the attack that enables the bad actor to administrate the remote system and move laterally within the compromised network.
This malware stands out because it uses multiple control flow and case statements to jump between instructions, making it hard to track the order of actions in the code.
Moreover, it is used to launch another new malware dubbed Ninja Trojan, a complex collaborative tool that allows multiple operators to work on the same machine simultaneously, the company explains.
In addition, Ninja Trojan provides a large set of commands, which enables the threat actors to control remote systems while avoiding detection.
It is usually loaded into the memory of a device and is launched by various loaders. It then starts the operation by retrieving configuration parameters from the encrypted payload, and deeply infiltrates the compromised network.
The malware has the ability to manage file systems, start reverse shells, forward TCP packets and even take control of the network in specific timeframes, which can be dynamically configured using a specific command.
The malware bears some resemblance to other well-known post-exploitation frameworks, such as CobaltStrike, with Ninja’s features allowing it to limit the number of direct connections from the targeted network to the remote command and control systems without Internet access.
It can control HTTP indicators and camouflage the malicious traffic in HTTP requests making them appear legitimate by modifying HTTP header and URL paths, making it particularly stealthy.
Flying under the radar
Giampaolo Dedola, a security expert at Kaspersky, describes ToddyCat as a sophisticated threat actor with elevated technical skills, which is able to fly under-the-radar and infiltrate top-level organisations.
“Despite the number of loaders and attacks discovered during the last year, we still don’t have complete visibility of their operations and tactics. Another noteworthy characteristic of ToddyCat is its focus on advanced malware capabilities – Ninja Trojan got its name for a reason – it is hard to detect and, therefore, hard to stop,” he adds.
The best way to fight this type of threat is to use multi-layer defences, which provide information on internal assets and stay up-to-date with the latest threat intelligence, Dedola ends.