Using a new type of malware, ToddyCat collects data and exfiltrates it into public and legitimate file hosting services.
The advanced APT group ToddyCat first gained attention in December 2020 with serious attacks on companies in Asia and Europe. The main tools included the Ninja Trojan, the Backdoor Samurai and loaders that load malicious payloads onto the affected system. Since then, Kaspersky has been monitoring the APT group using special signatures. One of the signatures was identified on a system; During further research, new ToddyCat tools were discovered.
ToddyCat uses new loader variant
Last year, Kaspersky experts discovered a new generation of loaders developed by ToddyCat. The group persistently tries to refine their attack techniques. The loaders play a crucial role during the infection of the affected system by enabling the deployment of the Ninja Trojan. Contrary to usual procedures, ToddyCat occasionally replaces the standard loader with a variant specifically tailored to the targeted systems. This custom-built loader has a similar functionality, but differs with its unique encryption scheme that takes into account system-specific properties such as drive model and GUID (Global Unique Identifier).
In order to establish itself on affected systems in the long term, ToddyCat relies, among other things, on the creation of a registry key and a suitable service. This causes the malicious code to load at system startup.
Wide range of applied techniques
The investigation also uncovered additional tools and components from the ToddyCat group:
- Ninja, a versatile agent that has features such as process management, file system control, reverse shell sessions, code injection and network traffic forwarding.
- LoFiSe to find specific files
- DropBox Uploader to upload files to Dropbox
- Pcexter to inject archive files into OneDrive
- A passive UDP backdoor for persistence
- The CobaltStrike loader communicates with a specific URL, often before deploying the Ninja Trojan.
ToddyCat's goal is cyber espionage - to achieve this, the group uses a range of tactics, from discovery activities to domain enumeration and lateral movements.
ToddyCat adapts
“ToddyCat doesn’t just break into systems; the group establishes long-term operations to accumulate valuable information over a longer period of time,” explains Giampaolo Dedola, lead security researcher in the global research and analysis team (GReAT) at Kaspersky. “At the same time, the group is adapting to changing conditions in order to remain undetected. Their advanced tactics and adaptability clearly show that this is not just a heist. Organizations must recognize that the threat landscape has evolved and it is no longer just about defense, but about continued vigilance and flexibility. To protect themselves, they need to invest in best-in-class security solutions and have access to the latest threat intelligence.”
More at Kaspersky.de
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/
Matching articles on the topic