New ToddyCat Hacker Group On Expert Radar After Targeting MS Exchange Servers

An advanced persistent threat (APT) actor named ToddyCat is linked to a series of attacks targeting high-profile entities in Europe and Asia since at least December 2020.

The relatively new adversarial collective reportedly began its operations by targeting Microsoft Exchange servers in Taiwan and Vietnam, using an unknown exploit to deploy the China Chopper web shell and trigger a multi-stage infection chain.

Other countries targeted include Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, the UK and Uzbekistan, with the threat actor evolving its toolset across the different campaigns.



“The first wave of attacks exclusively targeted Microsoft Exchange servers, which were compromised with Samurai, a sophisticated passive backdoor that typically operates on ports 80 and 443,” Russian cybersecurity firm Kaspersky said in a report released today.

“The malware allows arbitrary execution of C# code and is used with several modules that allow the attacker to administer the remote system and move laterally inside the targeted network.”

ToddyCat, also tracked as Websiic by Slovak cybersecurity firm ESET, was first exposed in March 2021 for exploiting ProxyLogon Exchange flaws to target mail servers belonging to private companies in Asia and a government agency in Europe.

Once the China Chopper web shell is deployed, the attack sequence executes a dropper, which modifies the Windows registry to launch a second-stage loader; that loader in turn loads a third-stage .NET loader responsible for running Samurai.
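Because Samurai is described as a passive backdoor riding the web server's existing ports 80 and 443, and the chain above starts with a web shell on the Exchange front end, there is no new listening port to look for; the practical place to hunt is the IIS request log. The script below is an added example written for this page, not code from Kaspersky's report or from the ToddyCat toolset. It makes two labelled assumptions: the default IIS W3C field order, and an allowlist of paths that legitimately receive POST requests on an Exchange server. It parses constructed log lines (not real data) and flags POST requests returning 200 to paths outside that allowlist, to directories that should only serve static files, or to static file extensions, grouped by client and path.

```python
"""Hunt IIS/Exchange logs for web-shell-style POST activity.

Added example for this page, not from the Kaspersky report. The field
order and the allowlist below are assumptions; check the #Fields header
of your own logs and your own Exchange virtual directories.
"""
from collections import Counter

# Constructed sample log lines (not real data), in the default IIS W3C layout.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-02 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-02 10:00:03 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 302
2021-03-02 10:00:09 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-02 10:00:10 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-02 10:00:11 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-02 10:00:12 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-02 10:01:00 10.0.0.5 GET /ews/exchange.asmx - 443 - 198.51.100.8 Outlook 200
"""

# Assumed allowlist: paths that legitimately receive POSTs on an Exchange front end.
KNOWN_POST_ENDPOINTS = {
    "/owa/auth/logon.aspx",
    "/ews/exchange.asmx",
    "/autodiscover/autodiscover.xml",
    "/mapi/emsmdb",
    "/mapi/nspi",
    "/microsoft-server-activesync",
    "/rpc/rpcproxy.dll",
}
# Directories that should only ever serve static content; a POST there is a strong signal.
STATIC_DIRS = ("/aspnet_client/", "/owa/auth/current/")
# Server-side script extensions a dropped web shell would typically use.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx")
# Static file extensions that should never accept a POST that succeeds.
STATIC_EXT = (".js", ".css", ".png", ".gif", ".jpg", ".ico")


def parse_iis_log(text):
    """Parse W3C-format IIS log text into a list of dicts keyed by field name."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the declared header
        rows.append(dict(zip(fields, values)))
    return rows


def is_suspicious_post(row):
    """A successful POST that no legitimate Exchange endpoint should have answered."""
    if row["cs-method"] != "POST" or row["sc-status"] != "200":
        return False
    path = row["cs-uri-stem"].lower()
    if path in KNOWN_POST_ENDPOINTS:
        return False
    if path.startswith(STATIC_DIRS):
        return True
    return path.endswith(SCRIPT_EXT) or path.endswith(STATIC_EXT)


def hunt(text):
    """Return suspicious (client, path) pairs, most frequent first."""
    hits = Counter()
    for row in parse_iis_log(text):
        if is_suspicious_post(row):
            hits[(row["c-ip"], row["cs-uri-stem"])] += 1
    return [{"client": c, "path": p, "posts": n} for (c, p), n in hits.most_common()]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['client']:>15}  {hit['posts']:>3}  {hit['path']}")
```

The allowlist is deliberately short so that an unfamiliar POST target surfaces for review rather than being silently accepted; tune it against a known-good log from your own environment before relying on it, and pair the log review with a file-system check for recently created script files under the same directories.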

The backdoor uses techniques such as control flow obfuscation and flattening to resist reverse engineering, and is modular, with components that execute arbitrary commands and exfiltrate files of interest from the compromised host.

A second advanced tool named Ninja, spawned by the Samurai implant and likely used as a collaborative tool that lets multiple operators work simultaneously on the same machine, has also been observed in specific incidents.

Much like other post-exploitation toolkits such as Cobalt Strike, the malware allows the attacker to “control remote systems, evade detection, and penetrate a targeted network.”

Although ToddyCat's victims are in countries and sectors traditionally targeted by Chinese-speaking groups, there is no evidence tying its modus operandi to any known threat actor.

“ToddyCat is a sophisticated APT group that uses several techniques to avoid detection and thus keeps a low profile,” said Giampaolo Dedola, security researcher at Kaspersky.

“Relevant organizations, both government and military, demonstrate that this group focuses on high-profile targets and is likely used to achieve critical objectives, likely related to geopolitical interests.”
