October 11, 2023 at 05:23PM
The Chinese APT group “ToddyCat” is using simple but constantly evolving custom backdoors and loaders against telecommunications organizations in Central and Southeast Asia. The group, previously linked to Chinese espionage operations, delivers them through spear-phishing emails carrying archive files that rely on DLL sideloading: a legitimate executable in the archive loads a malicious DLL placed in its own directory. While the malware is basic, it is hard to detect and easy to tailor to specific targets. Defending against the group requires a layered approach, including proper email protection and endpoint detection and response.
Key takeaways:
1. ToddyCat is a Chinese advanced persistent threat (APT) group that has been compromising telecommunications organizations in Central and Southeast Asia.
2. ToddyCat is known for using custom-developed, yet simple, backdoors and loaders.
3. The group has been active since at least 2020 and has recently been linked with Chinese espionage operations.
4. ToddyCat’s latest campaign, called “Stayin’ Alive,” uses spear-phishing emails with archive files that rely on DLL sideloading (a legitimate executable loading a malicious DLL placed beside it in the same directory).
5. The loaders and downloaders used by ToddyCat have basic functionality but are sufficient for achieving initial goals, such as gathering information about infected machines and executing commands.
6. The simplicity of ToddyCat’s tools makes them harder to detect and easier to adjust to specific targets.
7. Each malware sample shows no discernible overlap with known malware families or earlier samples, indicating that the group constantly evolves its tooling and discards old samples.
8. Despite these evasive tactics, the campaign could be attributed to ToddyCat because its command-and-control infrastructure overlaps with the group’s previously documented activity.
9. To defend against ToddyCat and similar threats, a layered approach is recommended, including proper email protection and endpoint detection and response (EDR).