ToddyCat APT Is Stealing Data on ‘Industrial Scale’

April 22, 2024 at 05:20PM

ToddyCat, an APT group, collects data on an industrial scale from government and defense targets in the Asia-Pacific region. They use multiple simultaneous connections to steal data and maintain access, and have links to attacks going back to at least December 2020. Kaspersky recommends specific actions for organizations to protect against these cyberattacks.

The key points about the ToddyCat APT group are:

1. The group is targeting government and defense targets in the Asia-Pacific region and is collecting data on an industrial scale.

2. ToddyCat is using multiple simultaneous connections into victim environments to maintain persistence and steal data. They have recently developed new tools to enable data collection from victim systems and browsers.

3. Kaspersky researchers revealed that ToddyCat is likely a Chinese-speaking threat actor and has been linked to attacks dating back to at least December 2020. They suspect that the group was already targeting the ProxyLogon vulnerabilities in Microsoft Exchange Server even before February 2021.

4. Kaspersky reported that ToddyCat actors are using new sophisticated malware tools named Samurai and Ninja to distribute China Chopper, a well-known web shell used in the Microsoft Exchange Server attacks.

5. The group is using various tactics to maintain persistent remote access, including establishing multiple tunnels to compromised networks using different tools.

6. Kaspersky found ToddyCat using at least three new tools in its data-collection campaign: “Cuthead” to search for specific files on victim networks, “WAExp” to collect browser data from the Web version of WhatsApp, and “TomBerBil” to steal passwords from Chrome and Edge browsers.

7. Kaspersky recommends that organizations block the IP addresses of cloud services that provide traffic tunneling, limit the use of remote access tools, and encourage users not to store passwords in their browsers.

These are the main takeaways regarding the ToddyCat APT group's activities and the recommended actions to mitigate the threat.