The advanced persistent threat (APT) group known as ToddyCat is collecting data at industrial scale from government and defense targets in the Asia-Pacific region.
Kaspersky researchers tracking the campaign reported this week that the attackers use multiple simultaneous connections into the victim environment to maintain persistence and steal data from it. The group, whose name is also a common name for the palm civet, also uses a set of tools built to collect data from the victim's systems and browsers.
Multiple traffic tunnels in the ToddyCat cyberattack
“Implementing multiple tunnels to infected infrastructure with different tools [means that] even if one of the tunnels is discovered and removed, the attacker can maintain access to the system,” Kaspersky security researchers said in a blog post this week. “By ensuring constant access to [the] infrastructure, an attacker can perform reconnaissance and connect to remote hosts.”
ToddyCat is likely a Chinese-speaking threat actor, and Kaspersky has been able to link it to attacks dating back to at least December 2020. In its early stages, the group appeared to focus only on a few organizations in Taiwan and Vietnam. However, Kaspersky believes that ToddyCat may have been among the threat actors targeting the ProxyLogon vulnerability before February 2021, although it has not yet found evidence to support this speculation.
In 2022, Kaspersky reported finding the ToddyCat actor using two sophisticated new malware tools, known as Samurai and Ninja. The group distributed China Chopper, the well-known generic web shell used in the Microsoft Exchange Server attacks, to the systems of victims in Asia and Europe.
Maintaining persistent access, fresh malware
Kaspersky's latest investigation into ToddyCat activity reveals that the threat actor's tactics for maintaining persistent remote access to compromised networks include establishing multiple tunnels into the network using a variety of tools. These include reverse SSH tunnels for reaching remote network services; SoftEther VPN, an open source tool that allows VPN connections via OpenVPN, L2TP/IPsec, and other protocols; and Ngrok, a lightweight agent used to redirect command-and-control traffic from attacker-controlled cloud infrastructure to target hosts in the victim environment.
In addition, Kaspersky researchers found that ToddyCat attackers used a fast reverse proxy client to gain access from the Internet to servers sitting behind firewalls or network address translation (NAT) mechanisms.
Kaspersky's research also found that the attackers are using at least three new tools in their data collection campaigns. One is a piece of malware, which Kaspersky has dubbed “Cuthead,” that allows ToddyCat to search victim networks for files with specific extensions or words and store them in an archive.
Another new tool that Kaspersky discovered ToddyCat using is “WAExp.” The malware's job is to search for and collect browser data from the web version of WhatsApp.
“For users of the WhatsApp web app, the browser's local storage stores profile details, chat data, the chatter's phone number, and current session data,” Kaspersky researchers said. Using WAExp, an attacker can access this data by copying the browser's local storage files, the security vendor noted.
Meanwhile, the third tool, called “TomBerBil,” allows ToddyCat attackers to steal passwords from the Chrome and Edge browsers.
“We considered several tools that would allow attackers to maintain access to a target's infrastructure and automatically search for and collect data of interest,” Kaspersky said. “Attackers are actively using techniques to evade defenses in order to hide their presence within the system.”
The security vendor recommends that organizations block the IP addresses of cloud services that provide traffic tunneling and limit the tools administrators can use to remotely access hosts. Organizations should also remove or carefully monitor unused remote access tools in their environments and encourage users not to save passwords in their browsers, Kaspersky said.
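As an added example (not code from Kaspersky or from this article), here is one way a defender could act on that advice: a small Python checker that scans process-creation log lines for the tunneling tools named above (reverse SSH, SoftEther VPN, Ngrok, a fast reverse proxy client) and flags hosts where more than one tunnel tool appears, the multiple-tunnel pattern the researchers describe. The log format, the sample events and the process-name patterns are constructed assumptions for illustration, not Kaspersky's indicators.

```python
import re
from dataclasses import dataclass

# Command-line patterns for the tunnel tools discussed in the article.
# These are illustrative assumptions, not published indicators of compromise.
TUNNEL_SIGNATURES = {
    "reverse_ssh": re.compile(r"\bssh(\.exe)?\b.*\s-[A-Za-z]*R\b"),          # ssh -R remote forward
    "softether_vpn": re.compile(r"\bvpn(client|cmd|bridge)(\.exe)?\b", re.I),  # SoftEther binaries
    "ngrok": re.compile(r"\bngrok(\.exe)?\b.*\b(tcp|http|start)\b", re.I),    # ngrok exposing a port
    "fast_reverse_proxy": re.compile(r"\bfrpc(\.exe)?\b", re.I),              # frp client
}

@dataclass
class Finding:
    host: str
    tool: str
    command_line: str

def parse_event(line):
    # Constructed log format: "<host>|<user>|<command line>"
    host, user, cmdline = line.split("|", 2)
    return host.strip(), user.strip(), cmdline.strip()

def detect_tunnels(events):
    """Return one Finding per (event, matching tunnel tool) pair."""
    findings = []
    for line in events:
        host, _user, cmdline = parse_event(line)
        for tool, pattern in TUNNEL_SIGNATURES.items():
            if pattern.search(cmdline):
                findings.append(Finding(host, tool, cmdline))
    return findings

def hosts_with_multiple_tunnels(findings):
    """Hosts on which more than one distinct tunnel tool was observed."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.tool)
    return sorted(h for h, tools in by_host.items() if len(tools) > 1)

# Constructed sample events; srv02's first ssh line is benign (no -R) and should not fire.
SAMPLE_EVENTS = [
    "srv01|svc_backup|C:\\Windows\\Temp\\ssh.exe -N -R 0.0.0.0:2222:127.0.0.1:3389 -p 443 user@198.51.100.10",
    "srv01|svc_backup|C:\\ProgramData\\vpnclient.exe /start",
    "srv02|admin|C:\\Program Files\\Git\\usr\\bin\\ssh.exe git@github.com",
    "srv02|admin|C:\\Users\\Public\\ngrok.exe tcp 3389",
    "ws07|jdoe|C:\\Users\\jdoe\\Downloads\\frpc.exe -c frpc.ini",
]

if __name__ == "__main__":
    hits = detect_tunnels(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host}: {f.tool}: {f.command_line}")
    print("hosts with multiple tunnel tools:", hosts_with_multiple_tunnels(hits))
```

Matching on command lines alone is a starting point; pairing it with the IP blocks and remote-access tool inventory the article recommends gives the coverage needed to catch a tunnel that was re-established with a different tool.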