ToddyCat: an advanced threat actor targets high-profile entities with new malware
Kaspersky researchers reported an ongoing campaign carried out by an advanced persistent threat (APT) group dubbed ToddyCat, which focuses on compromising multiple Microsoft Exchange servers using two malicious programs – Samurai backdoor and Ninja Trojan. The campaign primarily targeted government and military sectors in Europe and Asia.
ToddyCat is a relatively new and sophisticated APT group whose activity was first detected by Kaspersky researchers in December 2020, when it carried out a number of attacks on the targets’ Microsoft Exchange servers. In February-March 2021, Kaspersky observed a quick escalation as ToddyCat started to abuse the ProxyLogon vulnerability on Microsoft Exchange servers to compromise multiple organizations across Europe and Asia. Starting from September 2021, the group shifted its attention to desktop machines related to government and diplomatic entities in Asia. The group constantly updates its arsenal and continues to perform attacks in 2022.
While it is unclear what the initial infection vector for the latest activities is, the researchers have conducted a thorough analysis of the malware used in the campaigns. ToddyCat employs Samurai Backdoor and Ninja Trojan, two sophisticated cyber-espionage tools designed to penetrate deeply into targeted networks while persistently maintaining stealth.
Samurai is a modular backdoor and the final-stage component of the attack; it allows the attacker to administer the remote system and move laterally within the compromised network. This malware stands out because it uses multiple control-flow and case statements to jump between instructions, which makes it hard to track the order of actions in the code. Moreover, it is used to launch another new malware dubbed Ninja Trojan, a complex collaborative tool that allows multiple operators to work on the same machine simultaneously.
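The control-flow pattern described above, where the real order of operations is hidden behind a dispatcher loop and case statements, is easier to understand with a toy. The following C program is an added illustration for analysts and is not code from the ToddyCat samples or from Kaspersky's report: it writes one small routine (a constructed FNV-1a style checksum) twice, once straightforwardly and once with every basic block turned into a `switch` case selected by a state variable, and records the sequence of states actually visited so the original execution order can be recovered. The state numbers, the sample input and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Straightforward version: the order of operations is visible in the source. */
uint32_t plain_hash(const uint8_t *buf, size_t len) {
    uint32_t h = 2166136261u;            /* FNV-1a offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        h *= 16777619u;                  /* FNV-1a prime */
    }
    return h;
}

/* Flattened version: identical logic, but each block is a case inside a loop
 * and a state variable decides which block runs next. Case labels are in a
 * deliberately scrambled order (assumed values) so reading top to bottom no
 * longer reveals the sequence. */
enum { S_INIT = 7, S_CHECK = 3, S_XOR = 11, S_MUL = 2, S_NEXT = 9, S_DONE = 5 };

uint32_t flattened_hash(const uint8_t *buf, size_t len,
                        int *trace, size_t trace_cap, size_t *trace_len) {
    uint32_t h = 0;
    size_t i = 0, n = 0;
    int state = S_INIT;
    for (;;) {
        if (trace && n < trace_cap) trace[n] = state;   /* log the state visited */
        n++;
        switch (state) {
        case S_MUL:   h *= 16777619u;                 state = S_NEXT;  break;
        case S_DONE:  if (trace_len) *trace_len = n;  return h;
        case S_INIT:  h = 2166136261u; i = 0;         state = S_CHECK; break;
        case S_NEXT:  i++;                            state = S_CHECK; break;
        case S_XOR:   h ^= buf[i];                    state = S_MUL;   break;
        case S_CHECK: state = (i < len) ? S_XOR : S_DONE;              break;
        }
    }
}

/* Constructed sample input used by the helpers below. */
static const uint8_t SAMPLE[] = { 'a', 'b' };
static int g_trace[64];
static size_t g_trace_len;

/* 1 if the flattened routine produces the same checksum as the plain one. */
int hashes_agree(void) {
    uint32_t a = plain_hash(SAMPLE, sizeof SAMPLE);
    uint32_t b = flattened_hash(SAMPLE, sizeof SAMPLE, g_trace, 64, &g_trace_len);
    return a == b;
}

/* Number of dispatcher iterations (states visited) for the sample input. */
size_t trace_length(void) {
    flattened_hash(SAMPLE, sizeof SAMPLE, g_trace, 64, &g_trace_len);
    return g_trace_len;
}

/* k-th state visited for the sample input, or -1 when out of range. */
int trace_state(size_t k) {
    flattened_hash(SAMPLE, sizeof SAMPLE, g_trace, 64, &g_trace_len);
    return (k < g_trace_len && k < 64) ? g_trace[k] : -1;
}

int main(void) {
    printf("checksums agree: %d\n", hashes_agree());
    printf("recovered execution order:");
    for (size_t k = 0; k < trace_length(); k++) printf(" %d", trace_state(k));
    printf("\n");
    return 0;
}
```

Recording the state variable on each dispatcher iteration is the same idea an analyst applies when instrumenting a flattened binary: the scrambled case labels stop mattering once the visited sequence is logged, and the original loop (init, check, xor, multiply, advance, repeat) reappears.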
Ninja Trojan also provides a large set of commands, which allows the attackers to control remote systems while avoiding detection. It is usually loaded into the memory of a device and launched by various loaders. The Ninja Trojan starts the operation by retrieving configuration parameters from the encrypted payload, and then deeply infiltrates a compromised network. The capabilities of the malware include managing file systems, starting reverse shells, forwarding TCP packets and even taking control of the network in specific timeframes, which can be dynamically configured using a specific command.
The malware also resembles other well-known post-exploitation frameworks, such as Cobalt Strike: Ninja’s features allow it to limit the number of direct connections from the targeted network to the remote command-and-control systems, including from hosts without internet access. In addition, it can control HTTP indicators and camouflage malicious traffic as legitimate-looking HTTP requests by modifying HTTP headers and URL paths. These capabilities make Ninja Trojan particularly stealthy.
“ToddyCat is a sophisticated threat actor with elevated technical skills, which is able to fly under the radar and make its way into top-level organizations. Despite the number of loaders and attacks discovered during the last year, we still don’t have complete visibility of their operations and tactics. Another noteworthy characteristic of ToddyCat is its focus on advanced malware capabilities – Ninja Trojan got its name for a reason – it is hard to detect and, therefore, hard to stop. The best way to face this kind of threat is to use multi-layer defenses, which provide information on internal assets and stay up-to-date with the latest threat intelligence,” comments Giampaolo Dedola, security expert at Kaspersky.
To learn more about ToddyCat, its techniques, and ways to protect your network from their attacks, read the report on Securelist.