New ToddyCat APT Targets Exchange Servers

Researchers have identified a relatively new APT group that has been targeting organizations across Asia and Eastern Europe, often going after Microsoft Exchange servers and using custom backdoors and post-exploitation toolkits to maintain persistence and collect sensitive data.

The group has been active since at least December 2020 but its campaigns have picked up and evolved in recent months. Researchers at Kaspersky dubbed the group ToddyCat and said that the team uses at least two custom pieces of malware, known as Samurai and Ninja. Samurai, which is a backdoor, was used in the first wave of attacks against Exchange servers and allows for remote administration of compromised servers, as well as code execution. Samurai is sometimes used to install the Ninja malware as the next stage of the intrusion.

“Based on the code logic, it appears that Ninja is a collaborative tool allowing multiple operators to work on the same machine simultaneously. It provides a large set of commands, which allow the attackers to control remote systems, avoid detection and penetrate deep inside a targeted network. Some capabilities are similar to those provided in other notorious post-exploitation toolkits,” the Kaspersky analysis says.

“For example, Ninja has a feature like Cobalt Strike pivot listeners, which can limit the number of direct connections from the targeted network to the remote C2 and control systems without internet access. It also provides the ability to control the HTTP indicators and camouflage malicious traffic in HTTP requests that appear legitimate by modifying HTTP header and URL paths. This feature provides functionality that reminds us of the Cobalt Strike Malleable C2 profile.”

The initial infection vector that ToddyCat uses isn’t clear, although Kaspersky said the group initially used an unknown exploit against the Exchange servers and later moved to using the ProxyLogon bug. The first stage of the intrusion uses a dropper to load the Samurai backdoor. There is also a DLL loader and a .NET loader, but the end goal is to get the Samurai backdoor onto the server. Samurai has a number of separate modules that can be loaded as needed, including one that exfiltrates data, another that performs remote command execution, and another that enumerates all of the files in a specific path.

“The cumbersome administration of the Samurai backdoor using arguments in this structure suggests that the Samurai backdoor is the server-side component of a bigger solution that includes at least another client component providing an interface for the operators that can be used to automatically upload some predefined modules,” the analysis says.

“Further evidence that enhances this hypothesis is related to the proxy modules, two different C# programs developed to forward TCP packets to arbitrary hosts. The attacker uses these modules to start a connection between a running instance of a Samurai backdoor and a remote host and forward the packets using the backdoor as a proxy. It is probably used to move laterally inside the compromised network.”

The ToddyCat group has targeted organizations in many Asian countries, including Taiwan and Vietnam, as well as targets in India, Iran, Afghanistan, Russia, and the UK, among others. Kaspersky did not attribute the ToddyCat activity to any known actors, but said that there was some overlap with other groups’ activities.

“During our investigations we noticed that ToddyCat victims are related to countries and sectors usually targeted by multiple Chinese-speaking groups. In fact, we observed three different high-profile organizations compromised during a similar time frame by ToddyCat and another Chinese-speaking APT group that used the FunnyDream backdoor,” the analysis says.

“This overlap caught our attention, since the ToddyCat malware cluster is rarely seen as per our telemetry; and we observed the same targets compromised by both APTs in three different countries.”

ToddyCat’s victims are high-profile government and military organizations, which are typically on the target list for many APT groups.