The advanced persistent threat (APT) group ToddyCat has been linked to a new set of malicious tools built for data exfiltration. Kaspersky first documented ToddyCat last year and tied it to attacks on high-profile entities in Europe and Asia. The group's known arsenal includes the Ninja Trojan and a backdoor called Samurai, but further investigation uncovered additional malware developed and maintained by ToddyCat. These tools let the group achieve persistence, perform file operations, and load further payloads.
According to Kaspersky, ToddyCat uses a collection of loaders that launch the Ninja Trojan as a second stage. Alongside them it uses LoFiSe, a tool that finds and collects files of interest; a Dropbox uploader that stages stolen data in Dropbox; and Pcexter, which exfiltrates archive files to Microsoft OneDrive. The group also relies on custom scripts for data collection, a passive backdoor that receives commands via UDP packets, Cobalt Strike, and compromised domain admin credentials to move laterally within a network.
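The exfiltration pattern described above, files collected, archived and pushed to consumer cloud storage, is something a defender can hunt for in egress telemetry. The following is an added example, not code from Kaspersky's report or from the original article: it scans constructed proxy-style egress records for uploads to OneDrive or Dropbox endpoints made by a process that is neither a browser nor the official sync client, and scores them on archive file names and upload size. The log format, the host and process names (including `wuaucltx.exe`, which is an invented process name) and the 50 MiB threshold are assumptions chosen for illustration.

```python
import re

# Constructed egress records in key=value form (not real ToddyCat telemetry).
# Fields: ts src proc method dst path bytes
SAMPLE_EVENTS = [
    "ts=2023-10-12T08:01:13Z src=ws-17 proc=msedge.exe method=GET dst=www.example.com path=/ bytes=1200",
    "ts=2023-10-12T08:02:40Z src=ws-17 proc=OneDrive.exe method=PUT dst=api.onedrive.com path=/v1.0/drive/root:/Documents/notes.docx:/content bytes=48213",
    "ts=2023-10-12T08:05:02Z src=ws-17 proc=wuaucltx.exe method=PUT dst=graph.microsoft.com path=/v1.0/me/drive/root:/sync/20231012.7z:/content bytes=73400320",
    "ts=2023-10-12T08:07:55Z src=srv-04 proc=python.exe method=POST dst=content.dropboxapi.com path=/2/files/upload bytes=104857600",
    "ts=2023-10-12T08:09:10Z src=srv-04 proc=Dropbox.exe method=POST dst=content.dropboxapi.com path=/2/files/upload bytes=2048000",
    "ts=2023-10-12T08:11:31Z src=ws-22 proc=chrome.exe method=POST dst=graph.microsoft.com path=/v1.0/me/drive/root:/photos/holiday.zip:/content bytes=5242880",
]

# Cloud storage API domains to watch (assumed list; extend for your environment).
CLOUD_STORAGE_HOSTS = ("onedrive.com", "dropboxapi.com", "graph.microsoft.com")
# Archive extension followed by a path separator, OneDrive ':/content' suffix, query or end.
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z|tar|gz|cab)(?=[:/?]|$)", re.IGNORECASE)
UPLOAD_METHODS = {"PUT", "POST"}
# Processes expected to upload to these services; anything else is worth a look.
EXPECTED_UPLOADERS = {"onedrive.exe", "dropbox.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
LARGE_UPLOAD_BYTES = 50 * 1024 * 1024  # 50 MiB, an arbitrary tuning knob


def parse_event(line):
    """Split a space-separated key=value record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_cloud_storage(host):
    """Exact or subdomain match against the watched domains; rejects look-alikes."""
    return any(host == h or host.endswith("." + h) for h in CLOUD_STORAGE_HOSTS)


def flag_event(ev):
    """Return the reasons an event looks like staged-archive exfiltration, or [] if benign."""
    if ev["method"] not in UPLOAD_METHODS or not is_cloud_storage(ev["dst"]):
        return []
    if ev["proc"].lower() in EXPECTED_UPLOADERS:
        return []  # browsers and sync clients uploading files is normal
    reasons = []
    if ARCHIVE_RE.search(ev["path"]):
        reasons.append("archive file name in upload path")
    size = int(ev["bytes"])
    if size >= LARGE_UPLOAD_BYTES:
        reasons.append(f"large upload ({size // (1024 * 1024)} MiB)")
    if reasons:
        reasons.insert(0, f"unexpected process {ev['proc']} uploading to {ev['dst']}")
    return reasons


def hunt(lines):
    """Run flag_event over raw records and return the flagged ones with their reasons."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = flag_event(ev)
        if reasons:
            hits.append({"src": ev["src"], "proc": ev["proc"], "dst": ev["dst"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h['src']} {h['proc']} -> {h['dst']}: {'; '.join(h['reasons'])}")
```

Two of the constructed records are flagged: the invented `wuaucltx.exe` pushing a `.7z` to the Graph API, and `python.exe` sending 100 MiB to the Dropbox upload endpoint. The Dropbox case shows why the size check matters: the Dropbox `/2/files/upload` API carries the file name in a request header rather than the URL path, so an archive-extension rule alone would miss it. Process allow-listing by name is a weak control on its own, since an implant can masquerade as a sync client, so in practice this should be paired with signer or path checks on the process.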
Separately, Check Point recently revealed that government and telecom entities in Asia have been targeted in a campaign ongoing since 2021. The campaign rotates through a variety of disposable malware to evade detection and deliver next-stage payloads, and its infrastructure overlaps with that used by ToddyCat.
Overall, ToddyCat is a persistent threat actor that has been active for nearly three years, targeting high-profile entities in Europe and Asia. They have an extensive arsenal of malicious tools and use various techniques for data exfiltration and lateral movement within compromised networks.
