Kaspersky Lab has described a new, serious actor named ToddyCat

For more than a year and a half, a previously unknown group has targeted high-status victims, including government organizations, military departments, and arms contractors.

ToddyCat's operations are characterized by the use of the Samurai backdoor and the Ninja Trojan, two previously unknown malware strains that give attackers complete remote control over infected systems.

The first ToddyCat attacks were recorded in December 2020 and focused on the servers of three organizations in Taiwan and Vietnam using an unknown exploit.

Later, from February to May 2021, the group refocused on a number of other targets in Europe and Asia, including Russia, India, Iran, and the United Kingdom, this time exploiting Microsoft Exchange's ProxyLogon vulnerabilities for initial access.

In the next phase, through February 2022, ToddyCat targeted the same cluster of countries, adding organizations from Indonesia, Uzbekistan, and Kyrgyzstan to the list.

The group was seen exploiting the ProxyLogon vulnerability to target organizations in Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, the United Kingdom, and Uzbekistan. At the same time, since September 2021, the APT has targeted desktop systems in Central Asia with a new set of loaders for the Ninja Trojan.

On compromised machines, hackers deployed the China Chopper web shell, which, in turn, was used to launch a multi-stage chain of infection.

To maintain access to vulnerable Exchange servers, ToddyCat used the passive Samurai backdoor, which usually listens on ports 80 and 443, supports arbitrary code execution, and is used together with several modules that allow the operators to manage the server and navigate within the target network.

Thanks to its modular architecture, the malware allowed attackers to remotely control the infected machine, extract files, run proxy connections, and perform lateral movement. The backdoor uses obfuscation and other techniques to evade detection.

In some cases, the backdoor was used to launch the Ninja Trojan, which may have been part of an unknown exclusive ToddyCat post-exploitation toolkit.

The malware loaded into memory functions as a collaboration tool that allows multiple operators to simultaneously control a compromised machine, providing support for a wide range of commands.

The malware is also able to manage running processes, manage the file system, launch reverse shell sessions, inject code, and load additional modules, including proxies.

Ninja supports communication over multiple protocols and implements anti-detection measures. An interesting feature of the Trojan is its ability to schedule its active hours: it sets time intervals during which it operates in order to avoid detection.

The researchers do not attribute ToddyCat to any other APT group, but they do point out that its targeting matches the traditional interests of Chinese actors.

Moreover, Kaspersky Lab discovered that a pro-Chinese APT group using the FunnyDream backdoor had compromised 3 organizations at the same time as ToddyCat, which is not surprising given the high status of the victims, who are of interest to many groups.

ToddyCat is a fairly professional and sophisticated APT. Kaspersky Lab was able to thoroughly study the full infection chain and the later malware stages of the identified campaigns, unlike ESET and Vietnam's GTSC, whose reports are limited to the infection vector and the deployment of the first dropper.

All details and indicators of compromise (IOCs) for ToddyCat can be found in the Kaspersky Lab report.

+++

Researchers report that the group is improving its methods of conducting attacks and evading detection. With the help of a new set of malware, the hackers collect the victims' files of interest and upload them to public, legitimate hosting services.



Last summer, Kaspersky Lab analysts reported on the discovery of the ToddyCat group, which has been active since at least 2020 and has carried out numerous attacks on high-profile organizations in Europe and Asia.

At the time, the experts described the group's main tools, including the Ninja Trojan, the Samurai backdoor, and the loaders used to launch them. However, a new report released this week states that a new generation of loaders developed by ToddyCat was discovered last year, which indicates that the group continues to refine its methods.

The detected malware plays a key role at the infection stage, ensuring the deployment of the Ninja Trojan mentioned above. In some cases, ToddyCat replaces the standard loaders with a tailored loader designed for specific systems. It has a unique encryption scheme that takes into account system-specific attributes, such as the disk model and the volume GUID path.

To gain a foothold on compromised systems, the attackers use various techniques, including creating a registry key and a corresponding service. This allows them to load malicious code at system startup and is reminiscent of the methods the group used with the Samurai backdoor. For example, it allows the attackers to hide the malware in the address space of svchost.exe.

During the investigation, Kaspersky Lab experts discovered additional tools and components used by ToddyCat, including the updated Ninja, a universal agent with functions for managing processes and the file system, running a reverse shell, injecting code, and redirecting network traffic.

The latest version of Ninja supports the same commands that were described in the previous report, but with a different configuration. Where the previous version obfuscated the embedded configuration with the XOR key 0xAA, the new version uses a bitwise NOT operation for the same purpose.
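As an added analyst-side example (not Kaspersky's or ToddyCat's code), the helper below recovers an embedded configuration blob whichever of the two described schemes it uses: since a bitwise NOT on a byte is the same as XOR with 0xFF, one single-byte XOR brute force with a known plaintext marker covers both the older 0xAA key and the newer NOT, and flags any other key it finds. The marker `c2=` and the sample configuration are constructed placeholders, not indicators from the report.

```python
# Added example (not Kaspersky's or ToddyCat's code): recover an embedded
# configuration blob obfuscated either with XOR 0xAA (older Ninja samples)
# or with a bitwise NOT (newer samples). NOT on a byte equals XOR 0xFF, so a
# single-byte XOR brute force with a known marker covers both schemes.
# The marker "c2=" and the sample config are constructed placeholders.

XOR_KEY_OLD = 0xAA
XOR_KEY_NOT = 0xFF  # bitwise NOT expressed as an XOR key


def xor_decode(blob: bytes, key: int) -> bytes:
    """XOR every byte of blob with a single-byte key."""
    return bytes(b ^ key for b in blob)


def not_decode(blob: bytes) -> bytes:
    """Bitwise NOT of every byte (the newer configuration scheme)."""
    return bytes((~b) & 0xFF for b in blob)


def find_single_byte_xor_keys(blob: bytes, marker: bytes) -> list:
    """Return every key 0..255 whose XOR decoding contains the known marker."""
    return [k for k in range(256) if marker in xor_decode(blob, k)]


def decode_config(blob: bytes, marker: bytes = b"c2=") -> tuple:
    """Identify the obfuscation scheme and return (scheme_label, plaintext).

    Returns (None, None) when no single-byte key produces the marker, i.e.
    the sample uses a scheme this helper does not know about.
    """
    keys = find_single_byte_xor_keys(blob, marker)
    if not keys:
        return None, None
    key = keys[0]
    label = {XOR_KEY_OLD: "xor-0xAA (older samples)",
             XOR_KEY_NOT: "bitwise-NOT (newer samples)"}.get(key, f"xor-0x{key:02X}")
    return label, xor_decode(blob, key)


# Constructed sample: a key=value config as it would look once decoded.
SAMPLE_CONFIG = b"c2=example.invalid:443;sleep=60;active=09:00-18:00"
OLD_BLOB = xor_decode(SAMPLE_CONFIG, XOR_KEY_OLD)  # how an older sample stores it
NEW_BLOB = not_decode(SAMPLE_CONFIG)               # how a newer sample stores it

if __name__ == "__main__":
    for name, blob in (("old", OLD_BLOB), ("new", NEW_BLOB)):
        scheme, plain = decode_config(blob)
        print(f"{name}: {scheme} -> {plain!r}")
```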

It is also reported that the hackers still use LoFiSe (to search for specific files on the victim's systems), DropBox Uploader (to upload data to Dropbox), Pcexter (to upload archive files to the OneDrive cloud), a passive UDP backdoor (to ensure a long-term presence on the system), and CobaltStrike (as a backup initial loader, after which Ninja is often deployed).

"Instead of just hacking into systems, ToddyCat performs well-thought-out sequential actions to collect valuable data over a long period of time, adapting to new conditions in order to remain unnoticed. Their advanced tactics and constant adaptation to changes indicate that these are not just sudden and short-term attacks, but a long-term campaign," comments Igor Kuznetsov, head of the Russian research center at Kaspersky Lab.