The threat actor tracked as ToddyCat has been observed using a wide range of tools to retain access to compromised environments and steal valuable data.
Russian cybersecurity firm Kaspersky described the adversary as relying on a variety of programs to harvest data on a “massive scale,” primarily from government organizations, some of them defense-related, located in the Asia-Pacific region.
“In order to accumulate substantial volumes of data from numerous hosts, assailants need to automate the data collection process to the greatest extent feasible, and furnish various alternative means to persistently access and surveil the systems they target,” said security researchers Andrey Gunkin, Alexander Fedotov, and Natalya Shornikova.
ToddyCat was first documented by the firm in June 2022 in connection with a series of cyber attacks aimed at government and military entities in Europe and Asia going back to at least December 2020. Those intrusions used a passive backdoor named Samurai that gives the operators remote access to the compromised host.
Further analysis of the group's tradecraft has since uncovered additional data exfiltration tools, such as LoFiSe and Pcexter, for gathering data and uploading archive files to Microsoft OneDrive.
The latest set of tools combines tunneling and data harvesting software, deployed after the attacker has already obtained access to privileged user accounts on the compromised system. It comprises:
- SoftEther VPN, renamed to benign-looking filenames such as “boot.exe,” “mstime.exe,” “netscan.exe,” and “kaspersky.exe”
- Ngrok and Krong, used to encrypt and redirect command-and-control (C2) traffic to a designated port on the target system
- FRP client, a fast reverse proxy written in Go and available as open source
- Cuthead, a compiled .NET executable that searches for documents matching specific extensions or filenames, or modified on a particular date
- WAExp, a .NET program that captures data associated with the WhatsApp web application and archives it
- TomBerBil, which extracts cookies and credentials from web browsers such as Google Chrome and Microsoft Edge
Because the tunneling binaries are legitimate software renamed on disk, the file name alone is not a reliable indicator; detection has to rely on other attributes of the binary or on how it is invoked.
“The assailants are actively employing tactics to circumvent defenses in an endeavor to obfuscate their presence within the system,” Kaspersky said.
“To fortify the organization’s infrastructure, we advocate adding the resources and IP addresses of cloud services facilitating traffic tunneling to the firewall denylist. Additionally, users should be mandated to refrain from storing passwords in their browsers, as it aids attackers in accessing sensitive information.”
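As a complement to the firewall denylist Kaspersky recommends, a defender can hunt for the renamed tunneling tools listed above in endpoint telemetry. The following is an added example, not code from Kaspersky's report or from the article: it runs three checks over constructed Sysmon-style process-creation records (a version-resource OriginalFileName that no longer matches the on-disk name, ngrok- and frpc-shaped command lines, and a hash denylist). The OriginalFileName values, the command-line patterns, the sample events and the hashes are all assumptions made for illustration, not indicators from the report.

```python
import ntpath
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) records. Field names are
# Sysmon's; every value below is made up for this example, and the SHA256
# strings are placeholders, not hashes of real ToddyCat samples.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\Temp\kaspersky.exe",
     "OriginalFileName": "vpnclient.exe",
     "Description": "SoftEther VPN Client",
     "CommandLine": r"C:\Windows\Temp\kaspersky.exe /start",
     "Hashes": "SHA256=AAAA0000,MD5=11110000"},
    {"Image": r"C:\ProgramData\netscan.exe",
     "OriginalFileName": "-",
     "Description": "-",
     "CommandLine": r"C:\ProgramData\netscan.exe tcp 3389 --authtoken 2abcDEF",
     "Hashes": "SHA256=BBBB0000,MD5=22220000"},
    {"Image": r"C:\Users\Public\mstime.exe",
     "OriginalFileName": "-",
     "Description": "-",
     "CommandLine": r"C:\Users\Public\mstime.exe -c C:\Users\Public\frpc.ini",
     "Hashes": "SHA256=CCCC0000,MD5=33330000"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "Description": "Host Process for Windows Services",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "Hashes": "SHA256=DDDD0000,MD5=44440000"},
]

# OriginalFileName comes from the PE version resource and survives a rename
# on disk. The names here are assumptions for this example; verify them
# against your own copies of the binaries before deploying.
TUNNEL_ORIGINAL_NAMES = {
    "vpnclient.exe": "SoftEther VPN",
    "vpnserver.exe": "SoftEther VPN",
    "vpncmd.exe": "SoftEther VPN",
    "ngrok.exe": "ngrok",
    "frpc.exe": "FRP client",
}

# Go builds such as ngrok and frpc often carry no version resource, so they
# are matched on command-line shape instead (patterns are assumptions):
#   ngrok:  <image> tcp 3389 --authtoken <token>
#   frpc:   <image> -c <path>\frpc.ini   (or frpc.toml)
CMDLINE_RULES = [
    ("ngrok", re.compile(r"(?:^|\s)(?:tcp|http|tls)\s+\d{1,5}(?:\s|$)|--authtoken\b", re.I)),
    ("FRP client", re.compile(r"(?:^|\s)-c\s+\S*frpc\.(?:ini|toml)\b", re.I)),
]

# Constructed denylist standing in for a real IOC feed (lower-case SHA256).
HASH_DENYLIST = {"cccc0000": "FRP client build seen in this (constructed) incident"}


def sha256_from_hashes(hashes: str) -> str:
    """Pull the SHA256 value out of Sysmon's 'ALG=VALUE,ALG=VALUE' field."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event looks like a tunnelling tool."""
    findings: List[str] = []
    image_name = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()

    # 1. A known tunnelling binary whose on-disk name no longer matches its
    #    version-resource name, which is the renaming the report describes.
    tool = TUNNEL_ORIGINAL_NAMES.get(original)
    if tool is not None:
        if original != image_name:
            findings.append(f"{tool} renamed on disk to {image_name}")
        else:
            findings.append(f"{tool} running under its original name")

    # 2. Command lines shaped like a tunnel/reverse-proxy client; this also
    #    catches binaries that carry no version information at all.
    cmdline = event.get("CommandLine", "")
    for tool_name, pattern in CMDLINE_RULES:
        if pattern.search(cmdline):
            findings.append(f"{tool_name}-style command line")

    # 3. Plain hash match against the denylist.
    digest = sha256_from_hashes(event.get("Hashes", ""))
    if digest in HASH_DENYLIST:
        findings.append(f"SHA256 on denylist: {HASH_DENYLIST[digest]}")

    return findings


def scan_events(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious Image path to its findings; clean events are omitted."""
    result: Dict[str, List[str]] = {}
    for ev in events:
        hits = assess(ev)
        if hits:
            result[ev["Image"]] = hits
    return result


if __name__ == "__main__":
    for image, hits in scan_events(EVENTS).items():
        print(image)
        for hit in hits:
            print("   ", hit)
```

The version-resource check is the one that survives the renaming described in the article, but it only works for binaries that ship version information, which is why the command-line and hash checks sit beside it. Run over real Sysmon or EDR exports, the command-line patterns will need tuning against your own environment's legitimate tunnel and proxy usage before they are turned into alerts.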