New ToddyCat Hacker Group on Experts’ Radar After Targeting MS Exchange Servers

An advanced persistent threat (APT) actor codenamed ToddyCat has been linked to a string of attacks aimed at high-profile entities in Europe and Asia since at least December 2020.

The relatively new adversarial collective is said to have commenced its operations by targeting Microsoft Exchange servers in Taiwan and Vietnam using an unknown exploit to deploy the China Chopper web shell and activate a multi-stage infection chain.

Other prominent countries targeted include Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, the U.K., and Uzbekistan, just as the threat actor evolved its toolset over the course of different campaigns.

“The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443,” Russian cybersecurity company Kaspersky said in a report published today.

“The malware allows arbitrary C# code execution and is used with multiple modules that allow the attacker to administrate the remote system and move laterally inside the targeted network.”

ToddyCat, also tracked under the moniker Websiic by Slovak cybersecurity firm ESET, first came to light in March 2021 for its exploitation of ProxyLogon Exchange flaws to target email servers belonging to private companies in Asia and a governmental body in Europe.

After the China Chopper web shell is deployed, the attack sequence executes a dropper that, in turn, makes Windows Registry modifications to launch a second-stage loader, which is designed to trigger a third-stage .NET loader that’s responsible for running Samurai.

The backdoor, besides using techniques like obfuscation and control flow flattening to make it resistant to reverse engineering, is modular in that its components make it possible to execute arbitrary commands and exfiltrate files of interest from the compromised host.

Also observed in specific incidents is a sophisticated tool named Ninja that’s spawned by the Samurai implant and likely functions as a collaborative tool allowing multiple operators to work on the same machine simultaneously.

Its feature similarities to other post-exploitation toolkits like Cobalt Strike notwithstanding, the malware enables the attacker to “control remote systems, avoid detection, and penetrate deep inside a targeted network.”

Despite the fact that ToddyCat victims are related to countries and sectors traditionally targeted by Chinese-speaking groups, there is no evidence tying the modus operandi to a known threat actor.

“ToddyCat is a sophisticated APT group that uses multiple techniques to avoid detection and thereby keeps a low profile,” Kaspersky security researcher Giampaolo Dedola said.

“The affected organizations, both governmental and military, show that this group is focused on very high-profile targets and is probably used to achieve critical goals, likely related to geopolitical interests.”