ToddyCat APT Is Stealing Data on Industrial Scale

Published: 23/11/2024   Category: security


The threat actor is deploying multiple connections into victim environments to maintain persistence and steal data.



An advanced persistent threat (APT) group known as ToddyCat is collecting data on an industrial scale from government and defense targets in the Asia-Pacific region.

Researchers from Kaspersky tracking the campaign described the threat actor this week as using multiple simultaneous connections into victim environments to maintain persistence and to steal data from them. They also discovered a set of new tools that ToddyCat (which is a common name for the Asian palm civet) is using to enable data collection from victim systems and browsers.
"Having several tunnels to the infected infrastructure implemented with different tools allows [the] attackers to maintain access to systems even if one of the tunnels is discovered and eliminated," Kaspersky security researchers said in a blog post this week. "By securing constant access to the infrastructure, [the] attackers are able to perform reconnaissance and connect to remote hosts."
ToddyCat is a likely Chinese-speaking threat actor that Kaspersky has been able to link to attacks going back to at least December 2020. In its initial stages, the group appeared focused on just a small number of organizations in Taiwan and Vietnam. But the threat actor quickly ramped up attacks following the public disclosure of the so-called ProxyLogon vulnerabilities in Microsoft Exchange Server in February 2021. Kaspersky believes ToddyCat might have been among a group of threat actors that targeted the ProxyLogon vulnerabilities even prior to February 2021, but says it has not found evidence yet to back up that conjecture.
In 2022, Kaspersky reported finding ToddyCat actors using two sophisticated new malware tools dubbed Samurai and Ninja to distribute China Chopper — a well-known commodity Web shell used in the Microsoft Exchange Server attacks — on systems belonging to victims in Asia and Europe.
Kaspersky's latest investigation into ToddyCat's activities showed that the threat actor's tactic for maintaining persistent remote access to a compromised network is to establish multiple tunnels to it using different tools. These include using a reverse SSH tunnel to gain access to remote network services; using SoftEther VPN, an open source tool that enables VPN connections via OpenVPN, L2TP/IPSec, and other protocols; and using a lightweight agent (Ngrok) to redirect command-and-control from an attacker-controlled cloud infrastructure to target hosts in the victim environment.
In addition, Kaspersky researchers found ToddyCat actors to be using a fast reverse proxy client to enable access from the Internet to servers behind a firewall or network address translation (NAT) mechanism.
Kaspersky's investigation also showed the threat actor using at least three new tools in its data-collection campaign. One of them is malware that Kaspersky has dubbed Cuthead, which allows ToddyCat to search the victim network for files with specific extensions or words and to store them in an archive.
Another new tool that Kaspersky found ToddyCat using is WAExp. The malware's task is to search for and collect browser data from the Web version of WhatsApp.
"For users of the WhatsApp web app, their browser local storage contains their profile details, chat data, the phone numbers of users they chat with and current session data," Kaspersky researchers said. WAExp allows the attackers to gain access to this data by copying the browser's local storage files, the security vendor noted.
The third tool, meanwhile, is dubbed TomBerBil, and allows ToddyCat actors to steal passwords from Chrome and Edge browsers.
"We looked at several tools that allow the attackers to maintain access to target infrastructures and automatically search for and collect data of interest," Kaspersky said. "The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system."
The security vendor recommends that organizations block IP addresses of cloud services that provide traffic tunneling and limit the tools that administrators can use to access hosts remotely. Organizations also need to either remove or closely monitor any unused remote access tools in the environment and encourage users not to store passwords in their browsers, Kaspersky said.
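The multiple-tunnel pattern described above and Kaspersky's advice to monitor remote access tooling suggest a simple hunt: flag process launches of the tunnel families the article names (reverse SSH, SoftEther VPN, Ngrok, the FRP client) and note when more than one family shows up in the same environment. The script below is an added illustration, not Kaspersky's code or ToddyCat tooling; the log line format and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation log lines (hypothetical format, not from the report):
# "<timestamp> host=<name> user=<name> cmd=<command line>"
SAMPLE_LOGS = [
    '2024-11-20T08:01:02Z host=fs01 user=svc_backup cmd="C:\\Tools\\ssh.exe -N -R 7000:localhost:3389 user@203.0.113.10"',
    '2024-11-20T08:05:44Z host=web02 user=admin cmd="C:\\Users\\Public\\vpnserver.exe /start"',
    '2024-11-20T08:07:10Z host=hr03 user=jdoe cmd="C:\\Users\\jdoe\\Downloads\\ngrok.exe tcp 3389"',
    '2024-11-20T08:09:31Z host=db01 user=svc_sql cmd="C:\\ProgramData\\frpc.exe -c frpc.ini"',
    '2024-11-20T08:12:00Z host=hr03 user=jdoe cmd="C:\\Windows\\System32\\notepad.exe report.txt"',
    '2024-11-20T08:15:22Z host=fs01 user=svc_backup cmd="C:\\Tools\\ssh.exe user@10.0.0.5"',
]

# One rule per tunnel family named in the article; each is a regex over the command line.
# Plain outbound ssh is not flagged, only the -R (remote/reverse forward) form.
RULES = [
    ("reverse_ssh_tunnel", re.compile(r"\bssh(\.exe)?\b.*\s-R\s", re.I)),
    ("softether_vpn",      re.compile(r"\bvpn(server|bridge|client|cmd)(\.exe)?\b", re.I)),
    ("ngrok_agent",        re.compile(r"\bngrok(\.exe)?\b", re.I)),
    ("frp_client",         re.compile(r"\bfrpc(\.exe)?\b", re.I)),
]

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    cmd: str

def scan(lines):
    """Return one Finding per log line whose command line matches a tunnel rule."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the hunt
        cmd = m.group("cmd")
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(name, m.group("host"), m.group("user"), cmd))
                break
    return findings

def distinct_tunnel_families(findings):
    """Sorted set of tunnel families seen; more than one is the redundant-access pattern."""
    return sorted({f.rule for f in findings})

if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for f in hits:
        print(f"[{f.rule}] {f.host} {f.user}: {f.cmd}")
    print("tunnel families present:", distinct_tunnel_families(hits))
```

In a real deployment the rules would be fed from Sysmon event 1 or EDR process telemetry, and any hit on a host where the tool is not sanctioned by the remote-access allow list is worth a ticket on its own.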
