Kaspersky, a Russian cybersecurity firm, says the gang uses multiple separate tools to extract data on an “industrial scale” from government organisations, including defence focused companies, located in the Asia-Pacific region.
ToddyCat is thought to be a Chinese threat group.
“During the observation period, we noted that this group stole data on an industrial scale. To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack,” said security researchers Andrey Gunkin, Alexander Fedotov and Natalya Shornikova.
The company first identified ToddyCat in June 2022 after a series of cyberattacks aimed at government and military organisations in Europe and Asia dating from December 2020. These attacks used a passive backdoor that permitted remote access to the compromised victim.
Analysis of the group’s methodology led the researchers to discover additional data exfiltration tools used by ToddyCat, including LoFiSe and Pcexter, which are used to gather data and upload files to Microsoft OneDrive.
The anatomy of a typical attack is as follows, according to the researchers.
● Launch a reverse SSH tunnel using OpenSSH
● Open a tunnel using SoftEther VPN, renamed to seem like an innocuous file
● Alternatively tunnel to a cloud provider using Ngrok and Krong to encrypt and redirect command-and-control (C2) traffic to a certain port on the target system
● Install FRP client, a reverse proxy
● Use Cuthead, a .NET compiled tool to search for documents matching a specific extension, filename, or modification date
● Deploy WAExp, a .NET program to capture data associated with the WhatsApp web app and save it as an archive
● Finally, a program called TomBerBil may be used to extract cookies and credentials from web browsers like Google Chrome and Microsoft Edge and to steal passwords
“The attackers are actively using techniques to bypass defences in an attempt to mask their presence in the system,” said the Kaspersky researchers.
“To protect the organisation’s infrastructure, we recommend adding to the firewall denylist the resources and IP addresses of cloud services that provide traffic tunnelling. In addition, users must be required to avoid storing passwords in their browsers, as it helps attackers to access sensitive information.”
Wanda Parisien is a computing expert who navigates the vast landscape of hardware and software. With a focus on computer technology, software development, and industry trends, Wanda delivers informative content, tutorials, and analyses to keep readers updated on the latest in the world of computing.
