Saturday, February 8, 2025
HomeCVE/vulnerabilityToddyCat APT Abuses SMB, Exploits IKEEXT A Exchange RCE To Deploy ICMP...

ToddyCat APT Abuses SMB, Exploits IKEEXT A Exchange RCE To Deploy ICMP Backdoor

Published on

SIEM as a Service

Follow Us on Google News

ToddyCat is an APT group that has been active since December 2020, and primarily it targets the government and military entities in Europe and Asia. 

The group is known for its sophisticated cyber-espionage tactics and has been involved in multiple high-profile attacks.

Cybersecurity researchers at Kaspersky Lab identified that ToddyCat APT group has been abusing the SMB, exploiting IKEEXT and Exchange RCE to deploy ICMP backdoor.

ToddyCat APT Abuses SMB

In the year 2023, Kaspersky GERT investigated one of the largest internal frauds in a government organization.

Threat actors used an internal service to carry out several fraudulent operations leading to losses of well over 20 million dollars.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Insider fraud attack (Source – Securelist)

GERT’s digital forensics and incident response (DFIR) analysis revealed multiple attack vectors like:-

  • A vulnerability in a debugging interface that allowed cookie theft for user impersonation, identified through exception logging analysis.
  • Privilege escalation and account manipulation to create fraudulent transactions and obfuscate user details.
  • Unauthorized VPN access from both external and internal networks. 

The team correlated user activities across various systems, including local and remote IDs, to confirm collusion between internal actors. 

This case highlights the critical importance of robust internal controls, privileged access management, and comprehensive logging for detecting and mitigating insider threats in financial systems.

Kaspersky has uncovered a long-standing intrusion in a customer’s infrastructure, revealing a sophisticated attack that had persisted for over 2 years. 

The threat actors apparently belonging to Flax Typhoon APT group, employed living-off-the-land techniques, using SoftEther VPN and Zabbix agent for other purposes than intended.

They sent malware hosted in Windows LOLBins like certutil and disguised services to go undetected.

The attack consisted of NTDS dumping, the usage of Mimikatz and CobaltStrike, specifically creating firewall rules for covert communication.

Due to this finding, the client was able to successfully sue an insider employee and his accomplices responsible for the abuse, which indicates the crucial need for an APT detection solution to confirm and eliminate long-standing threats.

GERT’s assessment matched the timeline of the attack, compromised users, and measures that were used in executing the attack.

The investigation showed SMB abuse, IKEEXT service persistence, and vulnerabilities (CVE-2021-26855) in remote code execution using Microsoft Exchange Servers.

Importantly, a malicious wlbsctrl.dll was used for persistence and lateral movement using the SMB protocol.

Mainly, identified was an ICMP backdoor that was embedded within an application as a loader with mutex checking, registry key manipulation, and execution of encrypted payloads.

ICMP backdoor (Source – Securelist)

The backdoor was implemented using the usual AES method, but the volume serial number of the C drive was one of the key parameters.

Payloads were the last in the stage at which the modules dllhost.exe were injected into, and they were invoked to create a raw ICMP socket, Base64 data reception, and use of encrypted shellcodes.

While the occurrence endured the characteristics of APT group ToddyCat’s TTPs, complete attribution is not evident.

The case highlights the essentiality of general assets availability surveillance, reliance on threat intelligence for protection, and provision of MDR services in all areas.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

New Scareware Attack Targeting Mobile Users to Deploy Malicious Antivirus Apps

A new wave of scareware attacks has emerged, targeting unsuspecting mobile users with fake...

Microsoft Sysinternals 0-Day Vulnerability Enables DLL Injection Attacks on Windows

A critical zero-day vulnerability has been discovered in Microsoft Sysinternals tools, posing a serious security threat...