Tuesday, October 8, 2024
HomeCVE/vulnerabilityToddyCat APT Abuses SMB, Exploits IKEEXT A Exchange RCE To Deploy ICMP...

ToddyCat APT Abuses SMB, Exploits IKEEXT A Exchange RCE To Deploy ICMP Backdoor

Published on

ToddyCat is an APT group that has been active since December 2020, and primarily it targets the government and military entities in Europe and Asia. 

The group is known for its sophisticated cyber-espionage tactics and has been involved in multiple high-profile attacks.

Cybersecurity researchers at Kaspersky Lab identified that ToddyCat APT group has been abusing the SMB, exploiting IKEEXT and Exchange RCE to deploy ICMP backdoor.

- Advertisement - EHA

ToddyCat APT Abuses SMB

In the year 2023, Kaspersky GERT investigated one of the largest internal frauds in a government organization.

Threat actors used an internal service to carry out several fraudulent operations leading to losses of well over 20 million dollars.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Insider fraud attack (Source – Securelist)

GERT’s digital forensics and incident response (DFIR) analysis revealed multiple attack vectors like:-

  • A vulnerability in a debugging interface that allowed cookie theft for user impersonation, identified through exception logging analysis.
  • Privilege escalation and account manipulation to create fraudulent transactions and obfuscate user details.
  • Unauthorized VPN access from both external and internal networks. 

The team correlated user activities across various systems, including local and remote IDs, to confirm collusion between internal actors. 

This case highlights the critical importance of robust internal controls, privileged access management, and comprehensive logging for detecting and mitigating insider threats in financial systems.

Kaspersky has uncovered a long-standing intrusion in a customer’s infrastructure, revealing a sophisticated attack that had persisted for over 2 years. 

The threat actors apparently belonging to Flax Typhoon APT group, employed living-off-the-land techniques, using SoftEther VPN and Zabbix agent for other purposes than intended.

They sent malware hosted in Windows LOLBins like certutil and disguised services to go undetected.

The attack consisted of NTDS dumping, the usage of Mimikatz and CobaltStrike, specifically creating firewall rules for covert communication.

Due to this finding, the client was able to successfully sue an insider employee and his accomplices responsible for the abuse, which indicates the crucial need for an APT detection solution to confirm and eliminate long-standing threats.

GERT’s assessment matched the timeline of the attack, compromised users, and measures that were used in executing the attack.

The investigation showed SMB abuse, IKEEXT service persistence, and vulnerabilities (CVE-2021-26855) in remote code execution using Microsoft Exchange Servers.

Importantly, a malicious wlbsctrl.dll was used for persistence and lateral movement using the SMB protocol.

Mainly, identified was an ICMP backdoor that was embedded within an application as a loader with mutex checking, registry key manipulation, and execution of encrypted payloads.

ICMP backdoor (Source – Securelist)

The backdoor was implemented using the usual AES method, but the volume serial number of the C drive was one of the key parameters.

Payloads were the last in the stage at which the modules dllhost.exe were injected into, and they were invoked to create a raw ICMP socket, Base64 data reception, and use of encrypted shellcodes.

While the occurrence endured the characteristics of APT group ToddyCat’s TTPs, complete attribution is not evident.

The case highlights the essentiality of general assets availability surveillance, reliance on threat intelligence for protection, and provision of MDR services in all areas.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Badge and CyberArk Announce Partnership to Redefine Privacy in PAM and Secrets Management

Partnership aims to help businesses eliminate vulnerable attack surfaces and provide a more streamlined...

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

Critical Automative 0-Day Flaws Let Attackers Gain Full Control Over Cars

Recent discoveries in the automotive cybersecurity landscape have unveiled a series of critical zero-day...

Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

The Awaken Likho APT group launched a new campaign in June of 2024 with...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

The Awaken Likho APT group launched a new campaign in June of 2024 with...

Open-Source Scanner Released to Detect CUPS Vulnerability

A new open-source scanner has been released to detect a critical vulnerability in the...