ToddyCat APT Abuses SMB, Exploits IKEEXT A Exchange RCE To Deploy ICMP Backdoor

ToddyCat is an APT group that has been active since December 2020, and primarily it targets the government and military entities in Europe and Asia. 

The group is known for its sophisticated cyber-espionage tactics and has been involved in multiple high-profile attacks.

Cybersecurity researchers at Kaspersky Lab identified that ToddyCat APT group has been abusing the SMB, exploiting IKEEXT and Exchange RCE to deploy ICMP backdoor.

ToddyCat APT Abuses SMB

In the year 2023, Kaspersky GERT investigated one of the largest internal frauds in a government organization.

Threat actors used an internal service to carry out several fraudulent operations leading to losses of well over 20 million dollars.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

GERT’s digital forensics and incident response (DFIR) analysis revealed multiple attack vectors like:-

• A vulnerability in a debugging interface that allowed cookie theft for user impersonation, identified through exception logging analysis.
• Privilege escalation and account manipulation to create fraudulent transactions and obfuscate user details.
• Unauthorized VPN access from both external and internal networks.

The team correlated user activities across various systems, including local and remote IDs, to confirm collusion between internal actors. 

This case highlights the critical importance of robust internal controls, privileged access management, and comprehensive logging for detecting and mitigating insider threats in financial systems.

Kaspersky has uncovered a long-standing intrusion in a customer’s infrastructure, revealing a sophisticated attack that had persisted for over 2 years. 

The threat actors apparently belonging to Flax Typhoon APT group, employed living-off-the-land techniques, using SoftEther VPN and Zabbix agent for other purposes than intended.

They sent malware hosted in Windows LOLBins like certutil and disguised services to go undetected.

The attack consisted of NTDS dumping, the usage of Mimikatz and CobaltStrike, specifically creating firewall rules for covert communication.

Due to this finding, the client was able to successfully sue an insider employee and his accomplices responsible for the abuse, which indicates the crucial need for an APT detection solution to confirm and eliminate long-standing threats.

GERT’s assessment matched the timeline of the attack, compromised users, and measures that were used in executing the attack.

The investigation showed SMB abuse, IKEEXT service persistence, and vulnerabilities (CVE-2021-26855) in remote code execution using Microsoft Exchange Servers.

Importantly, a malicious wlbsctrl.dll was used for persistence and lateral movement using the SMB protocol.

Mainly, identified was an ICMP backdoor that was embedded within an application as a loader with mutex checking, registry key manipulation, and execution of encrypted payloads.

The backdoor was implemented using the usual AES method, but the volume serial number of the C drive was one of the key parameters.

Payloads were the last in the stage at which the modules dllhost.exe were injected into, and they were invoked to create a raw ICMP socket, Base64 data reception, and use of encrypted shellcodes.

While the occurrence endured the characteristics of APT group ToddyCat’s TTPs, complete attribution is not evident.

The case highlights the essentiality of general assets availability surveillance, reliance on threat intelligence for protection, and provision of MDR services in all areas.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!