Thursday, July 18, 2024

ToddyCat APT Hackers Exploiting Vulnerable Microsoft Exchange Servers

ToddyCat, a highly skilled advanced persistent threat (APT) actor notorious for launching targeted attacks in Europe and Asia, has recently upgraded its arsenal of tools and methods, signifying an evolution in its modus operandi.

Recent findings from the cybersecurity researchers at SecureList by Kaspersky provide insights into their:-

  • New toolset
  • Data theft malware
  • Lateral movement techniques
  • Espionage operations

Researchers affirmed that the hackers behind the ToddyCat APT group are actively exploiting the vulnerable Microsoft Exchange servers.

Tools Used By Attackers

Here below, we have mentioned all the tools that the threat actors behind the ToddyCat APT group use:-

  • Standard loaders
  • Tailored loader
  • Ninja
  • LoFiSe
  • DropBox uploader
  • Pcexter
  • Passive UDP backdoor
  • CobaltStrike

ToddyCat APT Exploiting Exchange Servers

ToddyCat conducts espionage by infiltrating networks with loaders and Trojans. After gaining access, they collect data about connected hosts and perform discovery activities, enumerating domain accounts and servers using standard OS utilities like net and ping:-

net group "domain admins" /dom
net user %USER% /dom
net group "domain computers" /dom | findstr %VALUABLE_USER%
ping %REMOTE_HOST% -4

Attackers regularly change credentials and employ scripts in a scheduled task that runs briefly and is removed, along with network shares, for each targeted host.

Scheduled tasks may include discovery commands or scripts for data collection. The attacker can access the Output from these tasks by mounting a remote drive as a local share during lateral movement.

PowerShell commands from the PS1 script were duplicated in a BAT script to evade detection.

To avoid suspicion, the group consistently employs common task names like ‘one’ and ‘tpcd’ for a session. Script names are random keyboard-walking characters. They mount and delete a temporary share on the exfiltration host at the end of their activity.

The threat actor gathers files from various hosts, archives them, and exfiltrates them via public storage.

LoFiSe, designed for file collection, is complemented by other scripts for enumerating and collecting recently modified documents with specific extensions.

Besides this, the script variants for data collection didn’t use compressed archives. Files were copied to specific folders, transferred manually to the exfiltration host via xcopy, and then compressed with 7z.


97D0A47B595A20A3944919863A8163D1                    Variant “Update”
828F8B599A1CC4A02A2C3928EC3F5F8B                     Variant “VLC” A
90B14807734045F1E0A47C40DF949AC4                     Variant “VLC” B
0F7002AACA8C1E71959C3EE635A85F14                     Tailored loader
D3050B3C7EE8A80D8D6700624626266D                    Tailored loader
D4D8131ED03B71D58B1BA348F9606DF7                    Tailored loader
Passive UDP backdoors
Dropbox exfiltrator

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.


Latest articles

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...

Cybercriminals Exploit Attack on Donald Trump for Crypto Scams

Researchers at Bitdefender Labs remain ever-vigilant, informing users about the latest scams and internet...

New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations...

Volcano Demon Group Attacking Organizations With LukaLocker Ransomware

The Volcano Demon group has been discovered spreading a new ransomware called LukaLocker, which...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles