ToyMaker Hackers Compromise Numerous Hosts via SSH and File Transfer Tools

In a alarming cybersecurity breach uncovered by Cisco Talos in 2023, a critical infrastructure enterprise fell victim to a meticulously orchestrated attack involving multiple threat actors.

The initial access broker, identified as “ToyMaker” with medium confidence as a financially motivated entity, exploited vulnerabilities in internet-facing servers to infiltrate the network.

A Sophisticated Multi-Actor Attack on Critical Infrastructure

Using a custom backdoor named “LAGTOY,” ToyMaker executed rapid reconnaissance, credential harvesting, and backdoor deployment across numerous hosts within a week.

Their tactics included dual-use remote administration tools, SSH utilities, and file transfer mechanisms, setting the stage for a secondary actor to escalate the attack.

After a three-week lull, access was handed over to the Cactus ransomware gang, notorious for double extortion schemes, who leveraged stolen credentials to deepen the compromise through network proliferation, data exfiltration, and ransomware deployment.

From Initial Breach to Double Extortion Tactics

ToyMaker’s initial moves involved system information discovery with commands like “whoami” and “ipconfig,” alongside creating fake user accounts such as ‘support’ for persistence.

They deployed the LAGTOY implant, a sophisticated backdoor also known as HOLERUN by Mandiant, which communicates with a hardcoded C2 server over port 443 using raw sockets, bypassing expected TLS protocols.

LAGTOY, installed as a service named ‘WmiPrvSV,’ features anti-debugging measures and time-based execution logic, ensuring stealthy operation with sleep intervals and watchdog routines.

Credential extraction was facilitated by tools like Magnet RAM Capture, with harvested data archived using 7za.exe and exfiltrated via PuTTY’s SCP utility.

Following the handover, Cactus conducted extensive endpoint enumeration, server scans, and data archiving for extortion, utilizing tools like AnyDesk, eHorus, and OpenSSH for long-term access.

Their operations included deleting volume shadow copies, modifying boot recovery settings, and deploying ransomware through malicious accounts, while meticulously covering tracks by clearing command histories and network logs.

This attack underscores the compartmentalized yet interconnected nature of modern cyber threats, where initial access brokers like ToyMaker pave the way for ransomware affiliates like Cactus.

According to the Report, Cisco Talos emphasizes the need for distinct threat modeling for such actors, proposing new methodologies to track these relationships in future analyses.

The disparity in tactics, techniques, and procedures (TTPs) between the two groups highlights the evolving complexity of cybercriminal ecosystems, necessitating robust endpoint security and network monitoring solutions to detect and mitigate such multi-stage attacks.

Indicators of Compromise (IOCs)

Category	Details
LAGTOY Hash	fdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be3826
Metasploit Shells	Multiple hashes including 0a367cc7e7e297248fad57e27f83316b7606788db9468f59031fed811cfe4867
ToyMaker Network IOCs	209.141.43.37, 194.156.98.155, 158.247.211.51, 39.106.141.68, others
Cactus Network IOCs	206.188.196.20, 51.81.42.234, 178.175.134.52, 162.33.177.56, others

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!