Elusive ToddyCat APT Targets Microsoft Exchange Servers

The threat actor targets institutions and companies in Europe and Asia.

An advanced persistent threat (APT) group, dubbed ToddyCat, is believed to be behind a series of attacks targeting the Microsoft Exchange servers of high-profile government and military installations in Asia and Europe. The campaigns, according to researchers, began in December 2020, and their complexity has been poorly understood until now.

“The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443,” wrote Giampaolo Dedola, security researcher at Kaspersky, in a report outlining the APT.

Researchers said ToddyCat is a relatively new APT and that there is “little information about this actor.”

The APT leverages two passive backdoors within the Exchange Server environment with malware called Samurai and Ninja, which researchers say are used by the adversaries to take complete control of the victim’s hardware and network.

The Samurai malware was part of a multi-stage infection chain initiated by the infamous China Chopper web shell, which was used to drop the exploits on selected Exchange servers in Taiwan and Vietnam starting in December 2020, Kaspersky reports.

The researchers stated that the malware allows “arbitrary C# code execution and is used with multiple modules that allow the attacker to administrate the remote system and move laterally inside the targeted network.” In some cases, they said, the Samurai backdoor lays the path to launch another malicious program called Ninja.

Aspects of ToddyCat’s threat activities were also tracked by cybersecurity firm ESET, which dubbed the “cluster of activities” seen in the wild as Websiic. Meanwhile, researchers at GTSC identified another part of the group’s infection vectors and techniques in a report outlining the delivery of the malware’s dropper code.

“That said, as far as we know, none of the public accounts described sightings of the full infection chain or later stages of the malware deployed as part of this group’s operation,” Kaspersky wrote.

Multiple Strings of Attacks on Exchange Server Over the Years

During the period between December 2020 and February 2021, the first wave of attacks was carried out against a limited number of servers in Taiwan and Vietnam.

In the next period, between February 2021 and May 2021, researchers observed a sudden surge in attacks. That’s when, they said, the threat actor began abusing the ProxyLogon vulnerability to target organizations in multiple countries including Iran, India, Malaysia, Slovakia, Russia and the United Kingdom.

After May 2021, the researchers observed activity attributed to the same group targeting the previously mentioned countries as well as military and government organizations based in Indonesia, Uzbekistan and Kyrgyzstan. In this third wave the attack surface expanded to desktop systems, whereas previously the scope had been limited to Microsoft Exchange servers only.

Attack Sequence

The attack sequence is initiated after the deployment of the China Chopper web shell, which allows the dropper to execute, install the components and create multiple registry keys.

The registry modification made in the prior step forces “svchost” to load a malicious library, “iiswmi.dll”, which in turn invokes the third stage: a “.Net loader” that executes and opens the Samurai backdoor.
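As an added example that is not part of this article or the Kaspersky report, the following Python detector flags the loader step described above in Sysmon-style image-load records. It assumes the only legitimate home of iiswmi.dll is the IIS inetsrv directory; that path, the field names and the sample events are constructed for the example.

```python
import re

# Constructed Sysmon-style "Image loaded" (Event ID 7) records, flattened to
# one key=value line each. The iiswmi.dll load from a temp directory is the
# suspicious one; the inetsrv load stands in for the legitimate IIS provider.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\inetsrv\\iiswmi.dll Signed=true",
    "EventID=7 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\Temp\\iiswmi.dll Signed=false",
    "EventID=7 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe ImageLoaded=C:\\Windows\\System32\\inetsrv\\iiswmi.dll Signed=true",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
]

# Assumption for this example: iiswmi.dll is expected only in the IIS directory;
# a copy anywhere else that svchost.exe pulls in is worth an alert.
EXPECTED_DIR = r"c:\windows\system32\inetsrv"

# Each value runs until the next " Key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Split a flattened key=value event line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def is_suspicious_iiswmi_load(ev: dict) -> bool:
    """True when svchost.exe loads a DLL named iiswmi.dll from outside EXPECTED_DIR."""
    if ev.get("EventID") != "7":
        return False
    loader = ev.get("Image", "").lower()
    loaded = ev.get("ImageLoaded", "").lower()
    if not loader.endswith("\\svchost.exe") or not loaded.endswith("\\iiswmi.dll"):
        return False
    directory = loaded.rsplit("\\", 1)[0]
    return directory != EXPECTED_DIR


def find_alerts(lines):
    """Return the ImageLoaded path of every suspicious load in the input."""
    events = [parse_event(line) for line in lines]
    return [ev["ImageLoaded"] for ev in events if is_suspicious_iiswmi_load(ev)]


if __name__ == "__main__":
    for path in find_alerts(SAMPLE_EVENTS):
        print("ALERT: svchost.exe loaded iiswmi.dll from unexpected location:", path)
```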

According to the researchers, the Samurai backdoor is hard to analyze during reverse engineering because it uses “switch cases to jump between instructions, thus flattening the control flow” alongside other obfuscation techniques.

In specific incidents, the advanced tool Ninja was deployed via Samurai to let multiple operators coordinate and work simultaneously on the same machine. The researchers explained that Ninja provides a large set of commands allowing an attacker to “control remote systems, avoid detection and penetrate deep inside a targeted network”.

Ninja shares similarities with other post-exploitation toolkits such as Cobalt Strike in terms of capabilities and features. It can “control the HTTP indicators and camouflage malicious traffic in HTTP requests that appear legitimate by modifying HTTP header and URL paths,” the researcher noted.

ToddyCat Activity Overlaps With Chinese APTs

According to the report, China-based hackers targeted victims of the ToddyCat APT gang within the same time frame. In those instances, researchers observed the Chinese-speaking hackers using an Exchange backdoor called FunnyDream.

“This overlap caught our attention, since the ToddyCat malware cluster is rarely seen as per our telemetry; and we observed the same targets compromised by both APTs in three different countries. Moreover, in all the cases there was a proximity in the staging locations and in one case they used the same directory,” researchers wrote.

The security researchers say that despite the “occasional proximity in staging locations”, they have no concrete proof linking the two malware families.

“Despite the overlap, we do not feel confident merging ToddyCat with the FunnyDream cluster at the moment,” Kaspersky wrote. “Considering the high-profile nature of all the victims we discovered, it is likely they were of interest to several APT groups,” the report added.

“The affected organizations, both governmental and military, show that this group is focused on very high-profile targets and is probably used to achieve critical goals, likely related to geopolitical interests,” Kaspersky wrote.