ToddyCat advanced threat actor targets high-profile entities with new malware

Kaspersky researchers reported an ongoing campaign carried out by an advanced persistent threat (APT) group dubbed ToddyCat. The activity has focused on compromising multiple Microsoft Exchange servers using two malicious programs called Samurai backdoor and Ninja Trojan. The campaign has primarily targeted government and military organizations in Europe and Asia.

ToddyCat is a relatively new, sophisticated APT group. Kaspersky researchers first detected the group in December 2020 when it carried out a number of attacks on Microsoft Exchange servers. In February-March 2021, Kaspersky observed a quick escalation as ToddyCat started to abuse the ProxyLogon vulnerability in Microsoft Exchange Servers to compromise multiple organizations across Europe and Asia. Starting in September 2021, the group shifted its attention to desktop machines related to government and diplomatic entities in Asia. The group constantly updates its arsenal and continues to perform attacks in 2022.

While it is unclear what the initial vector of infection for the latest activities is, the researchers have conducted a thorough analysis of the malware used in the campaigns. ToddyCat employs Samurai Backdoor and Ninja Trojan, two sophisticated cyber-espionage tools designed to penetrate deeply in targeted networks, while persistently maintaining stealth.

Samurai is a modular backdoor and a final-stage component of the attack that allows the attacker to administrate the remote system and move laterally within the compromised network. This malware stands out because it uses multiple control flow and case statements to jump between instructions. This makes it hard to track the order of actions in the code. It is also used to launch another new malware dubbed Ninja Trojan, a complex collaborative tool that allows multiple operators to work on the same machine simultaneously.

Ninja Trojan also provides a large set of commands, which allows the attackers to control remote systems while avoiding detection. It is usually loaded into the memory of a device and launched by various loaders. The Ninja Trojan starts the operation by retrieving configuration parameters from the encrypted payload, and then deeply infiltrates a compromised network. The capabilities of the malware include managing file systems, starting reverse shells, forwarding TCP packets and even taking control of the network in specific timeframes, which can be dynamically configured using a specific command.

The malware also resembles some other well-known post-exploitation frameworks, such as CobaltStrike, with Ninja’s features allowing it to limit the number of direct connections from the targeted network to the remote command and control systems without internet access. In addition, it can control HTTP indicators and camouflage the malicious traffic in HTTP requests, making them appear legitimate by modifying HTTP header and URL paths. These capabilities make Ninja Trojan particularly stealthy.

“ToddyCat is a sophisticated threat actor with elevated technical skills, which is able to fly under the radar and make its way into the top-level organizations,” said Giampaolo Dedola, security expert at Kaspersky. “Despite the number of loaders and attacks discovered during the last year, we still don’t have complete visibility of their operations and tactics. Another noteworthy characteristic of ToddyCat is its focus on advanced malware capabilities – Ninja Trojan got its name for a reason – it is hard to detect and, therefore, hard to stop. The best way to face this kind of threat is to use multi-layer defenses, which provide information on internal assets and stay up-to-date with the latest threat intelligence.”

To learn more about ToddyCat, its techniques, and ways to protect your network from their attacks, read the report on Securelist.

To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

• Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky almost 25 years. Access to its curated features if free of charge, allowing users to check files, URLs, and IP addresses. It is available here.
• Upskill your cybersecurity team to prepare them for tackling the latest targeted threats with Kaspersky online training developed by GReAT experts.
• For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
• In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
• Many targeted attacks start with phishing or other social engineering techniques, therefore it is worth introducing security awareness training and teaching practical skills to your team, for example, through the Kaspersky Automated Security Awareness Platform. 

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.