Security researchers have found that ToddyCat, a known advanced persistent threat (APT) actor, is deploying a new suite of malicious tools built for data exfiltration. The findings give a detailed look at the group's tactics and capabilities and at how its tradecraft is evolving.
The insights into ToddyCat’s enhanced toolkit have been unveiled by Kaspersky, a leading cybersecurity firm, which had previously identified the group’s activities in attacks against prominent organizations in Europe and Asia spanning nearly three years.
While ToddyCat was previously associated with the Ninja Trojan and a backdoor named Samurai, further investigation has unearthed an entirely new set of malicious software meticulously developed and managed by the group. These tools enable ToddyCat to maintain persistence within compromised systems, perform intricate file operations, and load additional payloads dynamically.
This expanded arsenal includes a series of loaders designed to launch the Ninja Trojan as a secondary stage, a utility named LoFiSe for identifying and gathering specific files, a DropBox uploader for storing pilfered data in Dropbox, and Pcexter for exfiltrating archive files to Microsoft OneDrive.
Moreover, ToddyCat has been observed utilizing customized scripts for targeted data collection, a passive backdoor that responds to commands sent via UDP packets, Cobalt Strike for post-exploitation activities, and compromised domain admin credentials to facilitate lateral movement, furthering their espionage efforts.
Kaspersky noted, “We observed script variants specifically crafted for data collection and file copying into designated folders, excluding them from compressed archives. In such instances, the actor executed the script on the remote host using standard remote task execution techniques. The gathered files were then manually transferred to the exfiltration host using the xcopy utility and subsequently compressed using the 7z binary.”
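The staging sequence Kaspersky describes above (files copied to a collection host with xcopy, then compressed there with 7z) is a pattern a defender can hunt for in process-creation telemetry. The following Python is an added example, not code from Kaspersky or from the article; its log format and event values are constructed, and the two-hour correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry), one per line:
# "<ISO timestamp> <host> <user> <command line>"
SAMPLE_EVENTS = r"""
2023-10-12T09:01:10 HOST-A svc_backup xcopy C:\Users\finance\Docs \\STAGE01\c$\tmp\out /E /Y
2023-10-12T09:03:42 STAGE01 admin 7z.exe a -p -mhe C:\tmp\out.7z C:\tmp\out
2023-10-12T11:20:05 HOST-B jdoe xcopy D:\build \\NAS\share\build /E
2023-10-12T14:00:00 HOST-C ops 7z.exe a C:\backup\logs.7z C:\logs
""".strip().splitlines()

# xcopy whose destination is a UNC path; capture the destination host name
XCOPY_UNC_RE = re.compile(r"\bxcopy\b.*?\s\\\\(?P<dst>[^\\\s]+)\\", re.IGNORECASE)
# 7-Zip "add to archive" invocation (7z a ...)
SEVENZ_ADD_RE = re.compile(r"\b7z(?:\.exe)?\s+a\b", re.IGNORECASE)

def parse_event(line):
    ts, host, user, cmd = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host.upper(), "user": user, "cmd": cmd}

def find_staging_chains(lines, window=timedelta(hours=2)):
    """Flag a 7z archive job on a host that received an xcopy within `window`.
    Either step alone is routine admin activity; the sequence landing on one
    collection host is what the quoted tradecraft describes."""
    events = [parse_event(l) for l in lines]
    copies = []  # (timestamp, source host, destination host) for each remote xcopy
    for e in events:
        m = XCOPY_UNC_RE.search(e["cmd"])
        if m:
            copies.append((e["ts"], e["host"], m.group("dst").upper()))
    alerts = []
    for e in events:
        if not SEVENZ_ADD_RE.search(e["cmd"]):
            continue
        for copy_ts, src, dst in copies:
            if dst == e["host"] and copy_ts <= e["ts"] <= copy_ts + window:
                alerts.append({"source": src, "staging_host": dst, "user": e["user"],
                               "minutes_after_copy": round((e["ts"] - copy_ts).total_seconds() / 60, 1)})
    return alerts

if __name__ == "__main__":
    for a in find_staging_chains(SAMPLE_EVENTS):
        print(f"xcopy from {a['source']} then 7z on {a['staging_host']} by {a['user']}, "
              f"{a['minutes_after_copy']} min later")
```

Only the HOST-A to STAGE01 pair is flagged: HOST-B's copy to NAS has no follow-on archive job, and HOST-C's 7z run had no preceding remote copy into it.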
This revelation coincides with Check Point’s recent disclosure, indicating that government and telecom entities in Asia have been under targeted assault since 2021. The attackers have employed a diverse range of “disposable” malware to evade detection and deliver subsequent-stage malware. Interestingly, this ongoing campaign shares infrastructure with ToddyCat, suggesting potential collaboration or overlap in their operations.