The threat actor known as ToddyCat has been observed using a wide range of tools to retain access to compromised environments and steal valuable data.
Russian cybersecurity firm Kaspersky characterized the adversary as relying on various programs to harvest data on an "industrial scale" from primarily governmental organizations, some of them defense related, located in the Asia-Pacific region.
"To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack," security researchers Andrey Gunkin, Alexander Fedotov, and Natalya Shornikova said.
ToddyCat was first documented by the company in June 2022 in connection with a series of cyber attacks aimed at government and military entities in Europe and Asia since at least December 2020. These intrusions leveraged a passive backdoor dubbed Samurai that allows for remote access to the compromised host.
A closer examination of the threat actor's tradecraft has since uncovered additional data exfiltration tools like LoFiSe and Pcexter to gather data and upload archive files to Microsoft OneDrive.
The latest set of programs entail a mix of tunneling data gathering software, which are put to use after the attacker has already obtained access to privileged user accounts in the infected system. This includes -
- Reverse SSH tunnel using OpenSSH
- SoftEther VPN, which is renamed to seemingly innocuous files like "boot.exe," "mstime.exe," "netscan.exe," and "kaspersky.exe"
- Ngrok and Krong to encrypt and redirect command-and-control (C2) traffic to a certain port on the target system
- FRP client, an open-source Golang-based fast reverse proxy
- Cuthead, a .NET compiled executable to search for documents matching a specific extension or a filename, or the date when they are modified
- WAExp, a .NET program to capture data associated with the WhatsApp web app and save it as an archive, and
- TomBerBil to extract cookies and credentials from web browsers like Google Chrome and Microsoft Edge
Maintaining multiple simultaneous connections from the infected endpoints to actor-controlled infrastructure using different tools is seen as a fallback mechanism and a way to retain access in cases where one of the tunnels is discovered and taken down.
"The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system," Kaspersky said.
"To protect the organization's infrastructure, we recommend adding to the firewall denylist the resources and IP addresses of cloud services that provide traffic tunneling. In addition, users must be required to avoid storing passwords in their browsers, as it helps attackers to access sensitive information."