ToddyCat's New Set of Data Exfiltration Tools is Unveiled by Researchers -

Post Views: 246

ToddyCat’s New Set of Data Exfiltration Tools is Unveiled by Researchers

ToddyCat, an advanced persistent threat (APT) actor, has been connected to a fresh batch of malicious tools intended for data exfiltration, providing more information on the strategies and toolset of the hacking group.

The information was discovered by Kaspersky, which exposed the attacker for the first time last year and connected attacks on prominent targets in Europe and Asia across a roughly three-year period.

Further examination has shown a completely new collection of malicious software created and maintained by the actor to achieve persistence, perform file operations, and load additional payloads at runtime, despite the group’s arsenal prominently featuring Ninja Trojan and a backdoor named Samurai.

This includes a set of loaders that can start the Ninja Trojan as a second stage, LoFiSe, a tool for finding and gathering files of interest, a Dropbox uploader for saving stolen data to Dropbox, and Pcexter for exfiltrating archive files to Microsoft OneDrive.

In order to move laterally and carry out its espionage activities, ToddyCat has also been seen using bespoke scripts for data collection, a passive backdoor that receives commands via UDP packets, Cobalt Strike, and compromised domain admin credentials.

Kaspersky

“We saw script variations that were only intended to gather information and copy files to particular folders—not to include them in compressed bundles.”

“In these instances, the actor used the common method for remote task execution to run the script on the remote host. After manually transferring the collected files to the exfiltration host with the xcopy tool, the files were subsequently compressed with the 7z binary.”

The information was made public at the same time Check Point disclosed that government and telecom companies in Asia have been the focus of an ongoing campaign since 2021 that uses a range of “disposable” malware to avoid detection and spread more advanced malware.

According to the cybersecurity company, the activity depends on infrastructure that is also used by ToddyCat.

About The Author

Suraj Koli is a content specialist with expertise in Cybersecurity and B2B Domains. He has provided his skills for News4Hackers Blog and Craw Security. Moreover, he has written content for various sectors Business, Law, Food & Beverage, Entertainment, and many others. Koli established his center of the field in a very amazing scenario. Simply said, he started his career selling products, where he enhanced his skills in understanding the product and the point of view of clients from the customer’s perspective, which simplified his journey in the long run. It makes him an interesting personality among other writers. Currently, he is a regular writer at Craw Security.