New ToddyCat Hacker Group On Experts’ Radar After Targeting MS Exchange Servers


An advanced persistent threat (APT) actor codenamed ToddyCat has been linked to a series of attacks targeting high-profile entities in Europe and Asia since at least December 2020.

The relatively new hostile collective is said to have started operations by targeting Microsoft Exchange servers in Taiwan and Vietnam using an unknown exploit to deploy the China Chopper web shell and trigger a multi-stage infection chain.

Other prominent countries targeted include Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, the UK and Uzbekistan, with the threat actor developing its toolset over the course of several campaigns.

“The first wave of attacks focused solely on Microsoft Exchange servers, which were compromised with Samurai, a sophisticated passive backdoor that typically operates on ports 80 and 443,” Russian cybersecurity firm Kaspersky said in a report published today.

“The malware allows the execution of arbitrary C# code and is used with multiple modules that allow the attacker to control the remote system and move laterally within the target network.”

ToddyCat, also tracked as Websiic by Slovakian cybersecurity firm ESET, was first exposed in March 2021 for exploiting ProxyLogon Exchange flaws to target email servers belonging to private companies in Asia and a government agency in Europe.

After the China Chopper web shell is deployed, the attack sequence leads to the execution of a dropper, which modifies the Windows registry to start a second-stage loader. That loader is in turn designed to launch a third-stage .NET loader responsible for running Samurai.

The backdoor not only uses techniques like obfuscation and control flow flattening to make it resistant to reverse engineering, but is also modular: its components allow it to execute arbitrary commands and exfiltrate files of interest from the compromised host.

Also seen in specific incidents is an advanced tool called Ninja, which is spawned by the Samurai implant and likely functions as a collaboration tool allowing multiple operators to work on the same machine at the same time.

Despite its similarities to other post-exploitation toolkits such as Cobalt Strike, the malware allows the attacker to “control systems remotely, avoid detection, and penetrate deep into a targeted network.”

Although ToddyCat victims are linked to countries and sectors traditionally targeted by Chinese-speaking groups, there is no evidence linking the modus operandi to any known threat actor.

“ToddyCat is an advanced APT group that uses multiple techniques to avoid detection and thus unobtrusively keep itself informed,” said Kaspersky security researcher Giampaolo Dedola.

“The organizations affected, both the government and the military, show that this group is targeted at very high-profile targets and is likely to be used to achieve critical goals, likely related to geopolitical interests.”