The superior persistent risk (APT) actor referred to as ToddyCat has been linked to a brand new set of malicious instruments which can be designed for knowledge exfiltration, providing a deeper perception into the hacking crew’s techniques and capabilities.
The findings come from Kaspersky, which first shed mild on the adversary final 12 months, linking it to assaults in opposition to high-profile entities in Europe and Asia for practically three years.
Whereas the group’s arsenal prominently options Ninja Trojan and a backdoor known as Samurai, additional investigation has uncovered a complete new set of malicious software program developed and maintained by the actor to realize persistence, conduct file operations, and cargo further payloads at runtime.
This includes a group of loaders that comes with capabilities to launch the Ninja Trojan as a second stage, a software known as LoFiSe to search out and accumulate information of curiosity, a DropBox uploader to save lots of stolen knowledge to Dropbox, and Pcexter to exfiltrate archive information to Microsoft OneDrive.
ToddyCat has additionally been noticed using customized scripts for knowledge assortment, a passive backdoor that receives instructions with UDP packets, Cobalt Strike for post-exploitation, and compromised area admin credentials to facilitate lateral motion to pursue its espionage actions.
“We noticed script variants designed solely to gather knowledge and duplicate information to particular folders, however with out together with them in compressed archives,” Kaspersky mentioned.
“In these circumstances, the actor executed the script on the distant host utilizing the usual distant job execution approach. The collected information had been then manually transferred to the exfiltration host utilizing the xcopy utility and at last compressed utilizing the 7z binary.”
The disclosure comes as Verify Level revealed that authorities and telecom entities in Asia have been focused as a part of an ongoing marketing campaign since 2021 utilizing all kinds of “disposable” malware to evade detection and ship next-stage malware.
The exercise, per the cybersecurity agency, depends on infrastructure that overlaps with that utilized by ToddyCat.
