Researchers Unveil ToddyCat’s New Set of Instruments for Information Exfiltration


Oct 13, 2023 | Newsroom | APT / Malware


The advanced persistent threat (APT) actor known as ToddyCat has been linked to a new set of malicious tools designed for data exfiltration, offering deeper insight into the hacking crew's tactics and capabilities.

The findings come from Kaspersky, which first shed light on the adversary last year, linking it to attacks against high-profile entities in Europe and Asia over nearly three years.

While the group's arsenal prominently features the Ninja Trojan and a backdoor called Samurai, further investigation has uncovered a whole new set of malicious software developed and maintained by the actor to achieve persistence, conduct file operations, and load additional payloads at runtime.

This includes a collection of loaders capable of launching the Ninja Trojan as a second stage, a tool called LoFiSe to find and collect files of interest, a DropBox uploader to save stolen data to Dropbox, and Pcexter to exfiltrate archive files to Microsoft OneDrive.

ToddyCat has also been observed using custom scripts for data collection, a passive backdoor that receives commands via UDP packets, Cobalt Strike for post-exploitation, and compromised domain admin credentials to facilitate lateral movement in pursuit of its espionage activities.


“We observed script variants designed solely to collect data and copy files to specific folders, but without including them in compressed archives,” Kaspersky said.

“In these cases, the actor executed the script on the remote host using the standard remote task execution technique. The collected files were then manually transferred to the exfiltration host using the xcopy utility and finally compressed using the 7z binary.”

The disclosure comes as Check Point revealed that government and telecom entities in Asia have been targeted as part of an ongoing campaign since 2021 that uses a wide variety of “disposable” malware to evade detection and deliver next-stage malware.

The activity, per the cybersecurity firm, relies on infrastructure that overlaps with that used by ToddyCat.
