ToddyCat Hackers have been seen using many tools to penetrate vulnerable environments and steal data.

Kaspersky described the attacker as using multiple tools to harvest data on an “industrial scale” from Asia-Pacific government agencies, some of which are defense-related.

You might be interested: The Role of a Cybersecurity Specialist

Security researchers Andrey Gunkin, Alexander Fedotov, and Natalya Shornikova said attackers must automate data harvesting and provide multiple ways to access and monitor systems they attack to collect large amounts of data from many hosts.

The company discovered ToddyCat in June 2022 in conjunction with a series of cyber attacks against European and Asian government and military groups since December 2020. Samurai, a passive backdoor, allowed remote access to the vulnerable system.

Further investigation of the threat actor’s tradecraft revealed LoFiSe and Pcexter to capture data and transfer archive files to Microsoft OneDrive.

Recent programs use tunneling data collection software after the attacker has gained access to privileged user accounts in the affected system. This includes:

• OpenSSH reverse SSH tunnel using SoftEther VPN, renamed as “boot.exe,” “mstime.exe,” “netscan.exe,” and “kaspersky.exe”
• The Ngrok and Krong tools encrypt and redirect C2 traffic to a specific port on the target machine. The FRP client is an open-source Golang-based fast reverse proxy.
• Cuthead, a.NET executable, searches for documents with a certain extension, filename, or modification date.
• WAExp, a.NET software, archives WhatsApp data, while TomBerBil extracts cookies and credentials from browsers including Google Chrome and Microsoft Edge.

Maintaining numerous simultaneous connections from infected endpoints to actor-controlled infrastructure using different technologies is a fallback technique to maintain access if a tunnel is found and pulled down.

“The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system,” stated Kaspersky.

“Add cloud services that tunnel traffic to the firewall denylist to protect the organization’s infrastructure. Users should also be required to avoid saving passwords in their browsers, which enables attackers to access sensitive data.”

SOURCE