APT actor ToddyCat hits government and military targets in Europe and Asia

Researchers from Kaspersky Lab have published an analysis of a previously undocumented advanced persistent threat (APT) group that they have dubbed ToddyCat.

The threat actor, which has targeted high-profile organizations in Asia and Europe, often breaks into organizations by hacking into internet-facing Microsoft Exchange servers, following up with a multi-stage infection chain that deploys two custom malware programs.

“We still have little information about this actor, but we know that its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’,” the researchers said.

Microsoft Exchange exploits

According to Kaspersky Lab’s telemetry, ToddyCat’s malicious campaigns goes as far back as December 2020 when the group targeted a limited number of Microsoft Exchange servers belonging to organizations in Taiwan and Vietnam.

It’s not clear what vulnerability the group exploited in those early attacks because no sample of the exploit was recovered, but starting in February 2021 the group used ProxyLogon, a remote code execution exploit chain affecting Microsoft Exchange that Microsoft patched in March 2021 after attacks abusing it were discovered in the wild. It’s possible that ToddyCat was one of the hacker groups, along with the Chinese state-sponsored actor Hafnium, that had access to the exploit before it was patched.

Like Hafnium, following the compromise of Exchange servers, the ToddyCat hackers deployed web shells—a variant of China Chopper—in order to maintain access to the servers. They then used this access to download and execute a malware dropper called debug.exe whose purpose was to set up multiple registry keys and decrypt additional payloads to execute. The infection chain involves two additional malware loaders that have encrypted payloads and eventually result in the deployment of a backdoor program that the Kaspersky researchers dubbed Samurai.

The Samurai and Ninja backdoors

Samurai is a modular backdoor written in C# that uses the .NET HTTPListener class to receive and interpret HTTP POST requests. The attackers use this functionality to send encrypted C# source code that the backdoor decrypts and executes during runtime.

“The malware is obfuscated with an algorithm developed to increase the difficulty of reverse engineering by making the code complicated to read,” the Kaspersky researchers said. “Moreover, the malware uses multiple while loops and switch cases to jump between instructions, thus flattening the control flow and making it hard to track the order of actions in the code.”

The researchers identified multiple Samurai modules used by the attackers that allowed them to execute remote commands, enumerate files on the local disk, exfiltrate files, and open proxy connections to remote IP addresses on specific ports and process the responses.

“The cumbersome administration of the Samurai backdoor using arguments in this structure suggests that the Samurai backdoor is the server-side component of a bigger solution that includes at least another client component providing an interface for the operators that can be used to automatically upload some predefined modules,” the researchers said.

In some specific instances, the Samurai backdoor was used to deploy another malware program that the researchers dubbed Ninja. This Trojan program is written in C++ and is much more complex, providing attackers with full remote control over the system. The researchers suspect this Trojan is part of a bigger post-exploitation toolkit developed by the group that resembles commercial ones like Cobalt Strike.

The Ninja Trojan can list and manage running processes; manage the file system; start reverse shell sessions; inject code in arbitrary processes and load additional modules.

“Moreover, the tool can be configured to communicate using multiple protocols and it includes features to evade detection, camouflaging its malicious traffic inside HTTP and HTTPS requests that try to appear legitimate by using popular hostname and URL path combinations,” the researchers said. “The configuration is fully customizable and is similar to other features provided by famous post-exploitation tools such as Cobalt Strike and its Malleable C2 profiles.”

The Ninja malicious agent can be configured to work within specific timeframes and can act as a server for other agents in the same network, parsing and forwarding requests between them and a C2 server. This allows the hackers to operate deep inside networks without opening internet connections from all infected machines and instead directed all communications through a single node.

A focus on high-profile targets

Since the attacks started in December 2020, they’ve continued throughout 2021 and until at least February this year. Kaspersky has identified targeted organizations in Taiwan, Vietnam, Afghanistan, India, Iran, Malaysia, Pakistan, Russia, Slovakia, Thailand, the United Kingdom, Kyrgyzstan, Uzbekistan and Indonesia.

It’s also worth noting that not all ToddyCat attacks used Microsoft Exchange as an entry point. In some cases, the researchers discovered loaders for the Ninja Trojan that were delivered in ZIP archives over the Telegram messaging app. This means the group has directly targeted certain individuals as well in order to get a foothold inside organizations of interest.

The Kaspersky researchers observed some victim overlaps with Chinese-speaking threat actors, particularly with a Chinese APT group that uses a backdoor program called FunnyDream. However, despite some similarities there is no strong evidence connecting the two groups or malware families. The nature of the victim organizations likely makes them interesting targets for several APT groups, so any overlaps could be a coincidence.

“The affected organizations, both governmental and military, show that this group is focused on very high-profile targets and is probably used to achieve critical goals, likely related to geopolitical interests,” the Kaspersky researchers said.

The Kaspersky report includes various file hashes for the discovered ToddyCat malware samples as well as other indicators of compromise.