Posted on June 23, 2022 at 4:52 AM

Security researchers warn against newly discovered ToddyCat APT Group

Cybersecurity experts have discovered an advanced persistent threat (APT) actor codenamed ToddyCat that targets MS Exchange Servers. The threat actor has been seen targeting government and military entities in Asia and Europe since December 2020.

The new adversarial collective is known to have started operations by launching attacks on Microsoft exchange servers in Taiwan and Vietnam. It uses an unidentified exploit to plant the China Chopper web shell and activate a multi-stage infection chain.

The Threat Actor Has Launched Attacks On Other Countries

Apart from the two countries, the threat actor is also launching attacks on servers in other countries. These include the United Kingdom, Thailand, Pakistan, Russia, Malaysia, Kyrgyzstan, Indonesia, Iran, Afghanistan, and Uzbekistan. Additionally, the researchers noted that the threat actors are rapidly distributing this malware due to enhancements to their toolset throughout successive campaigns.

Russian Security Company, Kaspersky, noted that the first wave of attacks concentrated on Microsoft Exchange Servers, which were infected with an enhanced passive backdoor known as Samurai. The backdoor generally works on ports 443 and 80, according to the security company.

Also, it was discovered that the malware enables arbitrary C# code execution. It is utilized with several modules that enable the threat actor to control the remote system and navigate easily within the targeted network.

The ToddyCat malware is also tracked by Slovak cybersecurity company ESET as Websiic. It was first seen in March last year when it exploited the ProxyLogon Exchange vulnerabilities to attack email servers in government organizations in Europe and private firms in Asia.

The attack sequence is typical of the deployment of the China Chopper web shell. This can result in the execution of a dropper that can be utilized to enable Windows Registry modifications to launch a second-stage loader. This can be used to set off a third-stage .NET loader that can easily run Samurai,

The Backdoor Uses Higher Evasive Techniques

The backdoor utilizes techniques like controlling glow glattening to make it resistant to reverse engineering. Apart from this function, it also makes it easier to execute arbitrary commands, which steal the targeted files from the affected system or server. This makes the backdoor highly effective for exfiltrating files from already compromised systems and sending the files to the control server of the threat actor.

The security firms also discovered a unique feature in some of the incidents. In a typical exploit, a sophisticated tool known as Ninja, spawned by the Samurai, works as a collaborative tool. It enables several operators to work on the same system simultaneously.

It comes with similar features as other post-exploitation toolkits like Cobalt Strike. But it also allows the threat actor to avoid detection while having remote control of the systems. It can also give the hacker the firepower to penetrate deep inside a targeted system.

No Evidence Tying ToddyCat To A Known Threat Group

Although the TodyCat malware selects its victims from countries traditionally targeted by Chinese-speaking groups, it has not yet been linked to any known threat group. The researchers say there is no evidence yet that the malware is used or distributed by any known threat actor.

A security researcher at Kaspersky Global Research Analysis Team (GReAT(, Giampaolo Dedola, commented on the development. He noted that ToddyCat is an advanced threat group that utilizes a series of techniques to avoid detection while exploiting the targeted system for a long time. The researcher noted that the threat group has been in existing for a longer time, but its evasive techniques have made it very difficult to detect.

The Threat Actor Focuses On High Profile Targets

The attack on organizations, both military and governmental, is an indication that the threat actor is looking at very high-profile targets. This also suggests that the aim of the threat actor is related to geopolitical issues based on the critical goals they pursue. It’s also a point to show that the threat actor could be sponsored by a government entity, but the malware has not been linked to any known threat group yet.

The latest findings by the threat actors show that more attackers are no longer looking at simple or easier targets. They are developing highly sophisticated tools that can help them launch successful attacks on highly critical organizations that offer very important services to the majority of the country’s population. As a result, experts have warned that organizations and governmental establishments should improve their security to shield against such attacks on their servers.