APT actor ToddyCat hits government and military targets in Europe and Asia

Researchers from Kaspersky Lab have published an analysis of a previously undocumented advanced persistent threat (APT) group that they have dubbed ToddyCat.

The threat actor, which has targeted high-profile organizations in Asia and Europe, often breaks into organizations by hacking into internet-facing Microsoft Exchange servers, following up with a multi-stage infection chain that deploys two custom malware programs.

“We still have little information about this actor, but we know that its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’,” the researchers said.

Microsoft Exchange exploits

According to Kaspersky Lab’s telemetry, ToddyCat’s malicious campaigns go back at least to December 2020, when the group targeted a limited number of Microsoft Exchange servers belonging to organizations in Taiwan and Vietnam.

It’s not clear what vulnerability the group exploited in those early attacks because no sample of the exploit was recovered, but starting in February 2021 the group used ProxyLogon, a remote code execution exploit chain affecting Microsoft Exchange that Microsoft patched in March 2021 after attacks abusing it were discovered in the wild. It’s possible that ToddyCat was one of the hacker groups, along with the Chinese state-sponsored actor Hafnium, that had access to the exploit before it was patched.

Copyright © 2022 IDG Communications, Inc.
