ToddyCat APT Spying on Asian Governments and Telecoms
China-Linked Espionage Group Used Custom Loaders to Evade Detection
Security researchers attributed a wave of targeted cyberattacks against telecommunications companies and government ministries in several Asian countries to a Chinese advanced persistent threat group named ToddyCat.
The China-based cyberespionage group has been expanding its cyberespionage operations in Asia since late 2022 and is using a new generation of loaders, customized variants and legitimate software to evade detection and refine its attack techniques, according to researchers at cybersecurity company Kaspersky.
"ToddyCat isn't just breaking into systems; they're setting up long-term operations to collect valuable information over an extended period, all while adapting to new conditions to remain undetected," said Giampaolo Dedola, lead security researcher at Kaspersky.
ToddyCat first exploited the ProxyLogon vulnerability in Microsoft Exchange servers in late 2020 to target high-profile organizations in the government and military sectors in Taiwan, Vietnam and other countries. In 2022, the group began using the Samurai backdoor to target organizations in Iran, Russia, the United Kingdom and India.
Kaspersky said Thursday that ToddyCat deployed many unique variants of its standard loaders and various legitimate tools to establish persistence within targeted networks, conduct reconnaissance and evade signature-based detection.
The APT group used the loaders to deploy its primary tools - the Ninja Trojan and the Samurai backdoor. Once deployed, Ninja can manage processes, control the file system, inject code and forward network traffic to a command-and-control server. Samurai, a passive backdoor, enables ToddyCat to execute arbitrary code, control a system remotely and move laterally inside a network.
Researchers also observed ToddyCat using legitimate software to refine its attack techniques, including deploying LoFiSe to find specific files, a Passive UDP Backdoor to establish persistence, a Dropbox uploader for data exfiltration and the well-known penetration testing tool Cobalt Strike.
Threat intelligence company Check Point on Wednesday blamed ToddyCat for a string of cyberespionage attacks targeting telecommunications companies and government organizations, primarily in Kazakhstan, Uzbekistan, Pakistan and Vietnam.
Check Point also noted that ToddyCat used multiple unique loaders and downloaders that had no clear code overlaps with products created by any known actors. This malware can perform a variety of functions, suggesting that the APT group treated them as disposable and only used them to gain initial access and execute a malicious payload.
ToddyCat's cyberespionage campaign, dubbed "Stayin' Alive" by Check Point, used spear-phishing emails to deliver archive files that relied on DLL side-loading. A spear-phishing email analyzed by Check Point contained a legitimately signed file, mDNSResponder.exe, and a side-loaded DLL named dal_keepalives.dll.
The side-loaded DLL loaded a backdoor called CurKeep, which copied itself to the %APPDATA% folder and set an environment variable to maintain persistence for the next execution of the payload. The espionage group used a variety of loaders to download and execute many other backdoor variants that performed specific functions.
"The use of disposable loaders and downloaders, as observed in this campaign, is becoming more common even among sophisticated actors," the Check Point team said. "The use of disposable tools makes both detection and attribution efforts more difficult, as they are replaced often, and possibly written from scratch. This is evident in the Stayin' Alive campaign in which high-profile organizations were targeted with very simple backdoors."