The superior persistent menace (APT) actor often called ToddyCat has been linked to a brand new set of malicious instruments which might be designed for information exfiltration, providing a deeper perception into the hacking crew’s ways and capabilities.
The findings come from Kaspersky, which first shed gentle on the adversary final yr, linking it to assaults in opposition to high-profile entities in Europe and Asia for almost three years.
Whereas the group’s arsenal prominently options Ninja Trojan and a backdoor referred to as Samurai, additional investigation has uncovered a complete new set of malicious software program developed and maintained by the actor to realize persistence, conduct file operations, and cargo extra payloads at runtime.
This includes a group of loaders that comes with capabilities to launch the Ninja Trojan as a second stage, a software referred to as LoFiSe to seek out and gather information of curiosity, a DropBox uploader to save lots of stolen information to Dropbox, and Pcexter to exfiltrate archive information to Microsoft OneDrive.
ToddyCat has additionally been noticed using customized scripts for information assortment, a passive backdoor that receives instructions with UDP packets, Cobalt Strike for post-exploitation, and compromised area admin credentials to facilitate lateral motion to pursue its espionage actions.
“We noticed script variants designed solely to gather information and replica information to particular folders, however with out together with them in compressed archives,” Kaspersky mentioned.
“In these circumstances, the actor executed the script on the distant host utilizing the usual distant job execution approach. The collected information had been then manually transferred to the exfiltration host utilizing the xcopy utility and at last compressed utilizing the 7z binary.”
The disclosure comes as Verify Level revealed that authorities and telecom entities in Asia have been focused as a part of an ongoing marketing campaign since 2021 utilizing all kinds of “disposable” malware to evade detection and ship next-stage malware.
The exercise, per the cybersecurity agency, depends on infrastructure that overlaps with that utilized by ToddyCat.
