The advanced persistent threat (APT) actor known as ToddyCat has been linked to a new set of malicious tools designed for data exfiltration, providing deep insight into the tactics and capabilities of hacking crews.
The findings come from Kaspersky, which first highlighted the rival last year, linking it to attacks against high-profile entities in Europe and Asia for nearly three years.
While the group’s arsenal prominently includes the Ninja Trojan and a backdoor called Samurai, further investigation revealed a whole range of malicious software developed and maintained by the actor to gain persistence, perform file operations, and load additional payloads at runtime.
This comprises a collection of loaders that comes with capabilities to launch the Ninja Trojan as a second stage, a tool called LoFiSe to find and collect files of interest, a DropBox uploader to save stolen data to Dropbox, and Pcexter to exfiltrate archive files to Microsoft OneDrive.
ToddyCat has also been observed utilizing custom scripts for data collection, a passive backdoor that receives commands with UDP packets, Cobalt Strike for post-exploitation, and compromised domain admin credentials to facilitate lateral movement to pursue its espionage activities.
“We saw script variants that were designed solely to collect data and copy files to specific folders, but without including them in compressed archives,” Kaspersky said.
“In these cases, the actor executed the script on the remote host using standard remote task execution techniques. The collected files were manually transferred to the exfiltration host using the xcopy utility and finally compressed using the 7z binary.”
The disclosure comes as Check Point revealed that government and telecom entities in Asia have been targeted as part of an ongoing campaign since 2021 using a wide variety of “disposable” malware to evade detection and deliver next-stage malware.
The activity, according to the cybersecurity firm, relies on infrastructure that overlaps with that used by ToddyCat.
