The threat actor, which has targeted high-profile organizations in Asia and Europe, typically breaks into organizations by compromising internet-facing Microsoft Exchange servers, following up with a multi-stage infection chain that deploys two custom malware programs.
“We still have little information about this actor, but we know that its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’,” the researchers said.
Microsoft Exchange exploits
According to Kaspersky Lab’s telemetry, ToddyCat’s malicious campaigns go back to December 2020, when the group targeted a limited number of Microsoft Exchange servers belonging to organizations in Taiwan and Vietnam.
It isn’t clear what vulnerability the group exploited in these early attacks because no sample of the exploit was recovered, but starting in February 2021 the group used ProxyLogon, a remote code execution exploit chain affecting Microsoft Exchange (the server-side request forgery CVE-2021-26855 chained with the arbitrary file write CVE-2021-27065) that Microsoft patched in March 2021 after attacks abusing it were discovered in the wild. It is possible that ToddyCat was one of the hacker groups, along with the Chinese state-sponsored actor Hafnium, that had access to the exploit before it was patched.
Like Hafnium, following the compromise of Exchange servers, the ToddyCat hackers deployed web shells, a variant of China Chopper, in order to maintain access to the servers. They then used this access to download and execute a malware dropper called debug.exe whose purpose was to set up several registry keys and decrypt additional payloads to execute. The infection chain involves two more malware loaders that carry encrypted payloads and ultimately result in the deployment of a backdoor program that the Kaspersky researchers dubbed Samurai.
The Samurai and Ninja backdoors
Samurai is a modular backdoor written in C# that uses the .NET HTTPListener class to receive and interpret HTTP POST requests. The attackers use this functionality to send encrypted C# source code that the backdoor decrypts, compiles and executes at runtime, so the modules never have to be written to disk as compiled assemblies. Because HTTPListener is built on the Windows HTTP.sys kernel driver, the URL prefixes such a backdoor registers appear alongside the legitimate Exchange and IIS prefixes in the output of netsh http show servicestate, which makes that command a quick check to run on a suspected Exchange server.
“The malware is obfuscated with an algorithm developed to increase the difficulty of reverse engineering by making the code hard to read,” the Kaspersky researchers said. “Moreover, the malware uses multiple while loops and switch cases to jump between instructions, thus flattening the control flow and making it hard to track the order of actions in the code.”
The researchers identified several Samurai modules used by the attackers that allowed them to execute remote commands, enumerate files on the local disk, exfiltrate files, and open proxy connections to remote IP addresses on specific ports and process the responses.
“The cumbersome management of the Samurai backdoor using arguments in this structure suggests that the Samurai backdoor is the server-side component of a bigger solution that includes at least another client component providing an interface for the operators that can be used to automatically upload some predefined modules,” the researchers said.
In some specific instances, the Samurai backdoor was used to deploy another malware program that the researchers dubbed Ninja. This Trojan is written in C++ and is much more complex, providing the attackers with full remote control over the system. The researchers suspect it is part of a bigger post-exploitation toolkit developed by the group that resembles commercial ones such as Cobalt Strike.
The Ninja Trojan can list and manage running processes; manage the file system; start reverse shell sessions; inject code into arbitrary processes; and load additional modules.
“Moreover, the tool can be configured to communicate using multiple protocols and it includes features to evade detection, camouflaging its malicious traffic inside HTTP and HTTPS requests that try to appear legitimate by using popular hostname and URL path combinations,” the researchers said. “The configuration is fully customizable and is similar to other features provided by well-known post-exploitation tools such as Cobalt Strike and its Malleable C2 profiles.”
The Ninja agent can also be configured to operate only within specific timeframes and can act as a server for other agents in the same network, parsing and forwarding requests between them and a C2 server. This allows the hackers to operate deep inside networks without opening internet connections from every infected machine, directing all communications through a single node instead. For defenders, the consequence is that egress logs alone will not reveal the scope of an intrusion: most infected hosts only ever talk to the relay node over the internal network, and only that node beacons out, with a Host header and URL path chosen to look like ordinary web traffic.
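The two behaviours described above, camouflaged Host headers and a single relay node fronting many internal agents, both leave a footprint in proxy and flow logs. The following script is an added example written for this article, not code from Kaspersky or from the ToddyCat toolset; the log records, the internal address range and the table of IP ranges that the named service is "known" to use are all constructed for the example (in practice the ranges would come from DNS resolution or ASN data). It flags requests whose Host header claims a known service while the destination IP falls outside that service's ranges, and internal hosts that receive connections from several internal peers while beaconing to one external destination at a steady interval.

```python
"""Hunt for relay nodes and camouflaged C2 traffic in proxy/flow records.

Constructed sample data, not real ToddyCat telemetry: four internal hosts talk
only to 10.0.0.5, which alone beacons out every 300 s with a Host header that
names a popular-looking domain while the destination IP belongs to no range
that domain is known to use.
"""
import ipaddress
import statistics
from collections import defaultdict

# Each record: (epoch seconds, src ip, dst ip, Host header or None, URL path or None).
# Constructed for this example; None means a non-HTTP flow with no Host header.
RECORDS = [
    # internal agents pushing to the relay node (no HTTP host header)
    (1000, "10.0.0.11", "10.0.0.5", None, None),
    (1060, "10.0.0.12", "10.0.0.5", None, None),
    (1120, "10.0.0.13", "10.0.0.5", None, None),
    (1180, "10.0.0.14", "10.0.0.5", None, None),
    # the relay node beaconing out at a fixed interval with a camouflaged Host header
    (1000, "10.0.0.5", "203.0.113.7", "cdn.example-popular.com", "/static/app.js"),
    (1300, "10.0.0.5", "203.0.113.7", "cdn.example-popular.com", "/static/app.js"),
    (1600, "10.0.0.5", "203.0.113.7", "cdn.example-popular.com", "/static/app.js"),
    (1900, "10.0.0.5", "203.0.113.7", "cdn.example-popular.com", "/static/app.js"),
    # legitimate traffic: a workstation reaching the real service, and a file server
    (1010, "10.0.0.20", "198.51.100.10", "cdn.example-popular.com", "/index.html"),
    (1500, "10.0.0.21", "10.0.0.50", None, None),
]

# Assumed (constructed) mapping: the IP ranges the legitimate service behind each
# Host header is known to use. Real data would come from DNS/ASN lookups.
KNOWN_RANGES = {
    "cdn.example-popular.com": [ipaddress.ip_network("198.51.100.0/24")],
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def host_mismatches(records, known_ranges):
    """Requests whose Host header names a known service but whose destination
    IP is outside every range that service uses: the camouflage pattern."""
    hits = []
    for _ts, src, dst, host, path in records:
        if host is None or host not in known_ranges or is_internal(dst):
            continue
        dst_ip = ipaddress.ip_address(dst)
        if not any(dst_ip in net for net in known_ranges[host]):
            hits.append((src, dst, host, path))
    return hits


def relay_candidates(records, min_peers=3, min_beacons=3, max_jitter=0.2):
    """Internal hosts with at least min_peers internal inbound peers that also
    connect to a single external destination at a regular interval.
    Jitter is the coefficient of variation of the gaps between connections."""
    inbound = defaultdict(set)                       # node -> internal peers
    outbound = defaultdict(lambda: defaultdict(list))  # node -> ext dst -> times
    for ts, src, dst, _host, _path in records:
        if is_internal(src) and is_internal(dst):
            inbound[dst].add(src)
        elif is_internal(src):
            outbound[src][dst].append(ts)

    found = []
    for node, peers in inbound.items():
        if len(peers) < min_peers:
            continue
        for ext, times in outbound.get(node, {}).items():
            if len(times) < min_beacons:
                continue
            times = sorted(times)
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
                found.append({"node": node, "peers": sorted(peers),
                              "c2": ext, "interval_s": mean})
    return found


if __name__ == "__main__":
    for hit in host_mismatches(RECORDS, KNOWN_RANGES):
        print("host/destination mismatch:", hit)
    for cand in relay_candidates(RECORDS):
        print("relay candidate:", cand)
```

On the constructed data the script reports the four beacons from 10.0.0.5 as Host/destination mismatches and names 10.0.0.5 as a relay candidate with four internal peers and a 300-second interval; the workstation that reaches the service's real range and the file server with a single peer are not flagged. The jitter threshold matters because a real agent usually randomizes its sleep, so tune max_jitter against your own baseline rather than expecting perfectly regular gaps.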
A focus on high-profile targets
Since the attacks started in December 2020, they have continued throughout 2021 and until at least February this year. Kaspersky has identified targeted organizations in Taiwan, Vietnam, Afghanistan, India, Iran, Malaysia, Pakistan, Russia, Slovakia, Thailand, the UK, Kyrgyzstan, Uzbekistan and Indonesia.
It is also worth noting that not all ToddyCat attacks used Microsoft Exchange as an entry point. In some cases, the researchers found loaders for the Ninja Trojan that were delivered in ZIP archives over the Telegram messaging app. This suggests the group has directly targeted certain individuals as well in order to gain a foothold inside organizations of interest.
The Kaspersky researchers observed some victim overlaps with Chinese-speaking threat actors, particularly with a Chinese APT group that uses a backdoor program called FunnyDream. However, despite some similarities, there is no strong evidence connecting the two groups or malware families. The nature of the victim organizations likely makes them interesting targets for multiple APT groups, so any overlaps could be a coincidence.
“The affected organizations, both governmental and military, show that this group is focused on very high-profile targets and is likely used to achieve critical goals, likely related to geopolitical interests,” the Kaspersky researchers said.
The Kaspersky report includes a number of file hashes for the discovered ToddyCat malware samples as well as other indicators of compromise.