The advanced persistent threat (APT) actor known as ToddyCat has been linked to a new set of malicious tools that are designed for data exfiltration, offering a deeper insight into the hacking crew’s tactics and capabilities.
While the group’s arsenal prominently features Ninja Trojan and a backdoor called Samurai, further investigation has uncovered a whole new set of malicious software developed and maintained by the actor to achieve persistence, conduct file operations, and load additional payloads at runtime.
This comprises a collection of loaders that comes with capabilities to launch the Ninja Trojan as a second stage, a tool called LoFiSe to find and collect files of interest, a DropBox uploader to save stolen data to Dropbox, and Pcexter to exfiltrate archive files to Microsoft OneDrive.
ToddyCat has also been observed utilizing custom scripts for data collection, a passive backdoor that receives commands with UDP packets, Cobalt Strike for post-exploitation, and compromised domain admin credentials to facilitate lateral movement to pursue its espionage activities.
“We observed script variants designed solely to collect data and copy files to specific folders, but without including them in compressed archives,” Kaspersky said.
“In these cases, the actor executed the script on the remote host using the standard remote task execution technique. The collected files were then manually transferred to the exfiltration host using the xcopy utility and finally compressed using the 7z binary.”
The disclosure comes as Check Point revealed that government and telecom entities in Asia have been targeted as part of an ongoing campaign since 2021 using a wide variety of “disposable” malware to evade detection and deliver next-stage malware.
The activity, per the cybersecurity firm, relies on infrastructure that overlaps with that used by ToddyCat.