Researchers at the Kaspersky Lab have published a Analysis Formerly an unregistered Advanced Persistent Threat (APT) group that they dubbed Todikat.
The threat actor, who has targeted high-profile companies in Asia and Europe, often hacks into Internet-oriented Microsoft Exchange servers to break up companies, following a multi-stage infection chain that installs two custom malware programs.
“We still have very little information about this actor, but we know that its main distinguishing feature is the two previously unknown tools we call ‘Samurai Backdoor’ and ‘Ninja Trojan’,” the researchers said.
Exploitation of Microsoft Exchange
According to Kaspersky Lab’s telemetry, ToddyCat’s malicious promotions go back to December 2020 when the group targeted a limited number of Microsoft Exchange servers belonging to companies in Taiwan and Vietnam.
It is unknown at this time what he will do after leaving the post. Wild is discovered. It is possible that Todicat was one of the hacker groups, with Chinese state-sponsored actor Hafnium, who gained exploit access before the patch.
Like Hafnium, after compromising with the Exchange server, Todicat hackers installed an alternative to Web Shell চায় China Chopper জন্য to maintain access to the servers. They then used this access to download and execute a malware dropper called debug.exe, which was intended to set up multiple registry keys and decrypt additional payloads for execution. The transmission chain involves two additional malware loaders containing encrypted payloads and eventually a backdoor program that Kaspersky researchers call samurai.
Samurai and ninja back door
Samurai is a modular backdoor written in C # using the .NET HTTPListener class to receive and interpret HTTP POST requests. Attackers use this functionality to send encrypted C # source code which decrypts backdoor and executes during runtime.
Kaspersky researchers say that “malware is obscured by an algorithm designed to increase the difficulty of reverse engineering by complicating the reading of code.” Makes it hard to track. “
Researchers have identified multiple samurai modules used by attackers that allow them to execute remote commands, count files on a local disk, exfiltrate files, and open proxy connections to remote IP addresses at specific ports and process responses.
“Troubled administration of Samurai Backdoor using this framework argument suggests that Samurai Backdoor is a large solution server-side component providing at least one interface for other client component operators that can be used to automatically upload some predefined automatic modules.” .
In certain cases, the samurai backdoor was used to set up another malware program that researchers called Ninja. This Trojan program is written in C ++ and it provides much more complex, complete remote control over the attacker’s system. Researchers suspect that the Trojan is part of a larger anti-exploitation toolkit created by a commercial group such as Cobalt Strike.
Ninja Trojan can list and manage running processes; File system management; Start reverse shell session; Inject code indiscriminately and load additional modules.
“Also, the tool can be configured to communicate using multiple protocols and has features to avoid detection, disguising its malicious traffic between HTTP and HTTPS requests that try to validate using popular hostname and URL path combinations,” the researchers said. “The configuration is fully customizable and similar to the famous post-exploitation tools such as Cobalt Strike and other features provided by its flexible C2 profile.”
Ninja malicious agents can be configured to work within specific timelines and act as a server for other agents on the same network, parsing and forwarding requests between them and a C2 server. This allows hackers to work deeper into the network without having to connect to the Internet from all infected machines and instead manage all communications through a single node.
Focus on high-profile targets
Since the attacks began in December 2020, they have continued throughout 2021 and until at least February this year. Kaspersky has targeted organizations in Taiwan, Vietnam, Afghanistan, India, Iran, Malaysia, Pakistan, Russia, Slovakia, Thailand, the United Kingdom, Kyrgyzstan, Uzbekistan and Indonesia.
It’s also worth noting that not all Todicat attacks use Microsoft Exchange as an entry point. In some cases, researchers have discovered a loader for the Ninja Trojan that was delivered to the Zip Archive via the Telegram messaging app. This means that the group is directly targeting specific individuals in order to gain a foothold within the organizations of interest.
Kaspersky researchers have observed some victim overlaps with Chinese-speaking threat actors, most notably with a Chinese APT group that uses a backdoor program called Fanidrim. However, despite some similarities, there is no strong evidence to link the two groups or the malware family. The nature of the hunting organizations probably makes them an attractive target for several APT groups, so any overlap can be a coincidence.
“Both the government and the military have shown that this group focuses on very high-profile goals and is probably used to achieve important goals related to geopolitical interests,” said Kaspersky researchers.
The Kaspersky Report includes various file hashes for Todicat malware samples discovered, as well as other indicators of compromise.
Copyright © 2022 IDG Communications, Inc.