New Todicat hacker group on experts’ radar after targeting MS Exchange server


An Advanced Continuing Threat (APT) actor codename Todikat At least since December 2020, Europe and Asia have been linked to a string of attacks targeting high-profile entities.

The relatively new adversary group is said to have launched its activities by setting up a China Chopper web shell and activating a multi-stage infection chain using an unknown exploit targeting Microsoft Exchange servers in Taiwan and Vietnam.

Other prominent countries targeting Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, the United Kingdom and Uzbekistan are among the other countries where the threat actor developed his toolset during various campaigns.

“The first wave of attacks targeted exclusively Microsoft Exchange servers, which were compromised with Samurai, a sophisticated passive backdoor that typically operates on ports 80 and 443,” said Russian cybersecurity company Kaspersky. Says In a report published today.

Cyber ​​security

“The malware allows C # code to be executed arbitrarily and is used with multiple modules that allow the attacker to manage remote systems and move sideways within the target network.”

ToddyCat, also tracked by Slovak cybersecurity firm ESET under moniker Websiic, first came to light in March 2021 to exploit the flaws of the ProxyLogen exchange to target the email servers of private companies in Asia and a government agency in Europe.

After installing the China Chopper web shell, the sequence of attacks leads to the performance of a dropper which, in turn, is used to modify the Windows registry to launch a second-level loader, which, as part of it, is designed to trigger. The third level .NET loader that is responsible for running the samurai.

In addition to using techniques such as opacity and control flow leveling to prevent backdoor, reverse engineering, it is possible to modulate elements that execute arbitrary commands and extract files of interest from the compromised host.

Also observed in certain cases is a sophisticated tool called Ninja which was developed by Samurai Implant and probably acts as a collaborative tool that allows multiple operators to work simultaneously on the same machine.

Cyber ​​security

Despite its features similar to other post-exploitation toolkits such as Cobalt Strike, malware enables attackers to “control remote systems, avoid detection, and penetrate deeper into targeted networks”.

Although Todikat’s victims are traditionally associated with the country and sector targeted by the Chinese-speaking group, there is no evidence that Modus Operandi, a well-known threat actor, was tied up.

“Todicat is a sophisticated APT group that uses multiple techniques to avoid detection and as a result maintains a low profile,” said Giampaolo Dedola, a Kaspersky security researcher.

“Affected organizations, both government and military, show that the group focuses on very high-profile goals and is probably used to achieve important goals related to geopolitical interests.”

Source link