Advanced Persistent Threat actor ToddyCat identified targeting several countries

An Advanced Persistent Threat (APT) group named ToddyCat has been attacking Microsoft Exchange servers in Asia and Europe since December 2020.

An Advanced Persistent Threat (APT) is a prolonged and targeted cyberattack in which the intruder gains access to a network and remains undetected. APT attacks are designed to steal valuable information and data from corporate networks.

The group attacked Microsoft Exchange servers in Taiwan and Vietnam by deploying the China Chopper web shell to gain remote access to the enterprise network and trigger a multi-stage infection chain.

According to a source, the other Asian and European countries targeted include India, Indonesia, Iran, Malaysia, Pakistan, Russia, Slovakia, Uzbekistan, Thailand, Afghanistan, and the U.K.

Kaspersky, the Russia-based security company, published a report on the activity today. It stated, “The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443.”

“The malware allows arbitrary C# code execution and is used with multiple modules that allow the attacker to administrate the remote system and move laterally inside the targeted network,” the report adds.

According to reports from the Slovak cybersecurity firm ESET, ToddyCat exploited the ProxyLogon vulnerability in Exchange in March 2021 to target the email servers of government bodies across Asia and Europe. ProxyLogon refers to the Microsoft Exchange vulnerability CVE-2021-26855; exploiting it gives the threat actor access to the email servers.

The attackers used the China Chopper web shell to make a Windows Registry modification that launches a second-stage and then a third-stage .NET loader, which in turn runs the Samurai backdoor.
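Because a China Chopper style web shell is a tiny .aspx page that receives its commands in HTTP POST bodies, one practical first triage step for an Exchange server is to look in the IIS logs for POSTs to .aspx paths that are not known application endpoints. The script below is an added example written for this article, not code from Kaspersky, ESET or the article itself; the log records are constructed, and the allowlist of legitimate POST targets is an illustrative assumption that a real deployment would build from its own baseline.

```python
"""Triage IIS W3C logs from an Exchange server for web-shell style POST traffic.

Added example (not from the article). Assumptions: the KNOWN_POST_ASPX
allowlist is illustrative, and SAMPLE_LOG is constructed for the demo.
"""
from collections import Counter

# Constructed sample in IIS W3C format: a #Fields directive followed by records.
# Real IIS logs replace spaces inside fields with '+', so whitespace splitting works.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-03-03 10:01:12 GET /owa/auth/logon.aspx - 10.0.0.5 Mozilla/5.0 200
2021-03-03 10:01:40 POST /owa/auth/logon.aspx - 10.0.0.5 Mozilla/5.0 302
2021-03-03 10:02:03 POST /aspnet_client/system_web/help.aspx - 203.0.113.9 python-requests/2.25 200
2021-03-03 10:02:05 POST /aspnet_client/system_web/help.aspx - 203.0.113.9 python-requests/2.25 200
2021-03-03 10:03:10 POST /ecp/default.aspx - 10.0.0.7 Mozilla/5.0 200
2021-03-03 10:04:00 POST /owa/auth/errorEE.aspx - 203.0.113.9 - 200
"""

# Illustrative allowlist (assumption): .aspx endpoints that legitimately receive POSTs.
KNOWN_POST_ASPX = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}


def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def flag_webshell_posts(text):
    """Return (suspicious records, POST count per client IP).

    The signal is a POST to an .aspx stem that is not a known application
    endpoint; repeated hits from one client IP strengthen the finding.
    """
    hits, per_ip = [], Counter()
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if rec["cs-method"] == "POST" and stem.endswith(".aspx") and stem not in KNOWN_POST_ASPX:
            hits.append(rec)
            per_ip[rec["c-ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    suspicious, by_ip = flag_webshell_posts(SAMPLE_LOG)
    for rec in suspicious:
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"])
    print(dict(by_ip))
```

Any path this flags should be checked on disk for an unexpected .aspx file and correlated with the registry and .NET loader stages described above, since the web shell is only the first link in the chain.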

The Samurai backdoor lets the threat actor bypass the device's normal authentication or encryption; the implant also lets multiple operators gain access to the compromised device.

Kaspersky security researcher Giampaolo Dedola said, “ToddyCat is a sophisticated APT group that uses multiple techniques to avoid detection and thereby keeps a low profile.”

Kaspersky researchers are concerned that the threat actor group is targeting both government and military sectors. They said, “The affected organizations, both government and military, show that this group is focused on very high-profile targets and is probably used to achieve critical goals, likely related to geopolitical interest.”