A sophisticated cyber-espionage campaign attributed to the Advanced Persistent Threat (APT) group known as ToddyCat has been identified targeting governmental and military entities in Europe and Asia. Active since at least December 2020, this campaign utilizes a custom malware suite to gain persistent access and exfiltrate sensitive email communications directly from compromised servers.
The group, also tracked under the name ShroudedSnooper, has focused its operations on organizations located in Vietnam, Malaysia, Indonesia, Taiwan, India, Hong Kong, and Russia. The primary method for initial compromise involves the exploitation of vulnerabilities in Microsoft Exchange servers, allowing the attackers to establish a foothold within the target’s network.
The Ninja and Samurai Malware Arsenal
Once inside a network, ToddyCat deploys its primary backdoor, which security researchers have named Ninja. This malware is a highly advanced tool that provides attackers with extensive control over a compromised machine. Ninja is designed for stealth and persistence, capable of managing multiple operator sessions simultaneously, executing commands received from a control server, and employing fileless techniques to evade detection.
An evolution of this tool, dubbed Samurai, has also been observed. Samurai is a newer, updated version of the Ninja backdoor, incorporating additional features and refinements to enhance its operational capabilities and stealth. These backdoors serve as the core components for system control and the deployment of more specialized modules.
A Passive Backdoor for Outlook Web Access
A key component of the ToddyCat campaign is a specialized passive backdoor designed specifically for Microsoft Outlook Web Access (OWA). This malicious module is loaded into the Internet Information Services (IIS) web server process that runs OWA. It operates by passively inspecting all incoming HTTP requests to the server.
The backdoor activates when it detects an HTTP request containing a specially crafted cookie, which acts as a secret key. Upon receiving a valid request, the module executes commands embedded within the request body. Its primary function is to search for and steal emails directly from a user’s mailbox. The attackers can specify search criteria including email subject, body content, sender, recipient, and specific date ranges. The collected email data is then compressed into a ZIP archive and returned to the attacker within the HTTP response.
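Because this backdoor lives as an extra module inside the IIS worker process that serves OWA, one practical defensive check is to audit the server's module registrations against a known-good baseline. The following is an added example, not code from the Securelist report or from the ToddyCat tooling; the trusted-directory and namespace baselines are assumptions to adjust per server, and the configuration fragment (including the two flagged entries) is constructed for illustration.

```python
"""Audit an IIS applicationHost.config fragment for modules outside a trusted baseline."""
import xml.etree.ElementTree as ET

# Directories that legitimately host native IIS / Exchange module DLLs (assumed baseline).
TRUSTED_IMAGE_DIRS = (
    "%windir%\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\",
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\program files\\microsoft\\exchange server\\",
)
# .NET namespaces that legitimately supply managed modules (assumed baseline).
TRUSTED_TYPE_PREFIXES = ("system.web.", "microsoft.exchange.", "microsoft.web.")

# Constructed sample configuration. Names and paths are illustrative only; the
# "OwaFilter" and "OwaHelper" entries are invented placeholders, not real indicators.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="kerbauth" image="C:\Program Files\Microsoft\Exchange Server\V15\Bin\kerbauth.dll" />
      <add name="OwaFilter" image="C:\inetpub\temp\owafilter.dll" />
    </globalModules>
    <modules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" />
      <add name="ProxyModule" type="Microsoft.Exchange.HttpProxy.ProxyModule, Microsoft.Exchange.FrontEndHttpProxy" />
      <add name="OwaHelper" type="OwaHelper.Module, OwaHelper" />
    </modules>
  </system.webServer>
</configuration>"""


def audit_modules(config_xml: str) -> list[tuple[str, str, str]]:
    """Return (kind, name, image_or_type) for every module outside the trusted baseline."""
    root = ET.fromstring(config_xml)
    findings = []
    # Native modules load into every w3wp.exe worker and see every request before
    # the application does, which is exactly where a request-inspecting backdoor sits.
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            image = add.get("image", "")
            if not image.lower().startswith(TRUSTED_IMAGE_DIRS):
                findings.append(("native", add.get("name", ""), image))
    # Managed modules: the assembly-qualified type name shows where the code comes from.
    for section in root.iter("modules"):
        for add in section.findall("add"):
            type_name = add.get("type", "")
            if type_name and not type_name.lower().startswith(TRUSTED_TYPE_PREFIXES):
                findings.append(("managed", add.get("name", ""), type_name))
    return findings
```

Run it against the live file (`%windir%\System32\inetsrv\config\applicationHost.config` and the Exchange virtual directories' web.config) and treat any finding as a module to verify by file hash, signature and install history.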
Source: https://securelist.com/toddycat-apt-steals-email-data-from-outlook/118044/