Concise Cyber


ToddyCat APT Targets Microsoft 365 Tokens and Outlook Data with New Malware

The advanced persistent threat (APT) group known as ToddyCat has evolved its tactics, targeting high-profile government entities in Europe and Asia. According to cybersecurity researchers, the group has deployed a new set of sophisticated tools designed to maintain persistence, control compromised networks, and exfiltrate specific data. The initial access vector for these attacks often involves exploiting vulnerabilities in Microsoft Exchange servers.

This campaign, detailed by researchers from Kaspersky’s Global Research and Analysis Team (GReAT), highlights the group’s focus on long-term espionage and data theft. The new components in ToddyCat’s arsenal demonstrate a significant upgrade in their operational capabilities.

New Malware Arsenal: Samurai and Ninja

Among the new tools is a backdoor named Samurai. Samurai is a passive backdoor: rather than beaconing out to a command-and-control server, it waits for the operators to connect in, which suits an implant planted on an internet-facing server and leaves less outbound traffic for defenders to spot. Its primary function is to establish and maintain a persistent foothold within the victim’s network, allowing for sustained intelligence gathering. The group also deploys a trojan called Ninja, which lets the operators manage many compromised machines from a central point and move laterally across the network.

Targeting Cloud and Email Data

ToddyCat’s data exfiltration strategy specifically targets sensitive communication data. The group uses a custom tool named LoFi to locate and steal Microsoft Outlook data files, both offline storage tables (.OST, the locally cached copy of a mailbox) and personal storage tables (.PST, user-created archives). Exfiltrating these files hands the attackers a complete, searchable mailbox history, including attachments, and does so without issuing a single request to Exchange or Microsoft 365, so server-side mailbox audit logs never record the access. Because Outlook holds its .OST open while running, a tool that manages to copy one off a live workstation is itself a useful hunting signal.

In addition to email data, the attackers have been observed stealing Microsoft 365 access tokens. The tokens are harvested from the profile data that web browsers such as Google Chrome and Microsoft Edge keep in their user data folders on disk. A token is issued only after the user has already completed sign-in, including any MFA challenge, so replaying it from attacker infrastructure impersonates the user without a password prompt or a second factor ever being triggered. It also means that resetting the victim’s password is not enough on its own: already-issued tokens remain valid until they expire or the user’s sessions are explicitly revoked.
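The two collection behaviours described above (copying Outlook .OST/.PST files and reading browser profile stores) both show up on the endpoint as an unexpected process opening a file it has no business touching. The following hunt is an added example written for this page; it is not code from Kaspersky, CSO Online, or the ToddyCat toolset. It assumes a hypothetical pipe-delimited file-access feed (`timestamp|host|user|process_path|target_path`, as you might export from EDR file telemetry or Windows object-access auditing) and uses a constructed sample log; the process allowlists are assumptions you would tune for your estate.

```python
"""Hunt file-access log lines for ToddyCat-style collection behaviour.

Added example, not code from the reported campaign. Log format is a
hypothetical pipe-delimited line: timestamp|host|user|process_path|target_path
"""
from collections import Counter
from dataclasses import dataclass
import re

# Outlook data files the report says the attackers copy off disk.
OUTLOOK_DATA_EXT = (".ost", ".pst")

# Files inside a Chromium profile that hold session cookies, saved logins and the
# DPAPI-wrapped master key ("Local State") needed to decrypt them.
BROWSER_SECRET_FILES = {"local state", "cookies", "login data", "web data"}

# Matches the Chrome or Edge "User Data" folder anywhere in a path (case-insensitive).
BROWSER_USER_DATA = re.compile(r"\\(google\\chrome|microsoft\\edge)\\user data\\", re.I)

# Assumed allowlists: processes expected to open these files. Tune for your estate.
EXPECTED_OUTLOOK_READERS = {"outlook.exe"}
EXPECTED_BROWSER_READERS = {"chrome.exe", "msedge.exe"}


@dataclass(frozen=True)
class Finding:
    kind: str       # "outlook-archive-access" or "browser-token-store-access"
    timestamp: str
    host: str
    user: str
    process: str
    target: str


def parse_line(line):
    """Split one log line into a dict; return None for malformed input."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5:
        return None
    ts, host, user, process, target = parts
    return {"timestamp": ts, "host": host, "user": user, "process": process, "target": target}


def classify(event):
    """Return a Finding if the event looks like mailbox or token-store collection."""
    process_name = event["process"].rsplit("\\", 1)[-1].lower()
    target = event["target"]
    target_lower = target.lower()
    basename = target_lower.rsplit("\\", 1)[-1]

    if target_lower.endswith(OUTLOOK_DATA_EXT) and process_name not in EXPECTED_OUTLOOK_READERS:
        return Finding("outlook-archive-access", event["timestamp"], event["host"],
                       event["user"], event["process"], target)

    if (BROWSER_USER_DATA.search(target) and basename in BROWSER_SECRET_FILES
            and process_name not in EXPECTED_BROWSER_READERS):
        return Finding("browser-token-store-access", event["timestamp"], event["host"],
                       event["user"], event["process"], target)

    return None


def hunt(lines):
    """Parse every line, drop malformed ones, and return the findings in log order."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per kind, e.g. for a dashboard tile or alert body."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample log: benign Outlook and Chrome activity, then an unsigned
# binary dropped in C:\Windows\Temp reading mailbox caches and browser stores.
SAMPLE_LOG = [
    "2025-10-21T08:02:11Z|WS-0417|CORP\\alice|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\alice@corp.example.ost",
    "2025-10-21T08:05:40Z|WS-0417|CORP\\alice|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies",
    "2025-10-21T09:14:03Z|WS-0417|CORP\\alice|C:\\Windows\\Temp\\svchost.exe|C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\alice@corp.example.ost",
    "2025-10-21T09:14:05Z|WS-0417|CORP\\alice|C:\\Windows\\Temp\\svchost.exe|C:\\Users\\alice\\Documents\\Outlook Files\\archive2019.pst",
    "2025-10-21T09:16:22Z|WS-0417|CORP\\alice|C:\\Windows\\Temp\\svchost.exe|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State",
    "2025-10-21T09:16:23Z|WS-0417|CORP\\alice|C:\\Windows\\Temp\\svchost.exe|C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data",
    "2025-10-21T09:20:00Z|WS-0417|CORP\\alice|C:\\Windows\\explorer.exe|C:\\Users\\alice\\Documents\\notes.txt",
    "malformed line",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.kind}: {f.process} -> {f.target}")
    print(summarize(hunt(SAMPLE_LOG)))
```

Two caveats before running this against real telemetry. The allowlists match on image name only, so a thief renamed to outlook.exe slips through; in production key the allowlist on the full signed image path, or on the signer, instead. And these endpoint signals only catch the collection step: once a token has been replayed from outside, the evidence lives in the Microsoft 365 sign-in and audit logs (new IP or device for an existing session, no interactive sign-in preceding mailbox reads), so pair the endpoint hunt with an identity-side one.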

Source: https://www.csoonline.com/article/4096650/toddycat-apt-evolves-to-target-outlook-archives-and-microsoft-365-tokens.html