Elusive ToddyCat APT Targets Microsoft Exchange Servers

Microsoft Exchange Servers belonging to high-profile government and military installations in Europe and Asia were targeted by a new advanced persistent threat (APT) group, nicknamed ToddyCat. These cyberattacks began in December 2020, but their complexity was not understood until now.

Security expert Giampaolo Dedola states in a report outlining the advanced persistent threat that:

“The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443.”

The ToddyCat APT Cyberattacks

The relatively new ToddyCat APT uses two previously unknown tools, the Samurai backdoor and the Ninja trojan, which give the attackers complete control of a victim’s hardware and network.

The Samurai backdoor executes arbitrary C# code. Combined with multiple modules, it lets the attacker administer the compromised system remotely and infiltrate the targeted network. The Samurai backdoor can also launch the Ninja malware.

ToddyCat carried out multiple waves of attacks on Exchange servers in Taiwan and Vietnam between December 2020 and February 2021. Between February 2021 and May 2021, the attackers increased the volume of their attacks and targeted organizations in India, Iran, Malaysia, Russia, Slovakia, and the U.K.

Researchers observed that the bad actors were now abusing the ProxyLogon vulnerability. The same group is suspected of attacking military and government organizations in:

  • Uzbekistan,
  • Indonesia, and
  • Kyrgyzstan (after May 2021)

The attacks later expanded to desktop systems, whereas previously Microsoft Exchange Servers had been the main target.

How the Cybercriminals Conducted their Attack Sequence

After deploying the China Chopper web shell, the attackers could execute and install the necessary components and create multiple registry keys. The registry modification causes “svchost” to load a malicious library, “iismwmi.dll,” which paves the way for the third stage.
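The article describes a registry change that makes svchost load an unexpected library. A defensive check that follows from this is to compare every DLL that svchost is configured to host against a vetted baseline and the directories such DLLs normally live in. The script below is an added example, not code from the article or from the researchers; the service records, the baseline DLL list, the “SuspiciousSvc” service name and the path shown for iismwmi.dll are all constructed for illustration (the article names the DLL but not its location). The ServiceDll value it mirrors is the real registry value under a hosted service’s Parameters key.

```python
"""Added example (not from the article): audit svchost-hosted service DLLs.

Each record mirrors the ServiceDll value a hosted service keeps under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<svc>\\Parameters. The records,
the baseline and the suspicious service name below are constructed.
"""
import ntpath

# Illustrative baseline of DLL names a defender has vetted (constructed,
# not an authoritative Windows inventory).
BASELINE_DLLS = {"wuaueng.dll", "schedsvc.dll", "dhcpcore.dll"}

# Directories where hosted service DLLs normally live (lower-cased).
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample records: (service name, ServiceDll value).
SAMPLE_SERVICES = [
    ("wuauserv", r"C:\Windows\System32\wuaueng.dll"),
    ("Schedule", r"%SystemRoot%\System32\schedsvc.dll"),
    ("Dhcp", r"C:\Windows\System32\dhcpcore.dll"),
    # Placeholder service name; DLL name from the article, path constructed.
    ("SuspiciousSvc", r"C:\Windows\System32\iismwmi.dll"),
    # Known DLL name but loaded from an unexpected location (constructed).
    ("OtherSvc", r"C:\ProgramData\tmp\schedsvc.dll"),
]


def normalize(path):
    """Expand %SystemRoot% (assumed to be C:\\Windows) and lower-case the path."""
    expanded = path.replace("%SystemRoot%", r"C:\Windows")
    expanded = expanded.replace("%systemroot%", r"C:\Windows")
    return expanded.lower()


def audit_service_dll(service, dll_path, baseline=BASELINE_DLLS):
    """Return the reasons this service DLL looks suspicious (empty if clean)."""
    path = normalize(dll_path)
    name = ntpath.basename(path)
    reasons = []
    if not path.startswith(EXPECTED_DIRS):
        reasons.append("ServiceDll outside the expected Windows directories")
    if name not in baseline:
        reasons.append("DLL name not in the vetted baseline")
    return reasons


def audit_all(services=SAMPLE_SERVICES):
    """Map each flagged service name to the list of reasons it was flagged."""
    findings = {}
    for service, dll in services:
        reasons = audit_service_dll(service, dll)
        if reasons:
            findings[service] = reasons
    return findings


if __name__ == "__main__":
    for svc, why in audit_all().items():
        print(f"{svc}: {'; '.join(why)}")
```

On a real host the records would come from an export of the Services registry hive rather than the constructed list, and the baseline would be built from a known-clean machine of the same build; the two checks are deliberately independent so that a familiar DLL name in an odd directory is flagged as well as an unfamiliar name in the system directory.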


In the third stage, the “.Net Loader” runs and starts the Samurai backdoor. This malware is difficult to analyze during reverse engineering because it jumps between instructions and flattens the control flow, alongside various other obfuscation techniques.

In the attack sequences, the Ninja tool was used together with the Samurai backdoor. Ninja lets multiple operators coordinate and collaborate simultaneously on the same device, and provides many commands for controlling remote systems, helping the attackers penetrate deep into the network and avoid detection.

In terms of capabilities and features, Ninja is similar to the Cobalt Strike toolkit. It can manipulate HTTP indicators and hide malicious traffic inside HTTP requests, modifying HTTP headers and URL paths so that the malicious requests look legitimate.

How to Stay Safe

Bad actors and cybercriminal groups worldwide are always looking for new ways to infiltrate systems. In recent years, such cyberattacks have increased, leaving governmental, military, and other organizations more vulnerable. These attackers do not target only high-profile individuals; ordinary citizens and companies both large and small can face the same problems.

Thus, staying safe online is now more important than ever. Here are a few things that can boost your security:

Use a VPN With Threat Protection

Today, VPNs are more popular than ever, thanks to their efficiency in guarding our private information and hiding our IP addresses. You can use a VPN to change your geo-location, mask your network, and browse the web without being tracked.


Some VPN companies offer more than just privacy: they can also block ads, trackers, malware, and more. NordVPN Threat Protection is one example. Threat protection lets users halt a cyber threat before it can do any damage to their devices.

This makes your browsing much safer, helping you identify malware files and preventing you from landing on malicious websites. Threat protection is also good at blocking online trackers and intrusive ads, and it may even help against phishing attacks. Whatever the case, a VPN with threat protection is a powerful combination that can help you stay safe even against the newest online threats.

Use Premium Antiviruses

There are many premium antiviruses that you can use to make your devices more secure. Don’t opt for free antiviruses, as they aren’t any good. Antiviruses are always updated with the latest threats and will keep you safe.

Choose the premium antivirus that you feel is best for your device. In most cases, free antiviruses can ironically be viruses themselves. Apart from this, you will also have to deal with ads and other distractions.

Keep Everything Updated

Updates are essential to the security of your device. Without updates, bad actors can easily infiltrate your system and steal your personal information. Updates ensure that weak spots in your security are fixed and strengthened. Be sure to update your OS and all your software regularly.
