ToddyCat: A New Cybercrime Group Focused on Big Business

Investigators from Kaspersky warn of an ongoing campaign carried out by an advanced persistent threat group (APT) called ToddyCat, whose aim is to compromise multiple Microsoft Exchange servers using two malicious programs: the Samurai backdoor and the Ninja Trojan. The campaign was mainly aimed at public administration and the military sector in Europe and Asia.

ToddyCat is a relatively new and sophisticated APT group whose activity was first detected by Kaspersky researchers in December 2020, when it carried out a series of attacks on targeted Microsoft Exchange servers. Between February and March 2021, Kaspersky saw a rapid escalation when ToddyCat began exploiting the ProxyLogon vulnerability on Microsoft Exchange servers to compromise multiple organizations across Europe and Asia.

Since September 2021, the group has shifted its attention to desktop machines belonging to government and diplomatic entities in Asia. The group constantly updates its arsenal and has continued to carry out attacks in 2022.

While the initial infection vector for the most recent activity is still unclear, researchers have performed a thorough analysis of the malware used in the campaigns and concluded that ToddyCat uses the Samurai backdoor and the Ninja Trojan, two sophisticated cyber-espionage tools designed to penetrate deeply into target networks while remaining stealthy.

Samurai is a modular backdoor used in the final phase of the attack that allows the attacker to administer the remote system and move laterally within the compromised network. This malware stands out because it uses multiple control flows and case statements to jump between instructions, which makes the order of actions in the code difficult to follow.

Samurai is also used to launch a second piece of malware, the Ninja Trojan, a complex collaborative tool that allows multiple operators to work on the same machine simultaneously.

The Ninja Trojan also provides a large set of commands that allow attackers to control remote systems while avoiding detection. It is normally loaded into a device's memory and launched by one of several loaders.

The Ninja Trojan starts the operation by retrieving configuration parameters from the encrypted payload, and then deeply infiltrates a compromised network.

The malware's capabilities include managing file systems, starting reverse shells, forwarding TCP packets and even taking control of the network during specific time periods, which can be configured dynamically using a dedicated command.

The malware also resembles other well-known post-exploitation frameworks such as Cobalt Strike, with Ninja's features allowing it to limit the number of direct connections from the targeted network to the remote command-and-control systems, including from hosts without Internet access. Furthermore, it can control HTTP indicators and camouflage malicious traffic inside HTTP requests, making them look legitimate by modifying the HTTP headers and URL paths. These capabilities make the Ninja Trojan particularly stealthy.

"The ToddyCat group is a sophisticated threat agent with high technical capabilities, capable of flying under the radar and becoming a high-level organization. Despite the number of loaders and attacks discovered over the past year, we still don't have complete visibility into their operations and tactics. Another notable feature of ToddyCat is its focus on advanced malware capabilities – the Ninja Trojan got its name for a reason. It is difficult to detect and therefore difficult to stop. The best way to deal with this type of threat is to use multi-layer defenses that provide information about internal assets and keep up to date with the latest threat information," comments Giampaolo Dedola, security expert at Kaspersky.

To learn more about ToddyCat, its techniques and ways to protect your network from potential attacks, see the report on SecureList.
