ToddyCat APT Adapting Techniques for Stealth and Data Theft

An investigation into the post-compromise tactics of the ToddyCat APT group by Kaspersky researchers reveals their use of network tunnels, evasion techniques, and multiple custom tools to achieve data exfiltration goals. Known for targeting governmental and defense-related organizations primarily in the Asia-Pacific region, ToddyCat focuses on extracting sensitive information from these entities. According to Kaspersky, ToddyCat employs advanced methods to maintain persistent access to compromised systems, deploying a variety of tools once high-privileged user credentials are secured, typically through PsExec or Impacket.

During the post-compromise stage, ToddyCat's operational tactics include establishing traffic tunnels to ensure continuous access and control over infiltrated networks. This includes deploying an "a.bat" script to modify permissions with icacls, rendering certain directories inaccessible even to system administrators to avoid detection and maintain stealth. Kaspersky researchers explain, "Once the permissions have been changed, neither normal users nor administrators will be able to access this folder. Attempting to open it will cause a 'no permission' error." The script adjusts folder permissions to prevent access, effectively locking down critical paths and using these secured nodes to facilitate uninterrupted command and control communications. Their SSH connection is initiated through a scheduled task, connecting to a remote host through port 22222, which redirects network traffic from the server to this port on the compromised host.

Furthermore, the APT group employs a diverse toolkit to bolster their command and control (C2) capabilities and data exfiltration efforts. Tools like SoftEther VPN and Ngrok enhance their ability to tunnel traffic between compromised hosts and their command centers. Additionally, they use the FRP client to create a fast reverse proxy that aids in obfuscating their network traffic. The group also deploys custom malware such as cuthead, a tool designed to recursively search and archive files from infected systems, and WAExp, a data stealer specifically targeting WhatsApp data from browsers.

The ToddyCat APT group's persistent threat activities, documented through targeted cyber-espionage campaigns across Asia and Europe, demonstrate a pattern aimed at high-profile sectors, with consistent targets including governmental and defense entities as well as telecommunications organizations. Past reports from Check Point Research and Kaspersky detail the group's strategic deployment of malware and exploitation of vulnerabilities, notably in Microsoft Exchange servers. These coordinated attacks, characterized by tools such as the China Chopper web shells and various custom-developed backdoors, align with tactics typically attributed to Chinese-speaking threat actors. Kaspersky's detailed report offers crucial insights, providing a glimpse into the necessary detection capabilities needed to monitor for signs of malicious behavior.