New Toddycat APT Targets MS Exchange Servers in Europe and Asia

Written by

Kaspersky researchers have discovered a new advanced persistent threat (APT) targeting Microsoft’s Exchange servers in Europe and Asia.

Dubbed ToddyCat, the APT actor would be utilizing two formerly unknown tools Kaspersky called ‘Samurai backdoor’ and ‘Ninja Trojan,’ respectively.

According to the security researchers, ToddyCat first started its activities in December 2020, compromising selected Exchange servers in Taiwan and Vietnam via an unknown exploit that ultimately led to the final execution of the passive backdoor Samurai.

“During the first period, between December 2020 and February 2021, the group targeted a very limited number of servers in Taiwan and Vietnam, related to three organizations,” Kaspersky wrote in its SecureList blog.

“From February 26 until early March, we observed a quick escalation and the attacker abusing the ProxyLogon vulnerability to compromise multiple organizations across Europe and Asia.”

Telemetry collected by Kaspersky seems to hint that affected organizations, both governmental and military, show that ToddyCat is “focused on very high-profile targets and is probably used to achieve critical goals, likely related to geopolitical interests.”

For context, researchers from ESET as well as from Vietnamese company GTSC independently seemed to spot early signs of ToddyCat’s infections around the same time as Kaspersky.

“That said, as far as we know, none of the public accounts described sightings of the full infection chain or later stages of the malware deployed as part of this group’s operation,” the cybersecurity experts wrote.

While the first wave of attacks exclusively targeted Microsoft Exchange Servers via the Samurai backdoor, some of these attacks witnessed the deployment of another sophisticated malicious program: Ninja.

“This tool is probably a component of an unknown post-exploitation toolkit exclusively used by ToddyCat,” Kaspersky explained.

From a technical standpoint, Ninja appears to be a collaborative tool allowing multiple operators to work on the same machine simultaneously.

“It provides a large set of commands, which allow the attackers to control remote systems, avoid detection and penetrate deep inside a targeted network,” Kaspersky said.

Some of them, akin to those provided in other notorious post-exploitation toolkits, include the ability to control the HTTP indicators and camouflage malicious traffic in HTTP requests.

“ToddyCat is a sophisticated APT group that uses multiple techniques to avoid detection and thereby keeps a low profile,” the Kaspersky post reads.

“We’ll continue to monitor this group and keep you updated,” the researchers concluded. 

What’s hot on Infosecurity Magazine?