ToddyCat APT Aims High

A new Advanced Persistent Threat (APT) actor has been spotted by Kaspersky researchers attacking Microsoft Exchange servers in Asia and Europe. ToddyCat is relatively new to the scene: its activity was first reported by the Slovak security company ESET in March 2021, when the group exploited the ProxyLogon vulnerability on multiple occasions. The group aims high, with a preference for high-profile government and military targets and other prominent organizations.

Kaspersky researchers discovered two previously unknown malware families used by ToddyCat that let the attackers take control of a compromised server and move laterally from it. After scanning the internet for unpatched Microsoft Exchange servers, the group deploys these tools, dubbed the Samurai backdoor and the Ninja Trojan, through a fairly complex multi-stage process.

According to Kaspersky's analysis, the logic of the code suggests that Ninja is a collaborative tool that lets several operators work on the same machine at once. It offers a broad set of commands that let attackers control remote machines, evade detection and penetrate deep into a target network; some of its features are comparable to those of other well-known post-exploitation toolkits. By altering HTTP headers and URL paths it can also control its HTTP indicators, hiding malicious traffic inside requests that look legitimate.

Kaspersky provides the following command to check whether the Samurai backdoor is running on a server:

#>netsh http show servicestate verbose=yes

As Microsoft documents, this command displays a snapshot of the state of the HTTP service (HTTP.sys), including every URL currently registered with it. Look through the registered URLs for entries you cannot attribute to a legitimate listener such as IIS or Exchange; a backdoor that registers its own URL with HTTP.sys can share port 443 with the web server, which is why it does not show up as a separate listening port.
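Reading the verbose netsh output by hand is tedious on a busy Exchange server, so here is a PowerShell script that does the comparison for you. This is an added example written for this article, not code from Kaspersky's report or from Centraleyes. It assumes the layout of the verbose output (a "Request queue name:" line per queue, a "Process IDs:" line followed by indented PIDs, and "Registered URLs:" followed by indented HTTP://... or HTTPS://... entries); the baseline file it compares against is something you create yourself by running the same script on a known-good server.

```powershell
<#
  Added example (not code from the Kaspersky report or this article): run the netsh
  command above, list every URL registered with HTTP.sys together with the process
  IDs attached to the request queue it was listed under, and flag URLs that do not
  appear in a baseline captured on a known-good server.
  Assumptions about the verbose output layout: "Request queue name:" starts a queue,
  "Process IDs:" is followed by indented PIDs, and "Registered URLs:" is followed by
  indented HTTP://... or HTTPS://... entries. The baseline file (one URL per line)
  is a hypothetical input you generate yourself on a clean host.
#>
param(
    [string]$BaselineFile   # optional: known-good URL list, one URL per line
)

$lines = netsh http show servicestate verbose=yes
if ($LASTEXITCODE -ne 0) {
    throw "netsh failed (exit code $LASTEXITCODE); run this from an elevated prompt"
}

$urlPids     = @{}      # registered URL -> PIDs attached to the queue it was listed under
$currentPids = @()
$inPidList   = $false

foreach ($raw in $lines) {
    $line = $raw.Trim()
    if ($line -match '^Request queue name:') {       # a new request queue / URL group starts
        $currentPids = @()
        $inPidList   = $false
        continue
    }
    if ($line -match '^Process IDs:') { $inPidList = $true; continue }
    if ($inPidList -and $line -match '^\d+$') { $currentPids += [int]$line; continue }
    $inPidList = $false                              # first non-numeric line ends the PID list
    if ($line -match '^https?://') {                 # a registered URL (netsh prints them upper-case)
        if (-not $urlPids.ContainsKey($line)) { $urlPids[$line] = @() }
        $urlPids[$line] += $currentPids
    }
}

$baseline = @()
if ($BaselineFile) {
    $baseline = Get-Content -Path $BaselineFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$report = foreach ($url in ($urlPids.Keys | Sort-Object)) {
    # Resolve each PID to a process name so an unexpected owner stands out
    $owners = foreach ($p in ($urlPids[$url] | Sort-Object -Unique)) {
        $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
        if ($proc) { "$p ($($proc.ProcessName))" } else { "$p (not running)" }
    }
    # -notcontains is case-insensitive, so HTTP:// vs http:// in the baseline does not matter
    $flag = ''
    if ($baseline.Count -gt 0 -and $baseline -notcontains $url) { $flag = 'NOT IN BASELINE' }
    [pscustomobject]@{
        Url       = $url
        Processes = ($owners -join ', ')
        Flag      = $flag
    }
}

$report
```

Run it from an elevated PowerShell on the Exchange host, pipe the result to Format-Table -AutoSize to read it, and on a clean server with the same role configuration pipe it through Select-Object -ExpandProperty Url | Set-Content baseline.txt to produce the baseline. Two caveats: a baseline taken from a differently configured host will produce false positives (Exchange virtual directories, WinRM and WSMan registrations all vary by role), and the check only sees listeners that are registered at the moment you run it, so it proves nothing about a backdoor that has been unloaded or that uses a transport other than HTTP.sys.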

Which leads us to our weekly reminder: patch known vulnerabilities promptly, and keep your systems up to date!