| ToddyCat | |
|---|---|
| Other Names | Websiic |
| Location | China |
| Date of initial activity | 2020 |
| Suspected attribution | China |
| Associated Groups | Unknown |
| Motivation | Cyber Espionage and financial gain |
| Associated tools | Ninja Trojan, Samurai Backdoor, LoFiSe, PcExter, Impacket, OpenSSH, SoftEther VPN, Ngrok agent, Krong, FRP client, Cuthead, WAExp, TomBerBil, CurKeep |
| Active | Yes |
Overview
ToddyCat, an APT group, primarily targets governmental organizations, including defense-related entities, across the Asia-Pacific region. The group launched its operations in December 2020 by exploiting undisclosed vulnerabilities to compromise Exchange servers in Taiwan and Vietnam. This initial breach allowed them to deploy the well-known China Chopper web shell, initiating a complex, multi-stage infection process involving custom loaders and the passive backdoor, Samurai.
Known for its extensive use of diverse tools, ToddyCat focuses on maintaining access to infiltrated networks and exfiltrating sensitive data. Russian cybersecurity firm Kaspersky has characterized the group’s activities as harvesting data on an “industrial scale,” underscoring the significant threat they pose to national security and confidential governmental operations.
Common targets
The group has been responsible for multiple sets of attacks against high-profile entities in Europe and Asia.
Attack Vectors
ToddyCat exploited vulnerabilities in publicly exposed Microsoft Exchange servers, but it also delivers malware through spear-phishing emails with malicious archives attached. These archives contain a legitimate executable bundled with a rogue DLL that the executable side-loads.
How they Operate
ToddyCat initiated server compromises on December 22, 2020, exploiting an undisclosed vulnerability in a Microsoft Exchange component. This breach enabled the deployment of the China Chopper web shell, which in turn downloaded and executed a malicious dropper named debug.exe. From February 26, Kaspersky documented consistent use of this infection chain, with samples similar to those seen in December and January, now deployed via ProxyLogon.
Stage 1 – Dropper
The dropper, once executed, installs various components and crafts multiple registry keys to coerce the legitimate svchost.exe process into loading the final Samurai backdoor. Debug.exe resolves Windows API calls through a dedicated function: it checks whether the pointer has already been resolved and stored in a global variable; if not, it decrypts the encrypted API name string using an XOR-based algorithm and retrieves the address. The dropper is also responsible for loading an encrypted payload from debug.xml, decrypted using Wincrypt with the CALG_3DES_112 algorithm. Once decrypted, the file reveals a structure holding multiple payloads and the values needed to set up subsequent stages.
The malware then undertakes a series of steps to stage the next component: it tries creating a directory for storing the DLL for the upcoming stage, checks for and manages existing related services, and verifies the installation of the .NET framework to decide where to drop its payload. If the appropriate registry key is found, it proceeds to deploy the DotNet_Loader_v2_Payload or DotNet_Loader_v4_Payload accordingly and then places a DLL loader in the intended directory to initiate the second stage.
Stage 2 – DLL Loader
The registry keys created during the initial stage compel the svchost.exe process to load a malicious C++ library, iiswmi.dll, which mimics the dropper’s method of resolving Windows API calls. This loader attempts to read an encrypted payload from the registry and pass it as an argument to another DLL that it loads manually at runtime. If it succeeds in reading the specific registry key, it loads that DLL and triggers the next stage by invoking its Init export with the registry contents as the argument.
Stage 3 – .NET Loader
In this phase, the websvc.dll library, developed in C#, acts as another loader that expects an encrypted payload as input, consisting of two base64-encoded strings separated by a pipe character. The loader decrypts and decompresses the first string to extract another C# library, which is loaded in memory and executed by invoking a method named “Equals.” The Samurai backdoor, the final payload, is a modular backdoor that uses the .NET HttpListener to handle HTTP POST requests carrying encrypted C# source code, which it compiles and executes at runtime. The malware’s obfuscation further complicates reverse engineering by flattening control flow and randomly naming functions.
In specific scenarios, the Samurai backdoor facilitates the deployment of Ninja, another complex malware developed in C++, designed for extensive control over compromised networks. Ninja provides capabilities for process management, file system control, and initiating reverse shell sessions, among others, and can be configured for stealth communication using popular web protocols. This tool underscores the advanced level of the post-exploitation toolkit developed by ToddyCat, enhancing their operational discretion and persistence within targeted networks.
ToddyCat’s toolkit has expanded significantly, incorporating a sophisticated array of new malware tools designed for persistence, file manipulation, and loading additional payloads at runtime. Among these tools are several loaders equipped to activate the Ninja Trojan as a second stage. Additional utilities include LoFiSe, which locates and gathers files of interest; a Dropbox uploader designed to store stolen data in the cloud; and Pcexter, a tool used to send archive files to Microsoft OneDrive. These programs demonstrate ToddyCat’s continued development and maintenance of complex cyberespionage tools.
Their latest software suite includes a variety of tunneling and data gathering applications deployed once the attackers have secured access to privileged accounts on the compromised system. This suite features a Reverse SSH tunnel using OpenSSH, a repurposed SoftEther VPN disguised under benign filenames like “boot.exe” and “kaspersky.exe,” and Ngrok and Krong to encrypt and redirect C2 traffic. Additional tools include the FRP client, a fast reverse proxy developed in Golang, and Cuthead, a .NET executable designed to search for documents based on specific criteria such as file extension or modification date.
Furthermore, ToddyCat utilizes WAExp, a .NET tool for capturing data from the WhatsApp web app and archiving it, and TomBerBil, a program designed to extract cookies and credentials from popular web browsers such as Google Chrome and Microsoft Edge. The tunneling tools described above maintain persistent connections to actor-controlled infrastructure, using multiple channels as a redundancy strategy so that access continues even if some communication tunnels are discovered and shut down.
Lastly, ToddyCat employs a variety of custom scripts and sophisticated methods for data collection and network infiltration. This includes a passive backdoor that communicates via UDP packets, the use of Cobalt Strike for advanced post-exploitation tactics, and compromised domain admin credentials to facilitate lateral movement within networks. These tactics underscore ToddyCat’s capability to carry out targeted espionage activities, maintaining stealth and persistence within infected systems.
Significant Attacks
- An advanced persistent threat (APT) group dubbed ToddyCat has been targeting Microsoft Exchange servers throughout Asia and Europe for more than a year. (June 2022)
- “Stayin’ Alive”, a campaign that operates in Asia, primarily targeting the Telecom industry, as well as government organizations. The tools used in this campaign are tied to ToddyCat, a Chinese-affiliated threat actor operating in the region. (October 2023)
- ToddyCat has been observed using a wide range of tools to retain access to compromised environments and steal valuable data. (April 2024)
References:
- Microsoft Exchange servers hacked by new ToddyCat APT gang
- Stayin’ Alive – Targeted Attacks Against Telecoms and Government Ministries in Asia
- ToddyCat Hacker Group Uses Advanced Tools for Industrial-Scale Data Theft
- APT ToddyCat
- ToddyCat: Keep calm and check logs
- ToddyCat is making holes in your infrastructure
- Exchange servers under siege from at least 10 APT groups