The hacking group ToddyCat, active since 2020, has a documented history of targeting various organizations across Europe and Asia. Their campaigns are characterized by using a variety of specialized tools, such as Samurai and TomBerBil, which are primarily designed to maintain persistence within compromised environments and steal valuable data, including cookies and credentials from popular web browsers like Google Chrome and Microsoft Edge. Earlier in 2024, the group was also linked to exploiting a security flaw in ESET Command Line Scanner (CVE-2024-11859) to deliver a previously undocumented piece of malware, signaling their continuous pursuit of new exploitation techniques to gain initial access or elevate privileges.
Between May and June 2024, a significant evolution in ToddyCat’s arsenal was observed with the detection of a PowerShell variant of TomBerBil. Unlike its earlier C++ and C# iterations, this new version is also capable of extracting data from the Mozilla Firefox browser. A particularly notable feature of this PowerShell variant is its capability to run with privileged access on domain controllers and leverage the SMB protocol to access browser files on remote hosts over shared network resources. The malware is typically launched via a scheduled task that executes a PowerShell command designed to search for and exfiltrate browser history, cookies, and saved credentials. Although the stolen files are encrypted using the Windows Data Protection API (DPAPI), the newer TomBerBil version is equipped to steal the necessary encryption keys to locally decrypt the data after exfiltration.
The threat actors are employing a new tool, TCSectorCopy (or xCopy.exe), specifically to access corporate emails stored in local Microsoft Outlook OST (Offline Storage Table) files. This custom-written C++ utility is engineered to bypass restrictions that typically prevent access to OST files while the Outlook application is running. TCSectorCopy achieves this by accepting the OST file as input, opening the disk as a read-only device, and then proceeding to copy the file’s contents sector-by-sector. Once the entire file is copied to an attacker-controlled location, the contents of the electronic correspondence are then extracted and viewed using an open-source tool called XstReader.
In cases where victim organizations utilize the Microsoft 365 cloud service, ToddyCat has adopted another tactic focused on obtaining access tokens directly from memory. This involves the use of SharpTokenFinder, an open-source C# tool designed to enumerate Microsoft 365 applications for plain text JSON web tokens (JWTs). These tokens, which are used in the OAuth 2.0 authorization protocol, enable the attackers to access corporate email data outside of the compromised network’s perimeter. This method of obtaining tokens directly from the user’s browser or application memory provides persistent, unauthorized access to cloud services.
However, the threat actor has encountered security obstacles, as evidenced in one incident where security software successfully blocked SharpTokenFinder’s attempt to dump the memory of the Outlook.exe process. To circumvent this protection, the operators demonstrated adaptability by switching to the legitimate ProcDump tool from the Sysinternals package. By using ProcDump with specific arguments, the attackers were able to successfully create a memory dump of the Outlook process, illustrating their persistence and willingness to leverage various tools to achieve their ultimate goal of obtaining sensitive corporate data.
Reference:
