The advanced persistent threat (APT) actor known as ToddyCat has been linked to a new set of malicious tools that are designed for data exfiltration, offering a deeper insight into the hacking crew’s tactics and capabilities.
The findings come from Kaspersky, which first shed light on the adversary last year, linking it to attacks against high-profile entities in Europe and Asia for nearly three years.
While the group’s arsenal prominently features Ninja Trojan and a backdoor called Samurai, further investigation has uncovered a whole new set of malicious software developed and maintained by the actor to achieve persistence, conduct file operations, and load additional payloads at runtime.
“We observed script variants designed solely to collect data and copy files to specific folders, but without including them in compressed archives,” Kaspersky said.
“In these cases, the actor executed the script on the remote host using the standard remote task execution technique. The collected files were then manually transferred to the exfiltration host using the xcopy utility and finally compressed using the 7z binary.”
The disclosure comes as Check Point revealed that government and telecom entities in Asia have been targeted as part of an ongoing campaign since 2021 using a wide variety of “disposable” malware to evade detection and deliver next-stage malware.
The activity, per the cybersecurity firm, relies on infrastructure that overlaps with that used by ToddyCat.
Source: https://thehackernews.com/