ToddyCat

ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.[1][2]

ID: G1022
Version: 1.0
Created: 03 January 2024
Last Modified: 14 February 2024

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

ToddyCat has used WMI to execute scripts for post-exploitation document collection.[2]

Enterprise T1005 Data from Local System

ToddyCat has run scripts to collect documents from targeted hosts.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

ToddyCat has used the name debug.exe for malware components.[1]

Enterprise T1190 Exploit Public-Facing Application

ToddyCat has exploited the ProxyLogon vulnerability (CVE-2021-26855) to compromise Exchange Servers at multiple organizations.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

ToddyCat has used PowerShell scripts to perform post-exploitation collection.[2]

.003 Command and Scripting Interpreter: Windows Command Shell

ToddyCat has used .bat scripts and cmd for execution on compromised hosts.[2]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Prior to executing a backdoor, ToddyCat has run cmd /c start /b netsh advfirewall firewall add rule name="SGAccessInboundRule" dir=in protocol=udp action=allow localport=49683 to allow the targeted system to receive UDP packets on port 49683.[2]
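The netsh command above is a fixed, testable artifact: it appears verbatim in a process-creation event (Sysmon Event ID 1 or Security 4688) and the port it opens should have an owner. The following Python is an added example, not code from the page, from ToddyCat tooling or from the cited reports. It parses such a command line into its rule fields, lists why an inbound UDP allow rule on an ephemeral-range port deserves attention, and cross-checks the port against `netstat -anop udp` output to find the process bound to it, which is the check an analyst would run on a host where this rule turns up. The netstat text, the PIDs in it and the 49152 port threshold are constructed assumptions; only the command line is from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The command line quoted on the page, as it would appear in a process-creation
# event's CommandLine field.
SAMPLE_CMDLINE = ('cmd /c start /b netsh advfirewall firewall add rule '
                  'name="SGAccessInboundRule" dir=in protocol=udp action=allow localport=49683')

# Constructed sample output of `netstat -anop udp` (not from the page).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:123            *:*                                    1432
  UDP    0.0.0.0:49683          *:*                                    5220
  UDP    127.0.0.1:1900         *:*                                    3388
"""

NETSH_ADD_RULE = re.compile(r'\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b(.*)', re.I)
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # netsh key=value tokens, quoted or bare
UDP_LISTENER = re.compile(r'^\s*UDP\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$', re.M)


@dataclass
class FirewallRule:
    name: str
    direction: str
    protocol: str
    action: str
    localport: Optional[int]   # None when the port is "any" or a range


def parse_netsh_add_rule(cmdline: str) -> Optional[FirewallRule]:
    """Extract the rule from a command line; None if it is not a netsh add-rule call."""
    m = NETSH_ADD_RULE.search(cmdline)
    if not m:
        return None
    kv = {k.lower(): v.strip('"') for k, v in KEY_VALUE.findall(m.group(1))}
    port = kv.get('localport', 'any')
    return FirewallRule(
        name=kv.get('name', ''),
        direction=kv.get('dir', '').lower(),
        protocol=kv.get('protocol', 'any').lower(),
        action=kv.get('action', '').lower(),
        localport=int(port) if port.isdigit() else None,
    )


def assess_rule(rule: FirewallRule) -> List[str]:
    """Reasons an added rule deserves a closer look; an empty list means nothing notable."""
    reasons = []
    if rule.direction == 'in' and rule.action == 'allow':
        reasons.append('inbound allow rule')
        # 49152+ is the dynamic/ephemeral range; a fixed rule there is unusual (assumed threshold).
        if rule.localport is not None and rule.localport >= 49152:
            reasons.append(f'ephemeral-range port {rule.localport}')
        if rule.protocol == 'udp':
            reasons.append('UDP, consistent with a passive listener')
    return reasons


def udp_listeners(netstat_text: str) -> Dict[int, int]:
    """Map local UDP port -> owning PID from `netstat -anop udp` output."""
    return {int(port): int(pid) for port, pid in UDP_LISTENER.findall(netstat_text)}


def correlate(cmdline: str, netstat_text: str) -> Optional[dict]:
    """Tie a netsh add-rule command to the process currently bound to the port it opened."""
    rule = parse_netsh_add_rule(cmdline)
    if rule is None:
        return None
    listeners = udp_listeners(netstat_text) if rule.protocol in ('udp', 'any') else {}
    return {
        'rule': rule,
        'reasons': assess_rule(rule),
        'listening_pid': listeners.get(rule.localport),
    }


if __name__ == '__main__':
    result = correlate(SAMPLE_CMDLINE, SAMPLE_NETSTAT)
    print(result['rule'])
    for reason in result['reasons']:
        print(' -', reason)
    print('PID bound to the port:', result['listening_pid'])
```

The PID returned by correlate is the pivot: on a live host the next step is to look up that process's image path, parent and signing status rather than trusting the rule name, which here is chosen to look like a legitimate product component.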

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

ToddyCat has leveraged xcopy, 7zip, and RAR to stage and compress collected documents prior to exfiltration.[2]

Enterprise T1074 .002 Data Staged: Remote Data Staging

ToddyCat manually transferred collected files to an exfiltration host using xcopy.[2]

Enterprise T1083 File and Directory Discovery

ToddyCat has run scripts to enumerate recently modified documents having either a .pdf, .doc, .docx, .xls or .xlsx extension.[2]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

ToddyCat has used compromised domain admin credentials to mount local network shares.[2]

Enterprise T1106 Native API

ToddyCat has used WinExec to execute commands received from C2 on compromised hosts.[2]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

ToddyCat has executed net group "domain admins" /dom for discovery on compromised machines.[2]

Enterprise T1082 System Information Discovery

ToddyCat has collected information on bootable drives including model, vendor, and serial numbers.[2]

Enterprise T1049 System Network Connections Discovery

ToddyCat has used netstat -anop tcp to discover TCP connections to compromised hosts.[2]

Enterprise T1087 .002 Account Discovery: Domain Account

ToddyCat has run net user %USER% /dom for account discovery.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

ToddyCat can determine if Kaspersky software is running on an endpoint by running cmd /c wmic process where name="avp.exe".[2]

Enterprise T1057 Process Discovery

ToddyCat has run cmd /c start /b tasklist to enumerate processes.[2]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

ToddyCat has used locally mounted network shares for lateral movement through targeted environments.[2]

Enterprise T1018 Remote System Discovery

ToddyCat has used ping %REMOTE_HOST% for post exploit discovery.[2]
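Taken one at a time, the discovery commands listed above (net group "domain admins" /dom, netstat -anop tcp, net user /dom, wmic process where name="avp.exe", tasklist, ping) and the staging commands (xcopy to a share, 7zip/RAR archiving) are ordinary administration; what characterises the activity is several of them on one host within minutes. The Python below is an added example, not part of the page, of ToddyCat's scripts or of the cited reports. It classifies process-creation command lines with patterns drawn from the entries above and raises one alert per host when at least three distinct categories fall inside a ten-minute window. The event records, hostnames, user name, share path, timestamps, window and threshold are constructed; the command shapes are the page's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Command-line patterns derived from the technique entries on this page, each mapped to a
# category. Order matters: the first matching pattern wins.
PATTERNS = [
    ('domain_group_discovery',       re.compile(r'\bnet1?\s+group\s+"?domain admins"?', re.I)),
    ('domain_account_discovery',     re.compile(r'\bnet1?\s+user\s+\S+\s+/dom', re.I)),
    ('network_connection_discovery', re.compile(r'\bnetstat\b', re.I)),
    ('security_software_discovery',  re.compile(r'\bwmic\s+process\s+where\s+name=["\']?avp\.exe', re.I)),
    ('process_discovery',            re.compile(r'\btasklist\b', re.I)),
    ('remote_system_discovery',      re.compile(r'\bping\s+\S+', re.I)),
    ('archive_staging',              re.compile(r'\b(?:7z|rar)(?:\.exe)?\s+a\s', re.I)),
    ('remote_staging',               re.compile(r'\bxcopy\b.*\\\\[^\\\s]+\\', re.I)),  # xcopy to a UNC path
]

# Constructed sample events (not from the page): WS01 runs the chain within a few minutes,
# WS02 shows isolated admin activity hours apart.
SAMPLE_EVENTS = [
    {'ts': '2024-02-14T10:00:05', 'host': 'WS01', 'cmdline': 'cmd /c start /b tasklist'},
    {'ts': '2024-02-14T10:00:40', 'host': 'WS01', 'cmdline': 'cmd /c wmic process where name="avp.exe"'},
    {'ts': '2024-02-14T10:01:12', 'host': 'WS01', 'cmdline': 'netstat -anop tcp'},
    {'ts': '2024-02-14T10:02:30', 'host': 'WS01', 'cmdline': 'net group "domain admins" /dom'},
    {'ts': '2024-02-14T10:03:01', 'host': 'WS01', 'cmdline': 'net user jsmith /dom'},
    {'ts': '2024-02-14T10:06:44', 'host': 'WS01',
     'cmdline': 'xcopy C:\\Users\\jsmith\\Documents\\*.docx \\\\FS01\\share\\out\\ /s'},
    {'ts': '2024-02-14T10:09:10', 'host': 'WS01', 'cmdline': '7z.exe a C:\\temp\\out.7z \\\\FS01\\share\\out\\'},
    {'ts': '2024-02-14T11:00:00', 'host': 'WS02', 'cmdline': 'ping 10.0.0.5'},
    {'ts': '2024-02-14T14:15:00', 'host': 'WS02', 'cmdline': 'tasklist /svc'},
    {'ts': '2024-02-14T14:16:00', 'host': 'WS02', 'cmdline': 'notepad.exe C:\\Users\\admin\\notes.txt'},
]


def classify(cmdline: str) -> Optional[str]:
    """Return the category of a command line, or None if it matches nothing of interest."""
    for category, pattern in PATTERNS:
        if pattern.search(cmdline):
            return category
    return None


def detect_bursts(events, window=timedelta(minutes=10), threshold=3) -> List[dict]:
    """One alert per host whose events show >= threshold distinct categories inside `window`."""
    hits: Dict[str, List] = defaultdict(list)
    for ev in events:
        category = classify(ev['cmdline'])
        if category:
            hits[ev['host']].append((datetime.fromisoformat(ev['ts']), category, ev['cmdline']))
    alerts = []
    for host, entries in hits.items():
        entries.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(entries):   # slide the window from each hit
            seen: Dict[str, str] = {}
            for ts, category, cmdline in entries[i:]:
                if ts - start > window:
                    break
                seen.setdefault(category, cmdline)     # keep the first command of each kind
            if len(seen) >= threshold:
                alerts.append({'host': host, 'start': start.isoformat(),
                               'categories': sorted(seen), 'evidence': seen})
                break                                  # one alert per host is enough
    return alerts


if __name__ == '__main__':
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert['host'], alert['start'], ', '.join(alert['categories']))
        for category, cmdline in alert['evidence'].items():
            print(f'  {category}: {cmdline}')
```

Tuning is per environment: help-desk hosts legitimately run tasklist and ping, so the value is in the distinct-category count and the window, not in any single pattern, and the `cmd /c start /b` wrapper seen on several of the page's commands is a useful extra parent-process condition in real telemetry.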

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

ToddyCat has used a DropBox uploader to exfiltrate stolen files.[2]

Enterprise T1566 .003 Phishing: Spearphishing via Service

ToddyCat has sent loaders configured to run Ninja as zip archives via Telegram.[1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

ToddyCat has hidden malicious scripts using powershell.exe -windowstyle hidden.[2]

Enterprise T1095 Non-Application Layer Protocol

ToddyCat has used a passive backdoor that receives commands with UDP packets.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

ToddyCat has used scheduled tasks to execute discovery commands and scripts for collection.[2]

Software

ID Name References Techniques
S0020 China Chopper [1] Data from Local System, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, File and Directory Discovery, Brute Force: Password Guessing, Server Software Component: Web Shell, Obfuscated Files or Information: Software Packing, Indicator Removal: Timestomp, Network Service Discovery, Ingress Tool Transfer
S0154 Cobalt Strike [2] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S1101 LoFiSe [2] Data from Local System, Hijack Execution Flow: DLL Side-Loading, Archive Collected Data, Data Staged: Local Data Staging, File and Directory Discovery, Automated Collection
S0039 Net [2] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0104 netstat [2] System Network Connections Discovery
S1100 Ninja [1] Proxy: Multi-hop Proxy, Proxy: Internal Proxy, Masquerading: Match Legitimate Name or Location, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Execution Guardrails: Environmental Keying, Data Obfuscation, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Non-Standard Encoding, File and Directory Discovery, Native API, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious File, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, Process Discovery, Process Injection, Inter-Process Communication, Phishing: Spearphishing via Service, Non-Application Layer Protocol, Scheduled Transfer
S1102 Pcexter [2] Data from Local System, Hijack Execution Flow: DLL Side-Loading, File and Directory Discovery, Exfiltration Over Web Service: Exfiltration to Cloud Storage
S0097 Ping [2] Remote System Discovery
S1099 Samurai [1] Data from Local System, Proxy, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information: Compile After Delivery, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information, Software Discovery, Ingress Tool Transfer, Non-Application Layer Protocol

References