ToddyCat is an advanced APT actor. The report covers its expanded loader and post-exploitation toolkit, detailing how it compromised public-facing servers, loaded the Ninja Trojan, and moved on to data collection and exfiltration using multiple loaders and droppers. It describes standard and tailored loaders, loader persistence, LoFiSe data collection, and several exfiltration paths (DropBox and OneDrive), alongside discovery and lateral movement techniques.
#ToddyCat #NinjaTrojan
Keypoints
- ToddyCat expanded its loader family with three variants (Update A, VLC A, VLC B) that use legitimate binaries (rundll32.exe or VLC) to inject malicious code.
- Standard loaders decrypt payloads in memory via a custom XOR-based scheme and load a final stage that exports Start or _ functions depending on the variant.
- Tailored loaders exist for specific machines, using system-specific data (e.g., drive properties) to generate unique XOR keys and ensure persistence via Registry and services.
- The final payloads include Ninja (C++ malware) and LoFiSe (data collection DLL) with capabilities such as process enumeration, reverse shells, and code injection.
- ToddyCat’s data theft uses LoFiSe to identify files, hash them, archive with 7zip/RAR, and exfiltrate via DropBox or OneDrive; cloud exfil is a notable trait.
- Post-exploitation discovery and lateral movement leverage net, ping, WMI, and SMB shares, with credential rotation and scheduled tasks for persistence.
- Indicators of compromise include specific file hashes, mutexes (MicrosoftLocalFileService), domain and URL IOCs, and known loader/file paths across systems.
MITRE Techniques
- [T1218.011] Signed Binary Proxy Execution – Rundll32 loads 64-bit loader DLLs (e.g., “Libraries loaded by rundll32.exe”).
- [T1574.002] DLL Side-Loading – VLC.exe and other legitimate apps sideload malicious libraries (e.g., “abused to sideload the malicious library”).
- [T1055] Process Injection – Final stage injected into target memory or new wusa.exe process memory, using techniques like CreateRemoteThread. “Injected in new wusa.exe process memory.”
- [T1543.003] Windows Service – Attacker creates a new service to load the tailored loader (e.g., “ServiceDll … apibridge.dll”).
- [T1112] Modify Registry – Registry keys designed to force svchost.exe to load a service at startup (FontCacheSvc).
- [T1059.001] PowerShell – PowerShell usage with bypass options during execution (e.g., “-exec bypass”).
- [T1053.005] Scheduled Task – Use of schtasks to create/run/delete tasks for discovery or execution (e.g., “The scheduled task can typically contain a single discovery command …”).
- [T1047] Windows Management Instrumentation – LoFiSe and data-collection scripts enumerate disks using WMI (e.g., Get-WmiObject Win32_LogicalDisk). Quote: “The collection script uses WMI to enumerate files on the targeted host’s disks.”
- [T1087.002] Domain Account Discovery – Discovery of domain admins/users and domain computers during post-exploitation (net group, net user, etc.).
- [T1021.001] Remote Services (WMI/SMB) – Lateral movement via local network shares using compromised credentials (net use … /user:).
- [T1560.001] Archive Collected Data – Compression of collected files with 7zip/RAR before exfiltration (e.g., “compression is performed using tools such as 7zip or the RAR utility”).
- [T1567.001/002] Exfiltration to Cloud Storage – Dropbox and OneDrive exfiltration utilities (e.g., “DropBox uploader” and “exfiltrate archive files to Microsoft OneDrive”).
- [T1071.001] Web Protocols – Beacons communicate with C2 URLs (e.g., hxxps://solitary-dawn-61af.mfeagents.workers.dev/… and hxxps://www.githubdd.workers.dev/…).
- [T1027] Obfuscated/Compressed Files and Information – XOR-based decryption and in-memory decryption of payloads (e.g., “data are then decoded using XOR”).
Indicators of Compromise
- [Domain] – solitary-dawn-61af.mfeagents.workers.dev, www.githubdd.workers.dev (C2/domains used by Ninja/CobaltStrike).
- [URLs] – hxxps://solitary-dawn-61af.mfeagents.workers[.]dev/collector/3.0/, hxxps://www.githubdd.workers[.]dev/fam/mfe?restart=false (C2/Web).
- [Mutex] – MicrosoftLocalFileService (used by loader persistence across targets).
- [Files (hashes)] – 97D0A47B595A20A3944919863A8163D1, 828F8B599A1CC4A02A2C3928EC3F5F8B (loader/hash indicators).
- [Files (paths)] – C:\Program Files\Windows Mail\AcroRd64.exe (LoFiSe launcher), C:\ProgramData\Local\user.key (tailored loader data), C:\Windows\System32\update.bin (encrypted payload), C:\Intel\update.bin, C:\ProgramData\Microsoft\Network\aspnet.exe (backdoor), C:\ProgramData\Microsoft\VSPMSG\ (Pcexter DLL).
- [Domain/URL/Path groupings] – C2 domains and exfiltration endpoints observed in the report; sample paths include C:\Windows\System32\playlist.dat and C:\ProgramData\Local\user.key as encrypted payloads.
- [Hashes for UDP backdoor] – 65AF75986577FCC14FBC5F98EFB3B47E (Passive UDP backdoor).
- [Hashes for LoFiSe] – 14FF83A500D403A5ED990ED86296CCC7, 4AD609DDDF2C39CDA7BDBE2F9DC279FD (LoFiSe indicators).
- [Dropbox uploader] – DB_ORG.exe (DropBox uploader executable listed in the report's file table).
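The indicators and techniques listed above translate directly into hunting logic. The following Python script is an added example, not code from the Securelist report or from ToddyCat's tooling: it runs a set of checks over Sysmon-style events (image loads, registry value sets, process creations, DNS queries, file creations) and matches them against the hashes, domains, paths and mutex name summarized on this page plus the behavioural patterns described (rundll32/VLC loading unsigned DLLs, ServiceDll persistence under FontCacheSvc/apibridge.dll, schtasks wrapping discovery commands, PowerShell "-exec bypass", "net use ... /user:"). The sample telemetry is constructed, the "mutex" event type is a hypothetical EDR record (Sysmon does not log mutex creation), and the loader DLL path in the sample is invented for illustration.

```python
"""Hunt for ToddyCat indicators in Sysmon-style events (added example; sample data is constructed)."""
import re

# Indicators taken from the summary above (lower-cased for matching).
IOC_MD5 = {
    "97d0a47b595a20a3944919863a8163d1": "ToddyCat loader",
    "828f8b599a1cc4a02a2c3928ec3f5f8b": "ToddyCat loader",
    "65af75986577fcc14fbc5f98efb3b47e": "passive UDP backdoor",
    "14ff83a500d403a5ed990ed86296ccc7": "LoFiSe",
    "4ad609dddf2c39cda7bdbe2f9dc279fd": "LoFiSe",
}
IOC_DOMAINS = {"solitary-dawn-61af.mfeagents.workers.dev", "www.githubdd.workers.dev"}
IOC_PATHS = {
    r"c:\windows\system32\update.bin",
    r"c:\windows\system32\playlist.dat",
    r"c:\intel\update.bin",
    r"c:\programdata\microsoft\network\aspnet.exe",
    r"c:\program files\windows mail\acrord64.exe",
}
IOC_MUTEX = "microsoftlocalfileservice"
# Legitimate binaries the loaders abuse: rundll32 proxy execution and VLC side-loading.
PROXY_HOSTS = {"rundll32.exe", "vlc.exe"}
# Discovery commands the report says are wrapped in scheduled tasks.
DISCOVERY_RE = re.compile(r"\b(net\s+(?:group|user|use)|ping|wmic)\b", re.I)


def _md5_from_sysmon_hashes(field):
    """Sysmon writes 'MD5=...,SHA256=...'; return the MD5 part lower-cased, or None."""
    for part in field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "MD5":
            return value.strip().lower()
    return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of finding strings for one event dict (empty when nothing matched)."""
    findings = []
    kind = ev.get("type")
    if kind == "image_load":
        md5 = _md5_from_sysmon_hashes(ev.get("Hashes", ""))
        host = _basename(ev.get("Image", ""))
        loaded = ev.get("ImageLoaded", "")
        if md5 in IOC_MD5:
            findings.append(f"known hash {md5} ({IOC_MD5[md5]}) loaded by {host}")
        if host in PROXY_HOSTS and ev.get("Signed", "true").lower() == "false":
            findings.append(f"{host} loaded unsigned DLL {loaded} (possible side-load / proxy execution)")
    elif kind == "registry_set":
        target = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "").lower()
        if "\\parameters\\servicedll" in target and ("apibridge.dll" in details or "fontcachesvc" in target):
            findings.append(f"ServiceDll persistence: {target} -> {details}")
    elif kind == "process_create":
        image = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if image == "schtasks.exe" and DISCOVERY_RE.search(cmd):
            findings.append(f"scheduled task wrapping a discovery command: {cmd}")
        if image == "powershell.exe" and re.search(r"-exec(?:utionpolicy)?\s+bypass", cmd, re.I):
            findings.append(f"PowerShell with execution-policy bypass: {cmd}")
        if image == "net.exe" and re.search(r"\buse\b.*/user:", cmd, re.I):
            findings.append(f"SMB share mapping with explicit credentials: {cmd}")
    elif kind == "dns_query":
        if ev.get("QueryName", "").lower() in IOC_DOMAINS:
            findings.append(f"DNS query for C2 domain {ev['QueryName']}")
    elif kind == "file_create":
        if ev.get("TargetFilename", "").lower() in IOC_PATHS:
            findings.append(f"file written at known ToddyCat path {ev['TargetFilename']}")
    elif kind == "mutex":  # hypothetical EDR event type; Sysmon does not log mutex creation
        if ev.get("Name", "").lower() == IOC_MUTEX:
            findings.append(f"known mutex {ev['Name']} created by {_basename(ev.get('Image', ''))}")
    return findings


def hunt(events):
    """Run check_event over an iterable of events; return {event_index: findings} for hits only."""
    hits = {}
    for i, ev in enumerate(events):
        findings = check_event(ev)
        if findings:
            hits[i] = findings
    return hits


# Constructed sample telemetry (not real logs from the report; loader.dll path is invented).
SAMPLE_EVENTS = [
    {"type": "image_load", "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\Public\loader.dll", "Signed": "false",
     "Hashes": "MD5=97D0A47B595A20A3944919863A8163D1,IMPHASH=00000000000000000000000000000000"},
    {"type": "image_load", "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",  # benign load
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "Signed": "true",
     "Hashes": "MD5=11111111111111111111111111111111"},
    {"type": "registry_set",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\FontCacheSvc\Parameters\ServiceDll",
     "Details": r"C:\Windows\System32\apibridge.dll"},
    {"type": "process_create", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn upd /tr "cmd /c net group \"domain admins\" /domain" /sc once /st 23:00'},
    {"type": "process_create", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -exec bypass -f script.ps1"},
    {"type": "process_create", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\10.0.0.5\c$ /user:corp\svc-backup *"},
    {"type": "dns_query", "QueryName": "solitary-dawn-61af.mfeagents.workers.dev"},
    {"type": "file_create", "TargetFilename": r"C:\Windows\System32\update.bin"},
    {"type": "mutex", "Name": "MicrosoftLocalFileService", "Image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for index, found in hunt(SAMPLE_EVENTS).items():
        for line in found:
            print(f"event {index}: {line}")
```

On the constructed sample, every event except the benign VLC load produces at least one finding; the rundll32 event produces two (hash match and unsigned DLL load). In a real deployment the same checks map onto Sysmon event IDs 7, 13, 1, 22 and 11, and the hash list should be extended with the full IoC table from the report rather than the subset quoted here.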
Read more: https://securelist.com/toddycat-keep-calm-and-check-logs/110696/