Threat Research

ToddyCat: Unveiling an unknown APT actor attacking high-profile entities in Europe and Asia

Securonix

ToddyCat is a recently identified APT that uses two previously unknown tools, Samurai backdoor and Ninja Trojan, to target high-profile entities in Europe and Asia since December 2020. The operation began with Exchange server compromises and a China Chopper web shell, then escalated via ProxyLogon to additional organizations, with a multi-stage infection chain and in-memory, modular payloads designed to evade detection. hashtags: #ToddyCat #Samurai #Ninja #ChinaChopper #ProxyLogon #MicrosoftExchange #Telegram

Keypoints

  • ToddyCat is a relatively new APT identified by two unknown tools: Samurai backdoor and Ninja Trojan.
  • The group first compromised selected Microsoft Exchange servers in December 2020 using an unknown exploit and deployed the China Chopper web shell.
  • From February 26 to March, the attacker escalated operations by abusing the ProxyLogon vulnerability to compromise multiple organizations across Europe and Asia.
  • The infection chain is multi-stage, starting with a dropper, then a DLL loader, followed by a .NET loader, and finally the Samurai backdoor.
  • Samurai is a modular, in-memory backdoor that handles encrypted HTTP-based C2 and can execute on-the-fly compiled C# payloads; it also loads Ninja in some cases for post-exploitation.
  • Ninja Trojan is a C++ post-exploitation toolkit capable of remote control, process/file management, multiple reverse shells, code injection, plugin loading, and proxy/tunneling functionality to blend in with legitimate traffic.
  • Victims include government and military entities across Taiwan, Vietnam, and later Afghanistan, India, Iran, and several other countries; some campaigns used Telegram to distribute loaders.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attacker exploited Microsoft Exchange via ProxyLogon to compromise multiple organizations; β€œFrom February 26 until early March, we observed a quick escalation and the attacker abusing the ProxyLogon vulnerability to compromise multiple organizations across Europe and Asia.” Also earlier activity on December 2020 targeted Exchange servers.
  • [T1505.003] Web Shell – The group used the China Chopper web shell on Exchange servers to download and execute the next dropper (debug.exe).
  • [T1543.003] Create or Modify System Process: Windows Service – The dropper creates persistence by configuring registry keys and a service named WebUpdate, with svchost loading the payload.
  • [T1055] Process Injection – The loader loads a malicious library (iiswmi.dll) into svchost.exe, then calls exported functions to stage the next component.
  • [T1105] Ingress Tool Transfer – The dropper downloads and decrypts payloads (e.g., debug.xml) to stage further components in the infection chain.
  • [T1071.001] Web Protocols – Samurai/Ninja communicate via HTTP/HTTPS with C2, including a WebListener handling HTTP POSTs for code delivery and execution.
  • [T1027] Obfuscated/Compressed Files and Information – Payloads are encrypted (3DES, XOR) and base64-encoded, then loaded or decrypted during execution.
  • [T1090] Proxy – Ninja provides proxy capabilities to forward TCP packets between the C2 and remote hosts, enabling multi-hop communication inside networks.

Indicators of Compromise

  • [File Hash] 5cfdb7340316abc5586448842c52aabc – Dropper google.log (Google.log used as a dropper artifact)
  • [File Hash] 93c186c33e4bbe2abdcc6dfea86fbbff – Dropper
  • [File Hash] 8a00d23192c4441c3ee3e56acebf64b0 – Samurai Backdoor
  • [File Hash] f595edf293af9b5b83c5ffc2e4c0f14b – Dll Loader Stage 3 websvc.dll
  • [File Hash] 5a912beec77d465fc2a27f0ce9b4052b – Dll Loader Stage 2 iiswmi.dll
  • [File Hash] 1ad6dccb520893b3831a9cfe94786b82 – Dll Loader Stage 2 fveapi.dll
  • [File Hash] f595edf293af9b5b83c5ffc2e4c0f14b – Dll Loader Stage 3 sbs_clrhost.dll
  • [File Hash] – Ninja Trojan (hash listed as indicator for Ninja)
  • [IP Address] 149.28.28.159 – Ninja C2
  • [Domain] eohsdnsaaojrhnqo.windowshost.us – Ninja C2
  • [File Path] C:inetpubtempdebug.exe – Loader artifact
  • [File Path] C:WindowsTempdebug.xml – Loader artifact
  • [Registry Key] HKLMSOFTWAREMicrosoftWindows NTCurrentVersionSvcHost – Used for service-based loading
  • [Registry Key] HKLMSYSTEMControlSet001ServicesWebUpdate – Service persistence

Read more: https://securelist.com/toddycat/106799/