ToddyCat: your hidden email assistant. Part 1

MITRE Techniques

• [T1555.003] Credentials from Web Browsers – TomBerBil collects browser files (Login Data, Cookies, History, Local State, Firefox key files) by copying them over SMB from remote hosts (“…the tool retrieves … list of user directories … copies Login Data, Cookies, History …”).
• [T1555] Credentials from Password Stores – TomBerBil copies DPAPI Protect and Credentials folders to obtain master keys required to decrypt browser-stored secrets (“…copies files containing the user encryption keys that are used by DPAPI”).
• [T1114.001] Email Collection: Local Email – TCSectorCopy/xCopy copies locked Outlook .ost files block-by-block to exfiltrate mailbox data (“…designed for block-by-block copying of files that may be inaccessible by applications … copied user OST files”).
• [T1114] Email Collection – XstReader/XstExport is used to export content and attachments from copied OST files into readable formats for exfiltration (“…used XstReader to export the content of the previously copied OST files … export of all messages and their attachments”).
• [T1057/T1005] Process Discovery / Data from Local System Memory – SharpTokenFinder (and ProcDump usage) dumps memory of Office/M365 processes to locate JWT access tokens in process memory (“…tool searches system for … OUTLOOK … opens each process … dump their memory … searches for ‘eyJ0eX[a-zA-Z0-9._-]+’”).
• [T1563/T1021] Lateral Movement / SMB – The group uses SMB to access remote C$ shares and copy user profile data and browser files from other hosts (“…attempts to establish an SMB connection to the shared resource c$ … copies via SMB to the local folder”).
• [T1560.001] Archive Collected Data – The operators compress dumps and exported files (using WinRAR example) before exfiltration (“…file is added to a dmp.rar archive using WinRAR … sent this file to their host via SMB”).