In a recent wave of cyberattacks, a threat actor group tracked as "ToddyCat" has been identified by Check Point Research targeting Asian telecommunications companies. The attacks rely on customized, disposable malware that is discarded after use, which makes the tooling hard to trace and the activity hard to attribute.
The attack strategy employed by ToddyCat starts with spear-phishing emails. These emails are meticulously crafted to target specific individuals within key organizations, luring them into opening attached ZIP files.
The ZIP files delivered in the spear-phishing emails contain a digitally signed executable, named to match the email context, alongside a malicious DLL. The executable is a component of Audinate's Dante Discovery software that is affected by a known DLL side-loading vulnerability (CVE-2022-23748): when the signed binary runs, it loads the attacker's DLL from the same directory, and that DLL delivers the "CurKeep" malware onto the victim's system under the cover of a trusted, signed process.
CurKeep is a lightweight backdoor that serves as the initial payload. Its functions include establishing persistence on the compromised device, sending system information to a command-and-control (C2) server, and waiting for further instructions. The backdoor can exfiltrate directory lists, execute commands, and handle various file-based tasks, all at the behest of its operators.
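The side-loading step is the part of this chain a defender can hunt for on the endpoint: a DLL loaded from the loading executable's own directory, outside the Windows directories, without a valid signature. The following Python is an added example, not code from the Check Point or Kaspersky reports or from the attackers' tooling. It runs that check over Sysmon Event ID 7 (ImageLoaded) records; the events, file names, paths and hashes are constructed for the example, and the shortlist of commonly hijacked DLL names is illustrative rather than exhaustive.

```python
"""Added example: flag DLL side-loading candidates in Sysmon Event ID 7 (ImageLoaded) records.

Windows resolves a DLL imported by name starting from the directory of the executable that
loads it, so a signed benign EXE shipped next to a malicious DLL of the expected name gets the
attacker's code loaded inside a trusted-looking process. All events below are constructed
samples in Sysmon's 'Key: value' text layout; names, paths and hashes are invented.
"""
from __future__ import annotations
from pathlib import PureWindowsPath

# Constructed sample events. In Sysmon Event 7 the Signed/Signature/SignatureStatus fields
# describe the *loaded* module (ImageLoaded), not the process that loaded it.
SAMPLE_EVENTS = """\
Image: C:\\Windows\\System32\\svchost.exe
ImageLoaded: C:\\Windows\\System32\\rpcrt4.dll
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000001
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

Image: C:\\Users\\victim\\AppData\\Local\\Temp\\Discovery\\signed_vendor_tool.exe
ImageLoaded: C:\\Users\\victim\\AppData\\Local\\Temp\\Discovery\\helper.dll
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000002
Signed: false
Signature: -
SignatureStatus: Unavailable

Image: C:\\Program Files\\Vendor\\vendor_app.exe
ImageLoaded: C:\\Program Files\\Vendor\\vendor_support.dll
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000003
Signed: true
Signature: Vendor Corp
SignatureStatus: Valid

Image: C:\\Users\\victim\\Downloads\\report_viewer.exe
ImageLoaded: C:\\Users\\victim\\Downloads\\version.dll
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000004
Signed: false
Signature: -
SignatureStatus: Unavailable
"""

# Loads from these directories are out of scope. C:\Windows\Temp is deliberately not listed:
# it is writable enough that a side-load from there should still be reviewed.
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# System DLL names frequently planted next to an EXE for hijacking (illustrative shortlist).
COMMONLY_HIJACKED = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\public\\")


def parse_events(text: str) -> list[dict[str, str]]:
    """Split Sysmon-style 'Key: value' blocks separated by blank lines into dicts."""
    events: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def in_windows_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in WINDOWS_DIRS)


def classify(event: dict[str, str]) -> list[str]:
    """Return the indicators that make this load look like side-loading (empty = benign)."""
    image = PureWindowsPath(event.get("Image", ""))
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    reasons: list[str] = []
    if in_windows_dir(str(loaded)):
        return reasons
    side_by_side = str(image.parent).lower() == str(loaded.parent).lower()
    unsigned = event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid"
    if side_by_side and unsigned:
        reasons.append("unsigned DLL loaded from the loading executable's own directory")
    if loaded.name.lower() in COMMONLY_HIJACKED:
        reasons.append(f"{loaded.name} loaded from outside the Windows directories")
    if reasons and any(m in str(image).lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("loading executable runs from a user-writable location")
    return reasons


def find_sideloads(text: str) -> list[tuple[str, str, list[str]]]:
    """(Image, ImageLoaded, reasons) for every event with at least one indicator."""
    hits = []
    for ev in parse_events(text):
        reasons = classify(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, loaded, reasons in find_sideloads(SAMPLE_EVENTS):
        print(f"{image}\n  loaded {loaded}\n  " + "\n  ".join(reasons))
```

On the constructed input the vendor application loading its own validly signed support DLL is not flagged, while the two unsigned side-by-side loads from Temp and Downloads are, with the `version.dll` case carrying the extra indicator of a system DLL name resolved outside the Windows directories. Real telemetry needs an allowlist for legitimate applications that ship unsigned helper DLLs, which is why the function returns reasons rather than a verdict.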
ToddyCat employs an array of custom tools and loaders in its campaigns, nearly all of them delivered through the same DLL side-loading technique. Notable among these tools are:
- CurLu Loader: a loader, distinct from CurKeep, whose job is to bring in and execute a further payload.
- CurCore: a versatile tool capable of creating files, executing remote commands, and interacting with files on the system.
- CurLog Loader: a further loader in the same family, reinforcing the pattern of many single-purpose, throwaway components.
One distinct backdoor, 'StylerServ,' acts as a passive listener: rather than beaconing out to a C2 server, it waits for inbound connections on five specific ports (60810 through 60814). It works with a specific XOR-encrypted configuration file ('stylers.bin'). While the exact purpose of StylerServ has not been disclosed, it is most likely a stealthy mechanism for serving configuration to other malware components on the host; a passive listener of this kind generates no outbound traffic of its own, so it has to be found on the endpoint rather than at the network edge.
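Two host-side checks follow from that description: look for a process listening on the named port range, and, once 'stylers.bin' is in hand, recover the XOR key so the configuration can be read. The Python below is an added example (not code from the reports or from the malware). The article gives only the port range and the fact that the file is XOR-encrypted; the `netstat -ano` output and the configuration text are constructed, and the single-byte repeating XOR key is an assumption made so the recovery step can be shown, not a known property of the real file.

```python
"""Added example: two triage checks for a StylerServ-style passive listener.

1. Parse 'netstat -ano' text and report processes listening on the watched port range.
2. Recover a single-byte XOR key from an encrypted config blob by scoring candidate
   plaintexts on how text-like they are (assumed scheme; the real key is not on the page).
The netstat output, PIDs and configuration text are constructed for this example.
"""
import re

STYLER_PORTS = range(60810, 60815)  # 60810 through 60814 inclusive

# Constructed 'netstat -ano' output; addresses and PIDs are invented.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:60810          0.0.0.0:0              LISTENING       4412
  TCP    0.0.0.0:60811          0.0.0.0:0              LISTENING       4412
  TCP    0.0.0.0:60814          0.0.0.0:0              LISTENING       4412
  TCP    10.0.0.5:49710         10.0.0.9:445           ESTABLISHED     4
  TCP    [::]:60812             [::]:0                 LISTENING       4412
  UDP    0.0.0.0:60813          *:*                                    4412
"""

# UDP rows have no State column, so the state group is optional and letters-only.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+([A-Z_]+)?\s*(\d+)\s*$")


def listeners_in_range(netstat_text, ports=STYLER_PORTS):
    """Return {pid: sorted list of ports} for sockets bound on the watched range."""
    found = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, _addr, port, state, pid = m.groups()
        port = int(port)
        if port in ports and (proto == "UDP" or state == "LISTENING"):
            found.setdefault(int(pid), set()).add(port)
    return {pid: sorted(p) for pid, p in found.items()}


# Constructed configuration text, encrypted below with an assumed one-byte key (0x5A).
CONFIG_PLAINTEXT = b"[stylers]\r\nports=60810-60814\r\nmode=proxy\r\nretry_max=30\r\n"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    ok = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return ok / max(len(data), 1)


def recover_single_byte_xor(blob: bytes, min_ratio: float = 0.95):
    """Try all 256 one-byte keys and keep the one whose output is most text-like.
    Returns (key, plaintext), or None when no key produces mostly printable output."""
    best = None
    for key in range(256):
        candidate = xor_bytes(blob, bytes([key]))
        ratio = printable_ratio(candidate)
        if best is None or ratio > best[0]:
            best = (ratio, key, candidate)
    if best[0] < min_ratio:
        return None
    return best[1], best[2]


if __name__ == "__main__":
    print("listeners on StylerServ ports:", listeners_in_range(SAMPLE_NETSTAT))
    blob = xor_bytes(CONFIG_PLAINTEXT, b"\x5a")
    key, text = recover_single_byte_xor(blob)
    print(f"recovered key 0x{key:02x}:\n{text.decode()}")
```

The listener check groups ports by PID so that one process owning several of the five ports stands out, which is the shape described for StylerServ. The key recovery returns `None` instead of a guess when nothing decrypts to text, so a blob protected by a longer key or a different scheme is reported as unknown rather than misread.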
ToddyCat's attacks are highly customized for specific regional targets, with variations in language, filenames, and themes. This level of customization enhances their ability to evade detection and attribution.
Despite the variety of tools used in these attacks, they all connect to the same infrastructure, which Kaspersky had previously linked to ToddyCat. That infrastructure overlap is the basis on which the activity is attributed to the group.
Shortly after Check Point's report, Kaspersky revealed a parallel cluster of activity from ToddyCat. This cluster employed legitimate VLC executables to load malware using DLL sideloading. Notable in this cluster is the 'Ninja Agent,' which offers capabilities for file management, reverse shells, process management, and more. Other tools used by ToddyCat in these attacks include LoFiSe, Cobalt Strike, DropBox Uploader, and a passive UDP backdoor.
These recent findings suggest that ToddyCat's activities are more extensive and varied than initially thought. The group's adaptability, its reuse of legitimate signed software as a loading vehicle, and its disposable malware tools make it a persistent threat to targeted organizations in the Asian telecom sector. Because the individual payloads change from one target to the next, defenders gain more from watching the recurring technique, such as signed binaries loading unsigned DLLs from user-writable paths and unexpected local listeners, than from chasing any single sample.