
ToddyCat APT group is using tailored loaders to deliver payloads


ToddyCat, an advanced APT group named in high-profile attacks in Europe and Asia, has expanded its set of loaders developed from scratch. The group started operations in 2020 and has typically used the Ninja Trojan and the Samurai Backdoor in its cyberattacks.

Cybersecurity researchers from Securelist have analysed the new loaders the group uses to deliver the Ninja Trojan. These loaders are disguised as 64-bit binaries and can be invoked through legitimate Windows utilities such as rundll32.exe, or sideloaded through trusted executables such as VLC.exe.

The loader reads an encrypted payload from a second file that sits in the same directory. Once that data has been loaded, it is decoded with an XOR key, which yields the XOR_KEY block.

This XOR_KEY block is then shuffled using a 64-byte IDX block as an index, and the shuffle produces a specific 256-byte XOR key. That key is used to decrypt the file’s contents, making the payload readable and executable.
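The key-derivation and decryption chain described above, modelled as an analyst-side decoder. This is an added example, not code from the article or from Securelist: the report does not give the exact index arithmetic of the shuffle, so the rule used here (IDX byte steers the read position into XOR_KEY) is an assumption, and all sample data is constructed.

```python
# Model of the loader's decryption chain as the article describes it:
#   XOR_KEY block  --shuffle by 64-byte IDX block-->  256-byte XOR key  --XOR-->  payload
# The index rule below is an ASSUMPTION (not taken from the report), chosen only so the
# round trip can be demonstrated on constructed data.

XOR_KEY_BLOCK_LEN = 256  # assumed size of the decoded XOR_KEY block
IDX_BLOCK_LEN = 64       # stated in the article
KEY_LEN = 256            # stated in the article


def derive_xor_key(xor_key_block: bytes, idx_block: bytes) -> bytes:
    """Shuffle XOR_KEY using IDX as an index table into a 256-byte key.

    Assumed rule: output byte i is read from XOR_KEY at position
    (idx[i % 64] + i) mod 256, so each IDX byte steers four output positions.
    """
    if len(idx_block) != IDX_BLOCK_LEN:
        raise ValueError("IDX block must be 64 bytes")
    if len(xor_key_block) != XOR_KEY_BLOCK_LEN:
        raise ValueError("XOR_KEY block must be 256 bytes")
    return bytes(
        xor_key_block[(idx_block[i % IDX_BLOCK_LEN] + i) % XOR_KEY_BLOCK_LEN]
        for i in range(KEY_LEN)
    )


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_payload(encrypted: bytes, xor_key_block: bytes, idx_block: bytes) -> bytes:
    """Derive the shuffled key, then strip the XOR layer from the payload file."""
    return xor_with_key(encrypted, derive_xor_key(xor_key_block, idx_block))


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check an analyst applies to a decrypted stage: DOS 'MZ' magic up front."""
    return blob[:2] == b"MZ"


# Constructed sample: a fake PE-like payload plus deterministic XOR_KEY and IDX blocks.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(200))
SAMPLE_XOR_KEY_BLOCK = bytes((i * 73 + 11) & 0xFF for i in range(XOR_KEY_BLOCK_LEN))
SAMPLE_IDX_BLOCK = bytes((i * 37) & 0xFF for i in range(IDX_BLOCK_LEN))
SAMPLE_ENCRYPTED = xor_with_key(
    SAMPLE_PAYLOAD, derive_xor_key(SAMPLE_XOR_KEY_BLOCK, SAMPLE_IDX_BLOCK)
)

if __name__ == "__main__":
    out = decrypt_payload(SAMPLE_ENCRYPTED, SAMPLE_XOR_KEY_BLOCK, SAMPLE_IDX_BLOCK)
    print("round trip ok:", out == SAMPLE_PAYLOAD, "| PE magic:", looks_like_pe(out))
```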

Figure: Attack methodology of the loaders. | Source: Securelist

The two variants labelled ‘Update A’ and ‘VLC A’ load their next stage into their own process’s address space. The decrypted payload is expected to be a library with an exported function named ‘Start’ or ‘_’, depending on the variant.

On the other hand, the variant VLC B behaves a bit differently. It creates a new process, ‘wusa.exe’ (Windows Update Standalone Installer), a legitimate Windows program found in the System32 directory. The trojan then injects the decrypted payload into the address space of this legitimate process and then runs it using the ‘CreateRemoteThread’ function.


Tailored loader

Notably, researchers have also observed ToddyCat using tailored loaders on specific targets. These loaders are customised for each victim’s system and use a unique decryption scheme to load a library especially tailored to the target environment.

The tailored loader has similarities with the variant VLC A, which means the attackers can reuse similar decryption and execution techniques. The tailored loader collected system-specific information with the help of the ‘GetVolumeNameForVolumeMountPointA’ function.

Figure: Code used to enter the storage. | Source: Securelist

The encrypted payload, stored in the user.key file, is specific to the targeted system, making analysis and detection more challenging.

The analysts believe this tactic improves the group’s chances of long-term persistence on the compromised systems.

The researchers further outlined the methods used by ToddyCat for lateral movement within compromised networks. This involves mounting network shares using compromised domain admin credentials, creating scheduled tasks to execute scripts on remote hosts, and carefully rotating credentials to maintain stealth.

ToddyCat has also been observed using third-party utilities, such as Dropbox uploader and a tool to exfiltrate data to Microsoft OneDrive, to carry out data theft and exfiltration.



Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
