ToddyCat

ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.[1][2]

ID: G1022
Version: 1.0
Created: 03 January 2024
Last Modified: 14 February 2024

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

ToddyCat has run net user %USER% /dom for account discovery.[2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

ToddyCat has leveraged xcopy, 7zip, and RAR to stage and compress collected documents prior to exfiltration.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

ToddyCat has used PowerShell scripts to perform post-exploitation collection.[2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

ToddyCat has used .bat scripts and cmd for execution on compromised hosts.[2]

Enterprise T1005 Data from Local System

ToddyCat has run scripts to collect documents from targeted hosts.[2]

Enterprise T1074 .002 Data Staged: Remote Data Staging

ToddyCat manually transferred collected files to an exfiltration host using xcopy.[2]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

ToddyCat has used a Dropbox uploader to exfiltrate stolen files.[2]

Enterprise T1190 Exploit Public-Facing Application

ToddyCat has exploited the ProxyLogon vulnerability (CVE-2021-26855) to compromise Exchange Servers at multiple organizations.[1]

Enterprise T1083 File and Directory Discovery

ToddyCat has run scripts to enumerate recently modified documents having either a .pdf, .doc, .docx, .xls or .xlsx extension.[2]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

ToddyCat has hidden malicious scripts using powershell.exe -windowstyle hidden.[2]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Prior to executing a backdoor, ToddyCat has run cmd /c start /b netsh advfirewall firewall add rule name="SGAccessInboundRule" dir=in protocol=udp action=allow localport=49683 to allow the targeted system to receive UDP packets on port 49683.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

ToddyCat has used the name debug.exe for malware components.[1]

Enterprise T1106 Native API

ToddyCat has used WinExec to execute commands received from C2 on compromised hosts.[2]

Enterprise T1095 Non-Application Layer Protocol

ToddyCat has used a passive backdoor that receives commands with UDP packets.[2]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

ToddyCat has executed net group "domain admins" /dom for discovery on compromised machines.[2]

Enterprise T1566 .003 Phishing: Spearphishing via Service

ToddyCat has sent loaders configured to run Ninja as zip archives via Telegram.[1]

Enterprise T1057 Process Discovery

ToddyCat has run cmd /c start /b tasklist to enumerate processes.[2]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

ToddyCat has used locally mounted network shares for lateral movement through targeted environments.[2]

Enterprise T1018 Remote System Discovery

ToddyCat has used ping %REMOTE_HOST% for post-exploitation discovery.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

ToddyCat has used scheduled tasks to execute discovery commands and scripts for collection.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

ToddyCat can determine if Kaspersky software is running on an endpoint by running cmd /c wmic process where name="avp.exe".[2]

Enterprise T1082 System Information Discovery

ToddyCat has collected information on bootable drives including model, vendor, and serial numbers.[2]

Enterprise T1049 System Network Connections Discovery

ToddyCat has used netstat -anop tcp to discover TCP connections to compromised hosts.[2]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

ToddyCat has used compromised domain admin credentials to mount local network shares.[2]

Enterprise T1047 Windows Management Instrumentation

ToddyCat has used WMI to execute scripts for post-exploitation document collection.[2]
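Detection logic for the command lines quoted in the table above, added here as an example and not part of the ATT&CK entry: it tags process-creation command lines with the matching technique ID and flags a host only when several distinct techniques occur close together, since any one of these commands alone is routine administration. The host names, timestamps, 600-second window and threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Patterns built from the command lines quoted in the table above.
RULES = [
    ("T1087.002", re.compile(r'\bnet1?(?:\.exe)?\s+user\s+\S+\s+/dom', re.I)),
    ("T1069.002", re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?\s+/dom', re.I)),
    ("T1564.003", re.compile(r'\bpowershell(?:\.exe)?\s.*-w[a-z]*\s+hidden', re.I)),
    ("T1562.004", re.compile(r'\bnetsh\b.*advfirewall\s+firewall\s+add\s+rule\b'
                             r'(?=.*dir=in)(?=.*action=allow)', re.I)),
    ("T1057",     re.compile(r'\bstart\s+/b\s+tasklist\b', re.I)),
    ("T1518.001", re.compile(r'\bwmic\b.*process\s+where\s+name="?avp\.exe', re.I)),
    ("T1049",     re.compile(r'\bnetstat\s+-anop\s+tcp\b', re.I)),
]

def tag(cmdline):
    """Return the technique IDs whose pattern matches one command line."""
    return [tid for tid, rx in RULES if rx.search(cmdline)]

def correlate(events, window=600, threshold=3):
    """Flag hosts with >= threshold distinct techniques inside `window` seconds."""
    by_host = defaultdict(list)
    for ts, host, cmd in events:
        for tid in tag(cmd):
            by_host[host].append((ts, tid))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {tid for ts, tid in hits[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample events: (epoch seconds, host, command line).
SAMPLE = [
    (1000, "WS-014", 'cmd /c start /b tasklist'),
    (1030, "WS-014", 'cmd /c wmic process where name="avp.exe"'),
    (1090, "WS-014", 'cmd /c start /b netsh advfirewall firewall add rule '
                     'name="SGAccessInboundRule" dir=in protocol=udp action=allow localport=49683'),
    (1200, "WS-014", 'net group "domain admins" /dom'),
    (2000, "HELPDESK-02", 'net user jsmith /dom'),     # isolated admin lookup
    (9000, "HELPDESK-02", 'netstat -anop tcp'),        # hours later, no cluster
]

if __name__ == "__main__":
    for host, techniques in correlate(SAMPLE).items():
        print(host, techniques)
```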

Software

ID Name References Techniques
S0020 China Chopper [1] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0154 Cobalt Strike [2] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S1101 LoFiSe [2] Archive Collected Data, Automated Collection, Data from Local System, Data Staged: Local Data Staging, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading
S0039 Net [2] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat [2] System Network Connections Discovery
S1100 Ninja [1] Application Layer Protocol: Web Protocols, Create or Modify System Process: Windows Service, Data Encoding: Non-Standard Encoding, Data Obfuscation, Data Obfuscation: Protocol Impersonation, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Environmental Keying, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Indicator Removal: Timestomp, Inter-Process Communication, Masquerading: Match Legitimate Name or Location, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, Phishing: Spearphishing via Service, Process Discovery, Process Injection, Proxy: Multi-hop Proxy, Proxy: Internal Proxy, Scheduled Transfer, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, User Execution: Malicious File
S1102 Pcexter [2] Data from Local System, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading
S0097 Ping [2] Remote System Discovery
S1099 Samurai [1] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Compile After Delivery, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information, Proxy, Query Registry, Software Discovery

References