Kaspersky Labs published an article detailing activities they observed from ToddyCat, an APT threat actor targeting government and defense organizations in the Asia Pacific region. Kaspersky focused on the tools and techniques ToddyCat employed for traffic tunneling and data collection.
Kaspersky observed ToddyCat dropping and configuring OpenSSH on compromised Windows hosts. A scheduled task was then created to regularly build a secure shell (SSH) connection to an external IP address. Commonly accessible ports (such as 53 and 445) were used to forward traffic to the target host.
As a fallback method, ToddyCat installed SoftEther VPN (virtual private network) on infected hosts. The executable was disguised as a legitimate security product or a third-party application that might come preinstalled on a machine. To get these tools onto infected machines, ToddyCat staged them on shared drives or transferred them from remote web hosts using curl.
ToddyCat also maintained access to compromised hosts by combining the Ngrok agent with Krong. Ngrok is a “lightweight agent that can redirect traffic from endpoints to cloud infrastructure and vice versa.” ToddyCat used Ngrok to route command and control (C2) traffic from a legitimate cloud provider to compromised machines. Krong is a “DLL file side-loaded with a legitimate application digitally signed by AVG TuneUp.” Krong listens on the port Ngrok forwards traffic to and XOR-encrypts that traffic, which lets it evade network inspection.
Both the OpenSSH and SoftEther VPN connections terminate at an FRP (fast reverse proxy) client. This client is a “reverse proxy executable that allows access from the internet to a local machine behind a NAT or Firewall.”
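The tunneling behaviour described above leaves a recognisable network footprint: an SSH client launched by the task scheduler reaching an external address on port 53 or 445, or any run of the Ngrok agent or the FRP client. The following detection logic is an added example, not code from Kaspersky or Lumifi; it runs over constructed, Sysmon-style network-connection events (one JSON object per line), and the filename `frpc.exe` for the FRP client, the scheduled-task parent heuristic and the internal address ranges are assumptions to be adjusted to your environment.

```python
"""Flag outbound tunneling of the kind described above: ssh.exe talking to an
external host on a "commonly accessible" port such as 53 or 445 (and launched
by the task scheduler), plus any run of the Ngrok agent or FRP client.
The events below are constructed, Sysmon-style network-connection records
(one JSON object per line), not real telemetry."""
import ipaddress
import json
from typing import Dict, List

# Tunnelling binaries named in the write-up. "frpc.exe" as the FRP client's
# filename is an assumption; adjust to whatever your EDR actually reports.
TUNNEL_BINARIES = {"ngrok.exe", "frpc.exe"}
# Ports the write-up says were used to carry SSH; legitimate SSH rarely uses them.
SUSPICIOUS_SSH_PORTS = {53, 445}
# Parents under which scheduled tasks normally run (heuristic, not authoritative).
TASK_PARENTS = {"svchost.exe", "taskeng.exe"}
# Address space treated as internal; add your organisation's public ranges here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_external(ip: str) -> bool:
    """True when the address is outside every INTERNAL_NETS range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def classify(event: Dict) -> List[str]:
    """Return the rule names one event triggers (empty list means benign)."""
    hits: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    port = int(event.get("DestinationPort", 0))
    if image in TUNNEL_BINARIES:
        hits.append("tunnel-binary")
    if image == "ssh.exe" and is_external(event.get("DestinationIp", "")):
        if port in SUSPICIOUS_SSH_PORTS:
            hits.append("ssh-external-odd-port")
        if parent in TASK_PARENTS:
            hits.append("ssh-from-scheduled-task")
    return hits


def scan(lines) -> List[Dict]:
    """Run classify() over JSON lines and keep only the events that matched."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        rules = classify(event)
        if rules:
            findings.append({"host": event["Computer"], "user": event["User"],
                             "image": basename(event["Image"]), "rules": rules})
    return findings


# Constructed sample: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = r"""
{"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Users\\Public\\ssh.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "203.0.113.10", "DestinationPort": "53"}
{"Computer": "ADM01", "User": "CORP\\admin1", "Image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "DestinationIp": "10.20.30.40", "DestinationPort": "22"}
{"Computer": "WS02", "User": "CORP\\asmith", "Image": "C:\\Users\\asmith\\AppData\\Local\\Temp\\ngrok.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "DestinationIp": "198.51.100.7", "DestinationPort": "443"}
{"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "DestinationIp": "198.51.100.20", "DestinationPort": "443"}
{"Computer": "WS03", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\ProgramData\\ssh.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "203.0.113.10", "DestinationPort": "22"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

The second sample line (an administrator running the system OpenSSH client to an internal host on port 22) is deliberately left unflagged: the rules key on the external destination, the odd port and the scheduled-task parent rather than on the presence of ssh.exe alone, which keeps legitimate administrative SSH out of the alert queue.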
Data Collection Tools
ToddyCat’s main interest is in collecting and exfiltrating data from their targets. They employ several custom tools to find, collect, and package information from their targets. One such tool, deemed “Cuthead,” allows searching the file system for files that match specific keywords, file extensions, and creation date ranges. Any hits for the search criteria are then copied to a password-protected zip file for later exfiltration.
Another custom tool developed by ToddyCat, called WAExp, is designed to steal WhatsApp data from Chrome, Firefox, and Edge browsers. Using the WhatsApp web app stores user profile details, chat data, phone numbers of conversation participants, and current session data within the browser’s local storage. Any attacker can simply copy this data from the browser’s local storage to gain access to it. WAExp provides functionality to search for WhatsApp local database files and package them into a zip file for exfiltration.
A third custom tool ToddyCat created was named “TomBerBil” by Kaspersky. The tool’s purpose is to steal passwords and cookies saved in Chrome and Edge. This data is stored encrypted on the host, so the tool must identify all users on a machine and then masquerade as those users to attempt to decrypt these items. If successful, it has further functionality to stage and zip this data for exfiltration.
Lumifi Analyst Comment
ToddyCat is known to target governmental organizations located in the Asia-Pacific region. Hunting specifically for custom tools, such as WAExp or TomBerBil, does not appear to be the most efficient use of time and energy. ToddyCat’s tools, techniques, and procedures demonstrate the strategies a determined attacker will employ to maintain access to and steal data from a network. Other APT groups and ransomware actors likely overlap with ToddyCat in tactics, though they may use commodity tools to accomplish the same goals. Threat actors are also often determined to maintain multiple points of access and to exfiltrate large amounts of data for additional extortion pressure.
Kaspersky closes with three recommendations for organizations that are generally applicable to all organizations. Defenders should block traffic to IP addresses and cloud resources that provide traffic tunneling. Trend Micro published a report specifically on ngrok that provides some excellent mitigation strategies. These include blocking ngrok’s IP space, DNS requests to ngrok[.]io, and HTTPS connections to ngrok[.]io. Defenders can also utilize EDR to monitor and block installation of ngrok. If ngrok is used legitimately in the environment, it should be limited to a few users and machines, and any additional usage should be treated as suspicious.
Organizations should also standardize the tools and processes administrators use to access hosts remotely. This requires both organizational and managerial support: choosing a single remote access solution and deciding who has access to it, as well as technical controls to monitor for usage outside these parameters. Once a standard remote access tool is provided to a small group of users, any usage outside of that tool or group can be deemed suspicious.
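The two recommendations above (ngrok limited to a known few, one standard remote access tool held by a small group) translate directly into allowlist-based detection logic. The code below is an added example, not code from Kaspersky, Trend Micro or Lumifi; the standard tool name `ApprovedRemote.exe`, the approved user/host pairs, and the process and DNS events are all constructed, and the list of other remote-access clients is illustrative rather than complete.

```python
"""Allowlist-based detection for the two recommendations above: (1) ngrok DNS
queries or executions by anyone not explicitly approved, and (2) remote-access
clients other than the organisation's standard one, or the standard one run by
a user/host pair outside the approved group. Tool names, users and events are
constructed for illustration."""
import json
from typing import Dict, List, Set, Tuple

# The organisation's chosen remote-access client (constructed placeholder name).
STANDARD_TOOL = "approvedremote.exe"
# Other remote-access clients that should not appear once a standard is set (examples).
OTHER_REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}
# (user, host) pairs allowed to run the standard tool; anything else is suspicious.
APPROVED_PAIRS: Set[Tuple[str, str]] = {("corp\\admin1", "ADM01"), ("corp\\admin2", "ADM02")}
# (user, host) pairs with a business reason to use ngrok; empty means "nobody".
NGROK_ALLOWED: Set[Tuple[str, str]] = set()
# Domain from the Trend Micro guidance cited above; add any newer ngrok domains you observe.
NGROK_DOMAINS = ("ngrok.io",)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_ngrok_domain(name: str) -> bool:
    """Match the domain itself and any subdomain (tunnel endpoints are subdomains)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in NGROK_DOMAINS)


def classify(event: Dict) -> List[str]:
    """Return the rule names one event triggers (empty list means benign)."""
    hits: List[str] = []
    who = (event.get("User", "").lower(), event.get("Computer", ""))
    kind = event.get("EventType")
    if kind == "DnsQuery":
        if is_ngrok_domain(event.get("QueryName", "")) and who not in NGROK_ALLOWED:
            hits.append("ngrok-dns-query")
    elif kind == "ProcessCreate":
        image = basename(event.get("Image", ""))
        if image == "ngrok.exe" and who not in NGROK_ALLOWED:
            hits.append("ngrok-execution")
        elif image in OTHER_REMOTE_TOOLS:
            hits.append("non-standard-remote-tool")
        elif image == STANDARD_TOOL and who not in APPROVED_PAIRS:
            hits.append("standard-tool-unapproved-user")
    return hits


def scan(lines) -> List[Dict]:
    """Run classify() over JSON lines and keep only the events that matched."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        rules = classify(event)
        if rules:
            findings.append({"host": event["Computer"], "user": event["User"], "rules": rules})
    return findings


# Constructed sample events (Sysmon-style process-create and DNS-query records).
SAMPLE_EVENTS = r"""
{"EventType": "ProcessCreate", "Computer": "ADM01", "User": "CORP\\admin1", "Image": "C:\\Program Files\\ApprovedRemote\\ApprovedRemote.exe"}
{"EventType": "ProcessCreate", "Computer": "WS07", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\ApprovedRemote.exe"}
{"EventType": "ProcessCreate", "Computer": "WS07", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\AppData\\Local\\AnyDesk\\AnyDesk.exe"}
{"EventType": "DnsQuery", "Computer": "WS07", "User": "CORP\\jdoe", "QueryName": "abcd1234.tcp.ngrok.io"}
{"EventType": "DnsQuery", "Computer": "ADM01", "User": "CORP\\admin1", "QueryName": "www.example.com"}
{"EventType": "ProcessCreate", "Computer": "WS09", "User": "CORP\\bwu", "Image": "C:\\Users\\bwu\\Desktop\\ngrok.exe"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Only the first process event (the standard tool on an administrator workstation by an approved administrator) and the ordinary DNS query pass; every other record is the kind of "usage outside these parameters" the text says should be treated as suspicious. Keeping `APPROVED_PAIRS` and `NGROK_ALLOWED` as explicit data, rather than buried in the rules, is what makes the policy reviewable by the managers who own the decision.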
Finally, users should not store passwords in their browsers. While built-in browser services are convenient for users and have some basic security controls (passwords aren’t stored in plaintext), they are not the right solution for saving and managing passwords in a corporate environment. A better practice is to utilize a third-party password management solution that can protect the password vault with two-factor authentication. Browsers should be centrally managed so that they cannot store credentials natively.
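Managing browsers so they cannot store credentials comes down to a handful of enterprise policies, and the weak state is easy to audit. The code below is an added example, not from the report or from Lumifi: it parses a Windows registry export covering the Chrome and Edge policy keys and a Firefox `policies.json`, then lists every policy that is missing or still permits password saving. The policy names (`PasswordManagerEnabled` for Chrome and Edge, `OfferToSaveLogins` for Firefox) are the browsers' documented enterprise policies; the weak and corrected configurations are constructed samples.

```python
"""Audit whether managed browsers are prevented from saving passwords, as the
recommendation above asks. Inputs are a Windows registry export (.reg text)
covering the Chrome and Edge policy keys, and a Firefox policies.json. The
policy names are the browsers' documented ones; the sample configurations are
constructed, with a weak and a corrected version side by side."""
import json
import re
from typing import Dict, List, Tuple

# Registry policy values that disable the built-in password manager (lower-cased
# because the Windows registry is case-insensitive).
REQUIRED_REG: Dict[Tuple[str, str], int] = {
    (r"hkey_local_machine\software\policies\google\chrome", "passwordmanagerenabled"): 0,
    (r"hkey_local_machine\software\policies\microsoft\edge", "passwordmanagerenabled"): 0,
}
# Firefox reads its enterprise policies from distribution/policies.json.
FIREFOX_REQUIRED = {"OfferToSaveLogins": False}

_VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> Dict[Tuple[str, str], int]:
    """Parse the subset of .reg syntax needed here: [key] sections with DWORD values."""
    values: Dict[Tuple[str, str], int] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key is not None:
            m = _VALUE_RE.match(line)
            if m:
                values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit(reg_text: str, firefox_policies: str) -> List[str]:
    """Return one finding per policy that is missing or still allows password saving."""
    findings: List[str] = []
    reg = parse_reg_export(reg_text)
    for (key, name), wanted in REQUIRED_REG.items():
        actual = reg.get((key, name))
        if actual != wanted:
            findings.append(f"{key}\\{name}: expected {wanted}, found {actual}")
    policies = json.loads(firefox_policies).get("policies", {})
    for name, wanted in FIREFOX_REQUIRED.items():
        actual = policies.get(name)
        if actual is not wanted:
            findings.append(f"firefox policies.json {name}: expected {wanted}, found {actual}")
    return findings


# Constructed weak state: Chrome explicitly allows saving, Edge has no policy, Firefox is silent.
WEAK_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"PasswordManagerEnabled"=dword:00000001
"""
WEAK_FIREFOX = '{"policies": {"DisableTelemetry": true}}'

# Constructed corrected state: all three browsers refuse to store credentials.
HARDENED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"PasswordManagerEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
"PasswordManagerEnabled"=dword:00000000
"""
HARDENED_FIREFOX = '{"policies": {"OfferToSaveLogins": false}}'

if __name__ == "__main__":
    for line in audit(WEAK_REG, WEAK_FIREFOX):
        print("FAIL:", line)
    print("hardened findings:", audit(HARDENED_REG, HARDENED_FIREFOX))
```

A missing key is reported as a failure rather than ignored, because an absent policy leaves the browser at its default of offering to save passwords, which is exactly the state TomBerBil targets.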