Chinese APT group ToddyCat launches new cyber-espionage campaigns


Researchers warn of renewed attacks against high-profile organizations launched by a Chinese APT actor known in the industry as ToddyCat. The group has been refining both its tactics and its malware toolset since 2020, when it was originally discovered.

In a new report this week, researchers from security firm Check Point Software Technologies documented a ToddyCat campaign they dubbed “Stayin’ Alive” that targeted organizations from Asian countries primarily from the telecom and government sectors.

“The Stayin’ Alive campaign consists of mostly downloaders and loaders, some of which are used as an initial infection vector against high-profile Asian organizations,” the Check Point researchers said. “The first downloader found called CurKeep, targeted Vietnam, Uzbekistan, and Kazakhstan. As we conducted our analysis, we realized that this campaign is part of a much wider campaign targeting the region.”

In a separate report this week, researchers from Kaspersky Lab also documented a new generation of malware loaders used by ToddyCat in recent attacks, including some that seem to be tailored for each victim. The Kaspersky researchers originally uncovered ToddyCat activities in late 2020 after the group targeted high-profile Asian and European organizations.

DLL side-loading a favored ToddyCat technique

One of ToddyCat's favorite ways of deploying malware on computers is a technique called DLL side-loading. This involves finding a legitimate executable from an application that searches for a particular DLL file in its own directory and then replacing that DLL with a malicious one.

Because the originally executed file belongs to a legitimate application or service, it’s likely to be digitally signed and whitelisted in some security products. The attackers hope that the subsequent loading of a malicious DLL by a legitimate executable won’t be detected or blocked.
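A defender-side illustration of the point above: the tell-tale pattern is an executable loading a DLL from its own directory that does not carry a valid signature. The script below is an added example, not code from the Check Point or Kaspersky reports; the field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus) and the records are constructed samples, not real telemetry.

```python
"""Heuristic for DLL side-loading: flag image-load records where an executable
loads a DLL from its own directory, outside the Windows system directories,
and that DLL does not carry a valid signature."""
from pathlib import PureWindowsPath

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Constructed sample records in Sysmon Event ID 7 style; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\archive\vendorapp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\archive\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\vendorapp.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\vendorapp.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Expired"},
]

def parent_dir(path):
    """Lower-cased directory part of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()

def is_side_load_candidate(event):
    """Return a reason string if the record matches the heuristic, else None."""
    exe_dir = parent_dir(event["Image"])
    dll_dir = parent_dir(event["ImageLoaded"])
    if dll_dir in SYSTEM_DIRS:
        return None          # DLL resolved from a system directory: expected
    if dll_dir != exe_dir:
        return None          # not loaded from the executable's own folder
    signed_ok = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    if signed_ok:
        return None          # side-by-side DLL with a valid signature
    dll_name = PureWindowsPath(event["ImageLoaded"]).name
    return f"DLL {dll_name} without valid signature loaded from {exe_dir}"

def scan(events):
    """Yield (loader, dll, reason) for every record the heuristic flags."""
    return [(e["Image"], e["ImageLoaded"], r)
            for e in events if (r := is_side_load_candidate(e))]

if __name__ == "__main__":
    for image, dll, reason in scan(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {reason}")
```

Tune the allow-conditions (for example, per-publisher exceptions for applications that legitimately ship private copies of DLLs) before using this as an alert rule, otherwise installers under Program Files will generate noise.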

In the past, ToddyCat exploited vulnerabilities in publicly exposed Microsoft Exchange servers, but it also delivers malware through spear-phishing emails with malicious archives attached. These archives contain the legitimate executables together with the rogue…
