
ToddyCat

ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)
ID: G1022
Associated Groups: 
Version: 1.0
Created: 03 Jan 2024
Last Modified: 14 Feb 2024


Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

ToddyCat has run `net user %USER% /dom` for account discovery.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

ToddyCat has leveraged xcopy, 7zip, and RAR to stage and compress collected documents prior to exfiltration.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

ToddyCat has used PowerShell scripts to perform post-exploitation collection.(Citation: Kaspersky ToddyCat Check Logs October 2023)

.003 Command and Scripting Interpreter: Windows Command Shell

ToddyCat has used .bat scripts and `cmd` for execution on compromised hosts.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1074 .002 Data Staged: Remote Data Staging

ToddyCat manually transferred collected files to an exfiltration host using xcopy.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

ToddyCat has used a Dropbox uploader to exfiltrate stolen files.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1564 .003 Hide Artifacts: Hidden Window

ToddyCat has hidden malicious scripts using `powershell.exe -windowstyle hidden`.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Prior to executing a backdoor, ToddyCat has run `cmd /c start /b netsh advfirewall firewall add rule name="SGAccessInboundRule" dir=in protocol=udp action=allow localport=49683` to open inbound UDP port 49683 on the targeted system so the backdoor can receive packets there.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

ToddyCat has used the name `debug.exe` for malware components.(Citation: Kaspersky ToddyCat June 2022)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

ToddyCat has executed `net group "domain admins" /dom` for discovery on compromised machines.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1566 .003 Phishing: Spearphishing via Service

ToddyCat has sent loaders configured to run Ninja as zip archives via Telegram.(Citation: Kaspersky ToddyCat June 2022)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

ToddyCat has used locally mounted network shares for lateral movement through targeted environments.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

ToddyCat has used scheduled tasks to execute discovery commands and scripts for collection.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

ToddyCat can determine if Kaspersky software is running on an endpoint by running `cmd /c wmic process where name="avp.exe"`.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

ToddyCat has used compromised domain admin credentials to mount local network shares.(Citation: Kaspersky ToddyCat Check Logs October 2023)
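
The technique rows above quote the exact command lines Kaspersky observed, which makes them directly usable as process-creation hunting rules. The script below is an added example, not part of the ATT&CK entry or the Kaspersky reports: it turns the `net user ... /dom`, `net group "domain admins" /dom`, `netsh advfirewall ... add rule`, `powershell.exe -windowstyle hidden`, `wmic process where name="avp.exe"` and 7zip/RAR rows into regexes, runs them over a few constructed pipe-delimited process-creation records (Sysmon event 1 or Windows 4688 exported as text; the format, host names and user names are assumptions), and groups hits per host so the multi-stage chain stands out from a lone `net user`. The tolerant pattern variants (`net1`, `.exe` suffixes, the `-w` abbreviation of `-windowstyle`) are also assumptions, added so trivial rewrites of the observed commands still match.

```python
"""Hunt for the ToddyCat command lines listed in the technique table above.

Added example: regex rules built from the observed commands, run over
pipe-delimited process-creation records (assumed export format:
timestamp|host|user|parent image|command line).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str   # ATT&CK (sub-)technique ID from the table above
    name: str
    pattern: re.Pattern


# Patterns derived from the command lines in the technique table. The
# tolerant variants (net1, .exe suffixes, -w for -windowstyle) are
# assumptions so trivial rewrites of the observed commands still match.
RULES = [
    Rule("T1087.002", "net user <account> /dom",
         re.compile(r'\bnet1?(?:\.exe)?\s+user\b.*\s/dom(?:ain)?\b', re.I)),
    Rule("T1069.002", 'net group "domain admins" /dom',
         re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?.*\s/dom(?:ain)?\b', re.I)),
    Rule("T1562.004", "netsh advfirewall inbound allow rule",
         re.compile(r'\bnetsh\b.*\badvfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b.*\baction=allow\b', re.I)),
    Rule("T1564.003", "powershell -windowstyle hidden",
         re.compile(r'\bpowershell(?:\.exe)?\b.*-w(?:indowstyle)?\s+hidden\b', re.I)),
    Rule("T1518.001", "wmic process query for avp.exe",
         re.compile(r'\bwmic\b.*\bprocess\s+where\b.*avp\.exe', re.I)),
    Rule("T1560.001", "7zip/RAR archive creation",
         re.compile(r'\b(?:7za?|winrar|rar)(?:\.exe)?\s+a\b', re.I)),
]

# Constructed sample records (not real telemetry). The WS-0142 lines replay
# the chain from the table; the SRV-FW01 line is a benign netsh query that
# must not fire.
SAMPLE_LOG = """\
2023-10-12T08:14:02Z|WS-0142|CORP\\jdoe|explorer.exe|"C:\\Windows\\System32\\notepad.exe" C:\\Users\\jdoe\\notes.txt
2023-10-12T08:15:40Z|WS-0142|CORP\\jdoe|cmd.exe|net user jdoe /dom
2023-10-12T08:15:41Z|WS-0142|CORP\\jdoe|cmd.exe|net group "domain admins" /dom
2023-10-12T08:16:03Z|WS-0142|CORP\\jdoe|cmd.exe|cmd /c start /b netsh advfirewall firewall add rule name="SGAccessInboundRule" dir=in protocol=udp action=allow localport=49683
2023-10-12T08:16:30Z|WS-0142|CORP\\jdoe|cmd.exe|cmd /c wmic process where name="avp.exe"
2023-10-12T08:17:12Z|WS-0142|CORP\\jdoe|cmd.exe|powershell.exe -windowstyle hidden -File C:\\ProgramData\\collect.ps1
2023-10-12T08:20:55Z|WS-0142|CORP\\jdoe|cmd.exe|7z.exe a -p C:\\ProgramData\\docs.7z C:\\Users\\jdoe\\Documents\\*.docx
2023-10-12T09:01:00Z|SRV-FW01|CORP\\svc_admin|services.exe|netsh advfirewall show allprofiles
"""


def parse_event(line):
    """Split one record; the command line itself may contain '|', so split at most 4 times."""
    timestamp, host, user, parent, cmdline = line.split("|", 4)
    return {"timestamp": timestamp, "host": host, "user": user,
            "parent": parent, "cmdline": cmdline}


def match_rules(cmdline):
    """Return the technique IDs whose pattern matches this command line."""
    return [rule.technique for rule in RULES if rule.pattern.search(cmdline)]


def hunt(log_text):
    """Run every rule over every record; return (timestamp, host, user, techniques, cmdline) hits."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_event(raw)
        techniques = match_rules(event["cmdline"])
        if techniques:
            hits.append((event["timestamp"], event["host"], event["user"],
                         techniques, event["cmdline"]))
    return hits


def summarize(hits):
    """Distinct techniques per host: one net user is noise, several stages on one host is the chain."""
    per_host = {}
    for _, host, _, techniques, _ in hits:
        per_host.setdefault(host, set()).update(techniques)
    return per_host


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for timestamp, host, user, techniques, cmdline in hits:
        print(f"{timestamp} {host} {user} {','.join(techniques)}: {cmdline}")
    for host, techniques in summarize(hits).items():
        print(f"{host}: {len(techniques)} distinct ToddyCat techniques")
```

The per-host summary is the part worth keeping in a real deployment: each individual rule (especially `net user ... /dom` and archiving with 7zip) will fire on administrators, but the same host producing domain-group discovery, a new inbound firewall rule, a hidden PowerShell window and an archive within minutes matches the sequence Kaspersky describes and is worth a ticket.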

Software

ID Name References Techniques
S1100 Ninja (Citation: Kaspersky ToddyCat June 2022) Rundll32, Encrypted/Encoded File, Match Legitimate Resource Name or Location, Malicious File, Symmetric Cryptography, Windows Service, DLL, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Scheduled Transfer, System Network Configuration Discovery, File and Directory Discovery, Process Discovery, Multi-hop Proxy, Inter-Process Communication, Data Obfuscation, Non-Application Layer Protocol, Protocol or Service Impersonation, Non-Standard Encoding, Web Protocols, Environmental Keying, Spearphishing via Service, Internal Proxy, Compression
S0039 Net (Citation: Kaspersky ToddyCat Check Logs October 2023) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S1101 LoFiSe (Citation: Kaspersky ToddyCat Check Logs October 2023) Local Data Staging, DLL, Automated Collection, Data from Local System, Archive Collected Data, File and Directory Discovery
S0104 netstat (Citation: Kaspersky ToddyCat Check Logs October 2023) (Citation: TechNet Netstat) System Network Connections Discovery
S0020 China Chopper (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018) (Citation: Kaspersky ToddyCat June 2022) (Citation: Lee 2013) (Citation: Rapid7 HAFNIUM Mar 2021) Password Guessing, Data from Local System, Timestomp, Web Shell, File and Directory Discovery, Windows Command Shell, Software Packing, Web Protocols, Network Service Discovery, Ingress Tool Transfer
S0154 Cobalt Strike (Citation: Kaspersky ToddyCat Check Logs October 2023) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S1099 Samurai (Citation: Kaspersky ToddyCat June 2022) Standard Encoding, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, Native API, Data from Local System, Modify Registry, Proxy, File and Directory Discovery, Obfuscated Files or Information, Non-Application Layer Protocol, Query Registry, Compile After Delivery, Windows Command Shell, Web Protocols, Software Discovery, Ingress Tool Transfer, Dynamic API Resolution, Compression
S0097 Ping (Citation: Kaspersky ToddyCat Check Logs October 2023) (Citation: TechNet Ping) Remote System Discovery
S1102 Pcexter (Citation: Kaspersky ToddyCat Check Logs October 2023) DLL, Data from Local System, File and Directory Discovery, Exfiltration to Cloud Storage
