ToddyCat

ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)
ID: G1022
Associated Groups: 
Created: 03 Jan 2024
Last Modified: 14 Feb 2024

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

ToddyCat has run `net user %USER% /dom` for account discovery.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

ToddyCat has leveraged xcopy, 7zip, and RAR to stage and compress collected documents prior to exfiltration.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

ToddyCat has used PowerShell scripts to perform post-exploitation collection.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

ToddyCat has used .bat scripts and `cmd` for execution on compromised hosts.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1074 .002 Data Staged: Remote Data Staging

ToddyCat manually transferred collected files to an exfiltration host using xcopy.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

ToddyCat has used a Dropbox uploader to exfiltrate stolen files.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1564 .003 Hide Artifacts: Hidden Window

ToddyCat has hidden malicious scripts using `powershell.exe -windowstyle hidden`.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Prior to executing a backdoor ToddyCat has run `cmd /c start /b netsh advfirewall firewall add rule name="SGAccessInboundRule" dir=in protocol=udp action=allow localport=49683` to allow the targeted system to receive UDP packets on port 49683.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

ToddyCat has used the name `debug.exe` for malware components.(Citation: Kaspersky ToddyCat June 2022)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

ToddyCat has executed `net group "domain admins" /dom` for discovery on compromised machines.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1566 .003 Phishing: Spearphishing via Service

ToddyCat has sent loaders configured to run Ninja as zip archives via Telegram.(Citation: Kaspersky ToddyCat June 2022)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

ToddyCat has used locally mounted network shares for lateral movement through targeted environments.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

ToddyCat has used scheduled tasks to execute discovery commands and scripts for collection.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

ToddyCat can determine whether Kaspersky software is running on an endpoint by running `cmd /c wmic process where name="avp.exe"`.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

ToddyCat has used compromised domain admin credentials to mount local network shares.(Citation: Kaspersky ToddyCat Check Logs October 2023)
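Most of the behaviours in the table above leave a process-creation record (Sysmon Event ID 1 or Security 4688 with command-line auditing) that a defender can match on. The following is an added example of such matching, written for this page; it is not code from MITRE ATT&CK or from the Kaspersky reports it cites. The sample events are constructed, the six suspicious command lines reproduce the ones quoted on this page, and two design choices are assumptions: inbound allow rules on the ports in `EXPECTED_INBOUND_PORTS` are treated as normal, and `MsMpEng.exe` (Windows Defender) is added beside the page's `avp.exe` as a second security process worth watching for.

```python
"""Match ToddyCat-style command lines from process-creation records.

Added example for this page, not ATT&CK or Kaspersky code. Covers the
discovery (T1087.002, T1069.002), firewall modification (T1562.004), hidden
window (T1564.003), security software discovery (T1518.001) and remote staging
(T1074.002) entries in the techniques table.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon Event ID 1 style records, reduced to the fields the rules use.
# The first six mirror command lines quoted on this page; the last two are benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net  user jsmith /dom"},
    {"host": "ws01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "domain admins" /dom'},
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c start /b netsh advfirewall firewall add rule name="SGAccessInboundRule" '
                'dir=in protocol=udp action=allow localport=49683'},
    {"host": "srv02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -windowstyle hidden -f C:\Users\Public\collect.ps1"},
    {"host": "srv02", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c wmic process where name="avp.exe"'},
    {"host": "srv02", "image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy /s /e C:\Users\Public\docs \\10.0.0.5\c$\tmp\stage"},
    {"host": "ws03", "image": r"C:\Windows\System32\net.exe", "cmdline": "net use"},
    {"host": "ws03", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Allow Outbound Update" '
                'dir=out protocol=tcp action=allow remoteport=443'},
]


@dataclass(frozen=True)
class Hit:
    host: str
    technique: str
    note: str


NET_DOMAIN_RE = re.compile(r"\bnet1?\s+(user|group)\b.*\s/dom(ain)?\b", re.I)
PS_HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden\b", re.I)  # -w / -win / -windowstyle hidden
WMIC_PROC_RE = re.compile(r"\bwmic\s+process\s+where\s+name\s*=\s*\"?([\w.-]+)", re.I)
NETSH_KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")  # key=value, value may be quoted
UNC_DEST_RE = re.compile(r"\\\\[\w.-]+\\\S+")  # \\host\share\path

# avp.exe is the process quoted on the page; MsMpEng.exe (Defender) is an added assumption.
SECURITY_PROCESSES = {"avp.exe", "msmpeng.exe"}
# Assumption: inbound allow rules for these ports are routine and not alerted on.
EXPECTED_INBOUND_PORTS = {"135", "139", "445", "3389"}


def parse_netsh_rule(cmdline: str) -> Optional[dict]:
    """Return the key=value pairs of a 'netsh advfirewall firewall add rule' command, or None."""
    if "advfirewall firewall add rule" not in re.sub(r"\s+", " ", cmdline.lower()):
        return None
    return {k.lower(): v.strip('"') for k, v in NETSH_KV_RE.findall(cmdline)}


def detect(event: dict) -> list:
    host, cmd, image = event["host"], event["cmdline"], event["image"].lower()
    hits = []
    m = NET_DOMAIN_RE.search(cmd)
    if m:
        tid = "T1087.002" if m.group(1).lower() == "user" else "T1069.002"
        hits.append(Hit(host, tid, f"domain enumeration via net: {cmd}"))
    rule = parse_netsh_rule(cmd)
    if rule and rule.get("dir", "").lower() == "in" and rule.get("action", "").lower() == "allow":
        port = rule.get("localport", "any")
        if port not in EXPECTED_INBOUND_PORTS:  # new listener being exposed, as before the backdoor ran
            hits.append(Hit(host, "T1562.004",
                            f"inbound {rule.get('protocol', '?')}/{port} allowed: {rule.get('name')}"))
    if "powershell" in cmd.lower() and PS_HIDDEN_RE.search(cmd):
        hits.append(Hit(host, "T1564.003", "PowerShell launched with a hidden window"))
    m = WMIC_PROC_RE.search(cmd)
    if m and m.group(1).lower() in SECURITY_PROCESSES:
        hits.append(Hit(host, "T1518.001", f"probe for security process {m.group(1)}"))
    if image.endswith(("xcopy.exe", "robocopy.exe")) and UNC_DEST_RE.search(cmd):
        hits.append(Hit(host, "T1074.002", f"copy to remote share: {cmd}"))
    return hits


def scan(events) -> list:
    return [h for e in events for h in detect(e)]


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.host:6} {h.technique:10} {h.note}")
```

The firewall rule is parsed into fields rather than matched as a string so that the decision rests on what the rule does (inbound, allow, unexpected local port) and not on the rule name, which an operator can change freely; the benign outbound rule in the sample set is not flagged for that reason. Run over real 4688 or Sysmon exports, the `net` and `wmic` patterns will also fire on administrators, so these hits are triage signals to be correlated with the scheduled task, xcopy and Dropbox activity described above, not standalone alerts.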

Software

ID Name References Techniques
S1100 Ninja (Citation: Kaspersky ToddyCat June 2022) Encrypted/Encoded File, Non-Application Layer Protocol, Match Legitimate Name or Location, System Network Configuration Discovery, Spearphishing via Service, Malicious File, File and Directory Discovery, Native API, Symmetric Cryptography, Scheduled Transfer, DLL Side-Loading, System Information Discovery, Deobfuscate/Decode Files or Information, Data Obfuscation, Multi-hop Proxy, Environmental Keying, Internal Proxy, Rundll32, Process Injection, Windows Service, Process Discovery, Protocol or Service Impersonation, Web Protocols, Timestomp, Inter-Process Communication, Non-Standard Encoding
S0039 Net (Citation: Kaspersky ToddyCat Check Logs October 2023) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares
S1101 LoFiSe (Citation: Kaspersky ToddyCat Check Logs October 2023) Archive Collected Data, File and Directory Discovery, DLL Side-Loading, Local Data Staging, Data from Local System, Automated Collection
S0104 netstat (Citation: Kaspersky ToddyCat Check Logs October 2023) (Citation: TechNet Netstat) System Network Connections Discovery
S0020 China Chopper (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018) (Citation: Kaspersky ToddyCat June 2022) (Citation: Lee 2013) (Citation: Rapid7 HAFNIUM Mar 2021) Password Guessing, Data from Local System, Software Packing, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Network Service Discovery, Timestomp, Web Shell, File and Directory Discovery
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: Kaspersky ToddyCat Check Logs October 2023) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol or Service Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Process Injection, System Service Discovery, Timestomp, SSH, File and Directory Discovery, DNS, Security Account Manager, Local Groups, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Network Share Discovery, Asymmetric Cryptography, Windows Command Shell, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Windows Management Instrumentation, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, SMB/Windows Admin Shares, Rundll32, File Transfer Protocols, Make and Impersonate Token, Exploitation for Client Execution, Custom Command and Control Protocol, Office Template Macros, Obfuscated Files or Information
S1099 Samurai (Citation: Kaspersky ToddyCat June 2022) Ingress Tool Transfer, Non-Application Layer Protocol, Windows Service, Symmetric Cryptography, File and Directory Discovery, Modify Registry, Compile After Delivery, Standard Encoding, Query Registry, Match Legitimate Name or Location, Proxy, Windows Command Shell, Web Protocols, Dynamic API Resolution, Obfuscated Files or Information, Native API, Data from Local System, Software Discovery
S0097 Ping (Citation: Kaspersky ToddyCat Check Logs October 2023) (Citation: TechNet Ping) Remote System Discovery
S1102 Pcexter (Citation: Kaspersky ToddyCat Check Logs October 2023) File and Directory Discovery, Exfiltration to Cloud Storage, DLL Side-Loading, Data from Local System
