"New ToddyCat APT targets MS Exchange servers in Europe, Asia"

Security researchers at Kaspersky have discovered a new advanced persistent threat (APT) targeting Microsoft Exchange servers in Europe and Asia. Dubbed ToddyCat, the APT actor uses two previously unknown tools that Kaspersky named the 'Samurai backdoor' and the 'Ninja Trojan.'

The researchers stated that ToddyCat first started its activities in December 2020, compromising selected Exchange servers in Taiwan and Vietnam via an unknown exploit that ultimately led to the execution of the passive backdoor Samurai. During this first period, between December 2020 and February 2021, the group targeted a very limited number of servers in Taiwan and Vietnam belonging to three organizations. From February 26 until early March, the researchers observed a quick escalation, with the attacker abusing the ProxyLogon vulnerability to compromise multiple organizations across Europe and Asia. Kaspersky's telemetry on the affected organizations, both governmental and military, suggests that ToddyCat is "focused on very high-profile targets and is probably used to achieve critical goals, likely related to geopolitical interests."

The researchers noted that while the first wave of attacks exclusively targeted Microsoft Exchange servers via the Samurai backdoor, some of these attacks also saw the deployment of another sophisticated malicious program: Ninja. This tool is probably a component of an unknown post-exploitation toolkit used exclusively by ToddyCat. Ninja appears to be a collaborative tool that allows multiple operators to work on the same machine simultaneously, and it provides a large set of commands that let attackers control remote systems, avoid detection, and penetrate deep inside a targeted network. Some of these commands, akin to those provided by other notorious post-exploitation toolkits, include the ability to control the HTTP indicators and camouflage malicious traffic inside HTTP requests. The researchers concluded that ToddyCat is a sophisticated APT group that uses multiple techniques to avoid detection and thereby keeps a low profile.


Infosecurity reports: "New ToddyCat APT targets MS Exchange servers in Europe, Asia"
