While ToddyCat has been active since at least 2020, usually sticking to stealing browser cookies and credentials, this shift toward siphoning whole Outlook archives marks a major escalation in its playbook. The group previously targeted high-profile organizations in Asia and Europe by breaking into internet-facing Microsoft Exchange servers.
From browsers to domain controllers
In incidents observed between May and June 2024, Kaspersky reported detecting a new version of the ToddyCat toolkit "TomBerBill," written in PowerShell and running directly from domain controllers under privileged user accounts.
This update expanded the scope of the attack from targeting Chrome and Edge to include Firefox browser data. The script used a scheduled "run" task, created a local directory, and then reached out over SMB to connect to user host directories across the network. Once connected, it copied browser files (cookies, saved credentials, history, etc.) for offline analysis.
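As an added illustration, not part of the original report or of ToddyCat's tooling, the following Python, written from the defender's side, scans a constructed and simplified export of Windows Security event 5145 (detailed file-share access) for one source host reading the browser cookie and credential stores of several different users over an admin share, which is the collection pattern described above. The flattened log format and all sample values are assumptions; the browser store paths are the well-known default locations.

```python
import re
from collections import defaultdict

# Default on-disk locations of browser cookie/credential/history stores,
# relative to a user's profile directory (matched case-insensitively).
BROWSER_STORES = [
    r"AppData\\Local\\Google\\Chrome\\User Data\\.*\\(Cookies|Login Data|History)$",
    r"AppData\\Local\\Microsoft\\Edge\\User Data\\.*\\(Cookies|Login Data|History)$",
    r"AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.*\\(cookies\.sqlite|logins\.json|places\.sqlite|key4\.db)$",
]
STORE_RE = re.compile("|".join(BROWSER_STORES), re.IGNORECASE)

# Constructed sample: event 5145 records flattened to key=value pairs separated
# by '|' (hypothetical export format). One privileged account on 10.0.0.5 reads
# the stores of three different users; the other lines are benign noise.
SAMPLE_LOG = r"""
EventID=5145|SubjectUserName=svc_backup|IpAddress=10.0.0.5|ShareName=\\*\C$|RelativeTargetName=Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
EventID=5145|SubjectUserName=svc_backup|IpAddress=10.0.0.5|ShareName=\\*\C$|RelativeTargetName=Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2.default\cookies.sqlite
EventID=5145|SubjectUserName=svc_backup|IpAddress=10.0.0.5|ShareName=\\*\C$|RelativeTargetName=Users\carol\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
EventID=5145|SubjectUserName=alice|IpAddress=10.0.0.23|ShareName=\\*\C$|RelativeTargetName=Users\alice\Documents\report.docx
EventID=5140|SubjectUserName=bob|IpAddress=10.0.0.24|ShareName=\\*\C$|RelativeTargetName=
"""

def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def is_browser_store_read(ev):
    """True when a 5145 event targets a known browser cookie/credential store."""
    return ev.get("EventID") == "5145" and STORE_RE.search(ev.get("RelativeTargetName", "")) is not None

def find_collectors(lines, min_victims=2):
    """Return {source_ip: sorted victim usernames} for every source that reached
    the browser stores of at least `min_victims` distinct users over SMB.
    One host touching many users' profiles is the cross-network collection
    pattern to alert on; a user reading their own profile is ignored."""
    victims = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if not is_browser_store_read(ev):
            continue
        owner = re.match(r"Users\\([^\\]+)\\", ev["RelativeTargetName"], re.IGNORECASE)
        if owner and owner.group(1).lower() != ev.get("SubjectUserName", "").lower():
            victims[ev["IpAddress"]].add(owner.group(1).lower())
    return {ip: sorted(users) for ip, users in victims.items() if len(users) >= min_victims}

if __name__ == "__main__":
    print(find_collectors(SAMPLE_LOG.splitlines()))
```

Such reads arriving from a domain controller's address, or under a privileged account that has no business on workstations, are the cases worth escalating first.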