The menace actor often called ToddyCat has been noticed adopting new strategies to acquire entry to company e-mail information belonging to focus on firms, together with utilizing a customized instrument dubbed TCSectorCopy.
“This assault permits them to acquire tokens for the OAuth 2.0 authorization protocol utilizing the person’s browser, which can be utilized outdoors the perimeter of the compromised infrastructure to entry company mail,” Kaspersky stated in a technical breakdown.
ToddyCat, assessed to be lively since 2020, has a observe file of focusing on numerous organizations in Europe and Asia with numerous instruments, Samurai and TomBerBil to retain entry and steal cookies and credentials from net browsers like Google Chrome and Microsoft Edge.
Earlier this April, the hacking group was attributed to the exploitation of a security flaw in ESET Command Line Scanner (CVE-2024-11859, CVSS rating: 6.8) to ship a beforehand undocumented malware codenamed TCESB.
Kaspersky stated it detected a PowerShell variant of TomBerBil (versus C++ and C# variations flagged earlier than) in assaults that happened between Could and June 2024, which comes with capabilities to extract information from Mozilla Firefox. A notable characteristic of this model is that it runs on area controllers from a privileged person and might entry browser recordsdata through shared community sources utilizing the SMB protocol.
The malware, the corporate added, was launched via a scheduled job that executed a PowerShell command. Particularly, it searches for browser historical past, cookies, and saved credentials within the distant host over SMB. Whereas the copied recordsdata containing the data are encrypted utilizing the Home windows Data Safety API (DPAPI), TomBerBil is provided to seize the encryption key essential to decrypt the information.
“The earlier model of TomBerBil ran on the host and copied the person token. Consequently, DPAPI was used to decrypt the grasp key within the person’s present session, and subsequently the recordsdata themselves,” researchers stated. “Within the newer server model, TomBerBil copies recordsdata containing person encryption keys which are utilized by DPAPI. Utilizing these keys, in addition to the person’s SID and password, attackers can decrypt all copied recordsdata domestically.”
The menace actors have additionally been discovered to entry company emails saved in native Microsoft Outlook storage within the type of OST (quick for Offline Storage Desk) recordsdata utilizing TCSectorCopy (“xCopy.exe”), bypassing restrictions that restrict entry to such recordsdata when the applying is working.
Written in C++, TCSectorCopy accepts as enter a file to be copied (on this case, OST recordsdata) after which proceeds to open the disk as a read-only gadget and sequentially copy the file contents sector by sector. As soon as the OST recordsdata are written to a path of the attacker’s selecting, the contents of the digital correspondence are extracted utilizing XstReader, an open-source viewer for Outlook OST and PST recordsdata.
One other tactic adopted by ToddyCat entails efforts to acquire entry tokens straight from reminiscence in circumstances the place sufferer organizations used the Microsoft 365 cloud service. The JSON net tokens (JWTs) are obtained by an open-source C# instrument named SharpTokenFinder, which enumerates Microsoft 365 purposes for plain textual content authentication tokens.
However the menace actor is claimed to have confronted a setback in no less than one investigated incident after security software program put in on the system blocked SharpTokenFinder’s try and dump the Outlook.exe course of. To get round this restriction, the operator used the ProcDump instrument from the Sysinternals bundle with particular arguments to take a reminiscence dump of the Outlook course of.
“The ToddyCat APT group is consistently creating its methods and searching for those who would cover exercise to realize entry to company correspondence throughout the compromised infrastructure,” Kaspersky stated.
