ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Thailand: House of Representatives’ Website Hacked, Cyber Attack Investigation Underway

    October 16, 2023

    The House of Representatives’ website fell victim to a cyber attack on Sunday, October 15, 2023. The hackers, who go by the name 3MUSKETEERZ, managed to breach the website’s security and display a picture of a troll in the photo journal section. Additionally, the perpetrators altered the press releases and committee schedules featured on the site. ...

  • Understanding DNS Tunneling Traffic in the Wild

    October 13, 2023

    Palo Alto Unit 42 researchers present a study on why and how domain name system (DNS) tunneling techniques are used in the wild. Motivated by their findings, they present a system to automatically attribute tunneling domains to tools and campaigns. Attackers adopt DNS tunneling techniques to bypass security policies in enterprise networks because most enterprises ...

  • curl SOCKS5 heap overflow vulnerability

    October 13, 2023

    Client URL, or curl, and its library version libcurl are one of the most popular and integrated command line tools for data transfer. They support a wide range of protocols such as HTTP, HTTPS, SMTP and FTP and enable the user to make requests to a URL while handling all standard components of requests such ...

  • Cyber attack targets Medical Aid for Palestinians’ website amid Israel-Hamas conflict

    October 13, 2023

    In the midst of the ongoing conflict between Israel and Hamas, the Medical Aid for Palestinians organisation has reported a cyber attack on their website, which has disrupted their relief efforts for Gaza. They have also issued a warning that their website may go offline due to these disruptions. Taking to X (formerly Twitter), they posted ...

  • Update now! Atlassian Confluence vulnerability is being actively exploited

    October 12, 2023

    Microsoft Threat Intelligence has revealed that it has been tracking the active exploitation of a vulnerability in Atlassian Confluence software since September 14, 2023. At the time the attacks were first observed the vulnerability was a zero-day, meaning that no update was available, so defenders had “zero days” to patch the flaw. The vulnerability has since ...

  • Akira ransomware overview

    October 12, 2023

    Akira is a relatively new ransomware variant with Windows and Linux versions that came out in April 2023. Like many attackers, the gang behind this variant only uses the ransomware to encrypt files after first breaking into a network and stealing data. This group also employs a double extortion tactic, demanding a ransom from victims ...