ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Cook EBITDA slumps £2m following Christmas 2021 cyber-attack

    January 4, 2023

    A cyber-attack in December 2021 wiped an estimated £2m from Cook’s EBITDA, according to its latest financial results. The attack ground manufacturing systems at its Sittingbourne site to a halt and prevented Cook from making and delivering food. Consequently, the business was forced to shut down its website in the lead-up to Christmas, its busiest period of ...

  • Hackers abuse Windows error reporting tool to deploy malware

    January 4, 2023

    Hackers are abusing the Windows Problem Reporting (WerFault.exe) error reporting tool for Windows to load malware into a compromised system’s memory using a DLL sideloading technique. The use of this Windows executable is to stealthy infect devices without raising any alarms on the breached system by launching the malware through a legitimate Windows executable. The new campaign ...

  • Rackspace confirms Play ransomware was behind recent cyberattack

    January 4, 2023

    Texas-based cloud computing provider Rackspace has confirmed that the Play ransomware operation was behind a recent cyberattack that took down the company’s hosted Microsoft Exchange environments. This follows a report last month by cybersecurity firm Crowdstrike, which detailed a new exploit used by the ransomware group to compromise Microsoft Exchange servers and gain access to a ...

  • Cyber attack leaves six North Carolina counties locked out of their online records

    December 30, 2022

    They’re responsible for keeping and protecting your most important records, but Thursday, a company that works with local governments across North Carolina has been paralyzed by a cyber attack with no end in sight. Cott Systems said they work with 300 local offices in 21 states, but right now that work is on hold and local ...

  • LockBit ransomware claims attack on Port of Lisbon in Portugal

    December 30, 2022

    A cyberattack hitting the Port of Lisbon Administration (APL), the third-largest port in Portugal, on Christmas day, has been claimed by the LockBit ransomware gang. The Port of Lisbon is part of the critical infrastructure in Portugal’s capital city, being one of the most accessed ports in Europe, due to its strategic location, and serving container ...

  • Canadian mining firm shuts down mill after ransomware attack

    December 30, 2022

    The Canadian Copper Mountain Mining Corporation (CMMC) in British Columbia has announced that it was the target of a ransomware attack that impacted its operations. CMMC, partly owned by Mitsubishi Materials Corporation, is an 18,000-acre claim that produces an average of 100 million pounds of copper per year and has an estimated mineral reserve capacity for ...