ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Capitol attack’s cybersecurity fallout: Stolen laptops, lost data and possible espionage

    January 11, 2021

    When hostile actors penetrated the Capitol Building on January 6, they gained access to individual chambers and offices and remained at large within the Capitol complex for well over two hours. We have reports that items were stolen. One report comes from acting US Attorney for DC, Michael Sherwin, who stated “items, electronic items were stolen ...

  • Malicious Shell Script Steals AWS, Docker Credentials

    January 8, 2021

    We recently spotted new attacks where, again, threat actors used shell scripts to perform their malicious activities. Based on previous attacks, these malicious scripts were typically used to deploy cryptocurrency miners. But recent cases involving these fresh samples highlighted how the scripts are developed, as they now serve other purposes besides being downloaders for cryptominers. Based ...

  • Investigation launched into vulnerabilities found within US Judiciary case file system

    January 8, 2021

    The United States Judiciary has announced an audit into its systems, following concerns its case file system has been compromised. In making the announcement, the Judiciary said the Administrative Office of the US Courts was working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files ...

  • Nissan NA source code leaked due to default admin:admin credentials

    January 8, 2021

    Multiple code repositories from Nissan North America became public this week after the company left an exposed Git server protected with default access credentials. The entire collection is around 20 gigabytes large and contains source code for mobile apps and various tools used by Nissan internally for diagnostics, client acquisition, market research, or NissanConnect services. It is ...

  • Nvidia releases security update for high-severity graphics driver vulnerabilities

    January 8, 2021

    Nvidia has released a round of security fixes tackling high-severity issues in the Nvidia GPU display driver and vGPU software. Released on Thursday, the technology giant said the patches deal with issues that “may lead to denial of service, escalation of privileges, data tampering, or information disclosure.” In total, Nvidia has resolved 16 vulnerabilities linked to the ...

  • Adversary Infrastructure Report 2020: A Defender’s View

    January 8, 2021

    Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware frameworks, and open-source remote access trojans. The effort has been ongoing since 2017, when Insikt Group created methodologies to identify the deployments of open-source remote access trojans (RATs). Recorded Future collected over 10,000 unique command and control ...