ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Wormable Apple iCloud Bug Allows Automatic Photo Theft

    October 9, 2020

    A group of ethical hackers cracked open Apple’s infrastructure and systems and, over the course of three months, discovered 55 vulnerabilities, a number of which would have given attackers complete control over customer and employee applications. Of note, a critical, wormable iCloud account takeover bug would allow attackers to automatically steal all of a victim’s documents, ...

  • Fitbit Spyware Steals Personal Data via Watch Face

    October 9, 2020

    A wide-open app-building API would allow an attacker to build a malicious application that could access Fitbit user data, and send it to any server. Kev Breen, director of cyber threat research for Immersive Labs, created a proof-of-concept for just that scenario, after realizing that Fitbit devices are loaded with sensitive personal data. “Essentially, ...

  • ZeroLogon: Ransomware gang now using critical Windows flaw in attacks

    October 9, 2020

    Microsoft is warning that cybercriminals have started to incorporate exploit code for the ZeroLogon vulnerability in their attacks. The alert comes after the company noticed ongoing attacks from cyber-espionage group MuddyWater (SeedWorm) in the second half of September. This time, the threat actor is TA505, an adversary who is indiscriminate about the victims it attacks, with ...

  • MontysThree: Industrial espionage with steganography and a Russian accent on both sides

    October 8, 2020

    In summer 2020 we uncovered a previously unknown multi-module C++ toolset used in highly targeted industrial espionage attacks dating back to 2018. Initially the reason for our interest in this malware was its rarity, the obviously targeted nature of the campaign and the fact that there are no obvious similarities with already known campaigns at ...

  • HEH P2P Botnet Sports Dangerous Wiper Function

    October 8, 2020

    A freshly discovered botnet dubbed HEH by researchers is casting a wide net, looking to infect any and all devices that use Telnet on ports 23/2323. It’s particularly destructive: It contains code that wipes all data from infected systems. Perhaps ironically, its operators also have a penchant for civil advocacy – a loading of the Universal ...

  • PoetRAT Resurfaces in Attacks in Azerbaijan Amid Escalating Conflict

    October 8, 2020

    A new iteration of the PoetRAT spyware, sporting improvements to operational security, code efficiency and obfuscation, is making the rounds in Azerbaijan, targeting the public sector and other key organizations as the country’s conflict with Armenia over disputed territory intensifies. Threat intelligence researchers have observed multiple new strikes using the malware that show a “change in ...