Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.
The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.
Read more…
Source: Kaspersky
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Mispadu Banking Trojan Resurfaces
September 22, 2020
Recent spam campaigns leading to URSA/Mispadu banking trojan (detected by Trend Micro as TrojanSpy.Win32.MISPADU.THIADBO) have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages. It is ...
- Healthcare lags behind in critical vulnerability management, banks hold their ground
September 22, 2020
Vulnerability management is a key component of modern strategies to combat cyberattackers, but which industries perform well in this area? The general public faces phishing attempts, spam, malvertising, and more in their daily lives. However, in the business realm, successfully targeting major companies — including banks, industrial giants, and medical facilities — can be far more ...
- CISA warns of notable increase in LokiBot malware
September 22, 2020
The US government’s cyber-security agency has issued a security advisory today warning federal agencies and the private sector about “a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020.” The Cybersecurity and Infrastructure Security Agency (CISA) said that its in-house security platform (the EINSTEIN Intrusion Detection System) has detected persistent ...
- Russian hackers use fake NATO training docs to breach govt networks
September 22, 2020
A Russian hacker group known by names, APT28, Fancy Bear, Sofacy, Sednit, and STRONTIUM, is behind a targeted attack campaign aimed at government bodies. The group delivered a hard-to-detect strand of Zebrocy Delphi malware under the pretense of providing NATO training materials. Researchers further inspected the files containing the payload and discovered these impersonated JPG files showing ...
- Fileless Malware Tops Critical Endpoint Threats for 1H 2020
September 21, 2020
In the first half of 2020, the most common critical-severity cybersecurity threat to endpoints was fileless malware, according to a recent analysis of telemetry data from Cisco. Fileless threats consist of malicious code that runs in memory after initial infection, instead of files being stored on the hard drive. Cisco flagged threats like Kovter, Poweliks, Divergent ...
- Member of ‘The Dark Overlord’ hacking group sentenced to five years in prison
September 21, 2020
A UK national pleaded guilty today to extorting tens of companies across the world as a member of an infamous hacking group known as The Dark Overlord (TDO). Nathan Francis Wyatt, 39, was sentenced to five years in prison and ordered to pay $1,467,048 in restitution to victims. According to court documents, Wyatt was part of the ...

