ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Introducing Loda Malware

    February 10, 2020

    Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name ‘Loda’ is derived from a directory to which the malware author chose to write keylogger logs (Figure 14). It should be noted that some ...

  • Leaked Code from Docker Registries

    February 7, 2020

    The Unit 42 Cloud Threat Report: Spring 2020 focused on the practices of DevOps to determine where misconfigurations are happening in the cloud. Our research found a large number of DevOps services (e.g., SSH, Database, Code Repository) inadvertently exposed to the internet due to misconfigured infrastructure. This blog offers a detailed analysis of leaked code from Docker ...

  • Happy New Fear! Gift-wrapped spam and phishing

    February 7, 2020

    In the run-up to Christmas and New Year, scam е-mails mentioning easy pickings, lottery winnings, and other cash surprises are especially popular. All the more so given how simple it is to adapt existing schemes simply by mentioning the holiday in the subject line. For example, one scam е-mail with the subject line “Xsmas gift” or ...

  • Researchers Use Smart Light Bulbs to Infiltrate Networks

    February 6, 2020

    Researchers successfully infiltrated networks through a vulnerability in Philips Hue light bulbs. The CVE-2020-6007 vulnerability, which involves the ZigBee communication protocol, can be abused to remotely install malicious firmware in smart light bulbs and spread malware to other internet-of-things (IoT) devices. To make the discovery, Check Point researchers built on earlier studies that showed how to control smart light bulbs. The new finding focused ...

  • Bouygues Construction falls victim to ransomware

    February 5, 2020

    Bouygues Construction has confirmed falling victim to ransomware that it detected across its network on January 30. “As a precautionary measure, information systems have been shut down to prevent any propagation,” the company said in a brief statement. “Our teams are currently fully focused on returning to normal as quickly as possible, with the support of experts. “Installations are ...

  • SORA and UNSTABLE: 2 Mirai Variants Target Video Surveillance Storage Systems

    February 5, 2020

    Trend Micro researchers encountered two variants of the notorious internet of things (IoT) malware, Mirai, employing a new propagation method. The two variants, namely SORA (detected as IoT.Linux.MIRAI.DLEU) and UNSTABLE (detected as IoT.Linux.MIRAI.DLEV), gain entry through Rasilient PixelStor5000 video surveillance storage systems by exploiting CVE-2020-6756. Mirai is a type of malware that actively searches for IoT devices with vulnerabilities, infects them, and turns ...