ToddyCat: your hidden email assistant. Part 2


Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Read more…
Source: Kaspersky


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • EKANS Ransomware and ICS Operations

    February 3, 2020

    EKANS ransomware emerged in mid-December 2019, and Dragos published a private report to Dragos WorldView Threat Intelligence customers early January 2020. While relatively straightforward as a ransomware sample in terms of encrypting files and displaying a ransom note, EKANS featured additional functionality to forcibly stop a number of processes, including multiple items related to ICS ...

  • Threat Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations

    February 3, 2020

    On September 10, 2019, we observed unknown threat actors exploiting a vulnerability in SharePoint described in CVE-2019-0604 to install several webshells on the website of a Middle East government organization. One of these webshells is the open source AntSword webshell freely available on Github, which is remarkably similar to the infamous China Chopper webshell. On January 10, 2020, we ...

  • Matters of Life and Death: Cyber Security and Medical Devices

    February 3, 2020

    Concerns about the vulnerabilities of medical devices to cyber attacks are spurring a new focus on the need to protect patient safety, data and hospital systems It’s a scenario right out of a Hollywood blockbuster. Without a word of warning, medical devices regulating everything from heartbeat to insulin levels across a hospital system begin behaving erratically ...

  • Hackers are hijacking smart building access systems to launch DDoS attacks

    February 2, 2020

    Hackers are actively searching the internet and hijacking smart door/building access control systems, which they are using to launch DDoS attacks, according to firewall company SonicWall. The attacks are targeting Linear eMerge E3, a product of Nortek Security & Control (NSC). Linear eMerge E3 devices fall in the hardware category of “access control systems.” They are ...

  • Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D

    January 31, 2020

    Dynamic-link library (DLL) side-loading occurs when Windows Side-by-Side (WinSxS) manifests are not explicit about the characteristics of DLLs being loaded by a program. In layman’s terms, DLL side-loading can allow an attacker to trick a program into loading a malicious DLL. If you are interested in learning more about how DLL side-loading works and how we see attackers using ...

  • Emotet Uses Coronavirus Scare in Latest Campaign, Targets Japan

    January 31, 2020

    Threat actors behind the Emotet malware used the novel coronavirus (2019-nCoV) scare as a hook for their spam email campaign against targets in Japan. 2019-nCoV, which is believed to have originated in Wuhan, China, in the past month, has caused hundreds of deaths and thousands of confirmed cases in China alone. The virus has already spread to ...