ToddyCat: your hidden email assistant. Part 2


Kaspersky continues to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.

The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.

Source: Kaspersky



