Kaspersky continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, they examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods Kaspersky described previously are effectively detected by EPP and EDR solutions.
The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack and managed to remain undetected by monitoring systems.
Read more…
Source: Kaspersky
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Old-school cruel: Dodgy PDF email attachments enjoying a renaissance
April 19, 2019
The last few months have seen a big increase in malware attacks using PDF email attachments, according to security firm SonicWall. “Increasingly, email, Office documents and now PDFs are the vehicle of choice for malware and fraud in the cyber landscape,” said the outfit’s Bill Conner. There’s nothing new in this, of course, but many recent attacks ...
- Potential Targeted Attack Uses AutoHotkey and Malicious Script Embedded in Excel File to Avoid Detection
April 17, 2019
Trend Micro discovered a potential targeted attack that makes use of legitimate script engine AutoHotkey, in combination with malicious script files. This file is distributed as an email attachment and disguised as a legitimate document with the filename “Military Financing.xlsm.” The user would need to enable macro for it to open fully, which would use ...
- Source code of Iranian cyber-espionage tools leaked on Telegram
April 17, 2019
In an incident reminiscent of the Shadow Brokers leak that exposed the NSA’s hacking tools, someone has now published similar hacking tools belonging to one of Iran’s elite cyber-espionage units, known as APT34, Oilrig, or HelixKitten. The hacking tools are nowhere near as sophisticated as the NSA tools leaked in 2017, but they are dangerous nevertheless. The tools have been ...
- Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking Communities
April 16, 2019
Each country’s hackers are unique, with their own codes of conduct, forums, motives and payment methods. Recorded Future’s Portuguese-speaking analysts, with a long-standing background in the Brazilian underground, have analyzed underground markets and forums tailored to the Brazilian Portuguese audience over the past decade and discovered a number of particularities in content hosted on forums, ...
- Malspam Campaigns Distribute HawkEye Keylogger, Post Ownership Change
April 16, 2019
After the HawkEye malware kit underwent an ownership change and new development, researchers are spotting the keylogger used in several malicious email campaigns. The HawkEye malware kit and information-stealer has been spotted in a newfound slew of campaigns after a recent ownership change. While the keylogger has been in continuous development since 2013, in December a thread ...
- Scranos: New Rapidly Evolving Rootkit-Enabled Spyware Discovered
April 16, 2019
A new powerful rootkit-enabled spyware operation has been discovered wherein hackers are distributing multifunctional malware disguised as cracked software or trojanized app posing as legitimate software like video players, drivers and even anti-virus products. While the rootkit malware—dubbed Scranos—which was first discovered late last year, still appears to be a work in progress, it is continuously evolving, ...

