| Category | Details |
|---|---|
| Threat Actors | ToddyCat (APT group) |
| Campaign Overview | Attackers target governmental organizations, some defense-related, in the Asia-Pacific region to steal sensitive data. |
| Target Regions (Victims) | Asia-Pacific region, primarily governmental and defense organizations. |
| Methodology | Attackers maintain access using traffic tunneling techniques such as Reverse SSH Tunnel, SoftEther VPN, Ngrok, and FRP client. |
| Product Targeted | Governmental and defense-related organizations' systems. |
| Malware Reference | LoFiSe, PcExter, PsExec, Impacket, SoftEther VPN, Ngrok, Krong, FRP client |
| Tools Used | PsExec, Impacket, OpenSSH for Windows, SoftEther VPN, Ngrok, Krong, FRP, curl, SMB, Task Scheduler, Command Prompt |
| Vulnerabilities Exploited | SMB/Windows Admin Shares (T1021.002), DLL Side-Loading (T1574.002), remote execution, tunneling techniques. |
| TTPs | Use of tunneling tools for persistent access, exfiltration of data, use of legitimate cloud infrastructure (Ngrok), and DLL side-loading (Krong). |
| Attribution | No direct attribution provided, but the APT group is called ToddyCat. |
| Recommendations | Secure SMB shares, detect and block tunneling activities, monitor for unusual scheduled tasks and command-line activity. |
| Source | Securelist by Kaspersky |
Disclaimer: The above summary has been generated by an AI language model.