April 23, 2024
Severity
High
Analysis Summary
The ToddyCat threat actor has been observed using a variety of methods to access compromised systems and steal sensitive information.
According to cybersecurity researchers, the adversary uses several tools to gather data on an industrial scale from state institutions in the Asia-Pacific region, some of them tied to defense. To collect such volumes of data from many hosts, the threat actors automate the harvesting process as far as possible and keep fallback channels for persistent access to, and monitoring of, the systems they target.
The researchers first identified ToddyCat in June 2022, while investigating a string of cyberattacks that began no later than December 2020 and were directed at military and governmental targets in Europe and Asia. Those attacks used Samurai, a passive backdoor that permits remote access to the compromised system.
Since then, closer inspection of the threat actor's tradecraft has uncovered further data exfiltration tools, such as LoFiSe and Pcexter, which harvest data and upload archive files to Microsoft OneDrive. The most recent set of malware consists of a variety of data collection and tunneling tools that are deployed once the attacker has gained access to privileged user accounts within the compromised system, including TomBerBil, WAExp, Cuthead, the FRP client, SoftEther VPN, a reverse SSH tunnel using OpenSSH, Ngrok, and Krong.

The threat actors actively hide their presence in the system by circumventing countermeasures. To safeguard the organization's infrastructure, it is recommended to add the resources and IP addresses of cloud services that offer traffic tunneling to the firewall deny list. Additionally, since saved passwords give attackers access to private data, users should be prevented from storing passwords.
Impact
- Sensitive Data Theft
- Cyber Espionage
- Security Bypass
- Credential Theft
Indicators of Compromise
IP
- 103.27.202.85
- 118.193.40.42
MD5
- 4a79a8b1f6978862ecfa71b55066aadd
- 9dc7237ac63d552270c5ca27960168c3
SHA-256
- ff7c79649da193cf16f5100a4b924b1e28ea684a5012a229ed65ca4900613bd7
- 370d3b2ac96306a83cc49f1c5929a0badbeb2459d966046d88bc38709fb0245f
SHA-1
- 6a4a90a21061e3499e2cd61a16534924c7bab200
- c9eea274813603cb2686ac902383352384312319
URL
- http://www.netportal.or.kr/common/css/main.js
- http://www.netportal.or.kr/common/css/ham.js
- http://23.106.122.5/hamcore.se2
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Develop and regularly update an incident response plan to ensure a coordinated and efficient response in the event of a cyberattack.
- Implement robust email filtering solutions to detect and filter out phishing emails.
- Utilize anti-phishing tools that can identify and block suspicious email attachments.
- Keep software and operating systems up-to-date to address vulnerabilities that attackers may exploit.
- Segment your network to limit lateral movement for threat actors. Isolate sensitive systems from less critical ones.
- Implement the principle of least privilege (PoLP) to restrict user and system access to only what is necessary for their roles. This limits the potential impact of a breach.
- Deploy EDR solutions that can detect and respond to suspicious or malicious activities on endpoints, including DLL side-loading and other indicators of compromise.
- Maintain detailed logs of network and system activities. Continuously monitor for any anomalies or suspicious behavior.
- Employ intrusion detection and prevention systems (IDS/IPS) to identify and block malicious network traffic.
- Regularly analyze and update defenses against command-and-control (C2) infrastructure changes.
- Ensure strong access control policies and mechanisms are in place to restrict access to critical systems and data.
- Regularly back up critical data and systems, and store backups offline.
- Conduct regular security audits and assessments to identify and rectify vulnerabilities.
- Apply patches promptly to address known vulnerabilities and reduce the attack surface.
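As an added example (not part of the original advisory), the following Python script performs the "search for IOCs in your environment" step above using the indicators listed in this advisory: it scans log lines for the listed IPs, file hashes and URLs, and additionally reports a lower-confidence "host" match when a request goes to one of the listed URL hosts with a different path. The log lines are constructed samples, and the log format is an assumption.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the advisory above (hashes compared case-insensitively).
IOC_IPS = {"103.27.202.85", "118.193.40.42"}
IOC_HASHES = {
    "4a79a8b1f6978862ecfa71b55066aadd", "9dc7237ac63d552270c5ca27960168c3",
    "6a4a90a21061e3499e2cd61a16534924c7bab200",
    "c9eea274813603cb2686ac902383352384312319",
    "ff7c79649da193cf16f5100a4b924b1e28ea684a5012a229ed65ca4900613bd7",
    "370d3b2ac96306a83cc49f1c5929a0badbeb2459d966046d88bc38709fb0245f",
}
IOC_URLS = {
    "http://www.netportal.or.kr/common/css/main.js",
    "http://www.netportal.or.kr/common/css/ham.js",
    "http://23.106.122.5/hamcore.se2",
}
# Hosts derived from the URL indicators: a request to the same host with a
# different path is reported as a lower-confidence "host" match.
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})\b")
URL_RE = re.compile(r"https?://[^\s\"']+")

def scan_line(line):
    """Return (ioc_type, value) pairs for every advisory indicator in one log line."""
    hits = []
    for url in (u.rstrip(".,;)") for u in URL_RE.findall(line)):
        if url in IOC_URLS:
            hits.append(("url", url))
        elif urlparse(url).hostname in IOC_HOSTS:
            hits.append(("host", urlparse(url).hostname))
    hits += [("ip", ip) for ip in IPV4_RE.findall(line) if ip in IOC_IPS]
    hits += [("hash", h.lower()) for h in HASH_RE.findall(line) if h.lower() in IOC_HASHES]
    return hits

def scan_logs(lines):
    """Map 1-based line numbers to their hits; lines with no match are omitted."""
    return {n: h for n, line in enumerate(lines, 1) if (h := scan_line(line))}

# Constructed sample proxy/firewall/EDR lines, not real telemetry.
SAMPLE_LOGS = [
    "2024-04-23T10:01:02Z proxy host1 GET http://www.netportal.or.kr/common/css/ham.js 200",
    "2024-04-23T10:01:05Z fw host1 allow tcp 10.0.0.5:51234 -> 118.193.40.42:443",
    "2024-04-23T10:02:11Z edr host2 file_create C:\\Users\\Public\\x.exe "
    "sha256=FF7C79649DA193CF16F5100A4B924B1E28EA684A5012A229ED65CA4900613BD7",
    "2024-04-23T10:02:30Z proxy host3 GET http://www.netportal.or.kr/index.html 200",
    "2024-04-23T10:03:00Z fw host4 allow tcp 10.0.0.7:40000 -> 8.8.8.8:53",
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {n}: {hits}")
```

A "host" match warrants review rather than automatic blocking, since the listed hosts may also serve legitimate content.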