ToyMaker Initial Access Broker Fuels CACTUS Ransomware Attacks – Active IOCs

Severity

High

Analysis Summary

ToyMaker, an initial access broker (IAB), has been actively selling access to ransomware groups such as CACTUS, enabling them to carry out double extortion attacks. According to cybersecurity researchers, ToyMaker appears to be a financially motivated actor. It scans internet-exposed systems for known vulnerabilities and uses a custom backdoor known as LAGTOY (also tracked as HOLERUN) to infect devices and establish control.

LAGTOY allows attackers to spawn reverse shells and execute arbitrary commands on compromised machines. Once running, the malware contacts a hard-coded command-and-control (C2) server to receive and execute instructions.

ToyMaker exploits known vulnerabilities in internet-facing applications to breach organizations quickly. Within roughly a week of initial access, the actor performs reconnaissance, harvests credentials, and deploys LAGTOY to maintain access.

In a recent incident, after a short period of inactivity, the CACTUS ransomware gang used credentials stolen by ToyMaker to attack the victim organization. ToyMaker’s main goal appears to be selling access for profit; it does not deploy ransomware itself. After gaining a foothold, CACTUS actors conduct their own reconnaissance, set up persistence using remote-access tools such as OpenSSH, AnyDesk, and eHorus Agent, and then exfiltrate and encrypt data.

Impact

  • Data Exfiltration
  • Financial Loss
  • Unauthorized Access

Indicators of Compromise

IP

  • 23.227.203.214
  • 107.181.187.184
  • 45.61.136.39
  • 209.141.61.225

MD5

  • c55f4b123c645f9c5a1d00205ab2e61e
  • 31c49b87463f4e4ce6ae4c442319d3a2

SHA-256

  • 5dbae77cc7539a70070a1bc811f806c82e0ac11c05aa29e4465270e457153fb3
  • ec8fcc5f5bc33d9cbe3b1d14a2c39b94ce8230e7d99ba4913881d03a3f84ab3f

SHA1

  • 4470bf3b9b59859c901608c41e5de2c077b3b092
  • 144461b7606d81c07d41465ffcad17bd5cdf533d

URL

  • https://ms-prod19-live.com/rehjhj8785780923853/abc
  • https://ms-prod19-live.com/rehjhj8785780923853/cdef
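The following hunting script is an added example, not Rewterz tooling or anything from the ToyMaker or CACTUS reporting. It loads the indicators listed above, derives the C2 domain from the URL indicators so that any path under that host is caught, and additionally flags the remote-access tools the advisory names (AnyDesk, eHorus, OpenSSH) as triage leads. The log line formats and the sample lines are constructed for illustration; the field names (src, dst, url, sha256, image) are assumptions to adapt to your own proxy, EDR, and file-inventory exports.

```python
"""Hunt for the ToyMaker / CACTUS indicators listed in this advisory.

Added example, not Rewterz tooling. Log formats and sample lines below are
constructed for illustration; adapt the parsers to your own proxy, EDR and
file-inventory exports.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the advisory.
IOC_IPS = {
    "23.227.203.214",
    "107.181.187.184",
    "45.61.136.39",
    "209.141.61.225",
}
IOC_URLS = {
    "https://ms-prod19-live.com/rehjhj8785780923853/abc",
    "https://ms-prod19-live.com/rehjhj8785780923853/cdef",
}
IOC_HASHES = {
    # MD5
    "c55f4b123c645f9c5a1d00205ab2e61e",
    "31c49b87463f4e4ce6ae4c442319d3a2",
    # SHA-1
    "4470bf3b9b59859c901608c41e5de2c077b3b092",
    "144461b7606d81c07d41465ffcad17bd5cdf533d",
    # SHA-256
    "5dbae77cc7539a70070a1bc811f806c82e0ac11c05aa29e4465270e457153fb3",
    "ec8fcc5f5bc33d9cbe3b1d14a2c39b94ce8230e7d99ba4913881d03a3f84ab3f",
}
# Domains derived from the URL indicators, so a request to any path under the
# C2 host is caught, not only the two exact URLs published.
IOC_DOMAINS = {urlsplit(u).hostname for u in IOC_URLS}

# Remote-access tools the advisory says CACTUS used for persistence. A process
# match is a lead to triage against your approved-software inventory, not proof
# of compromise on its own.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "ehorus", "sshd.exe"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
# Whole-token hex strings of MD5, SHA-1 or SHA-256 length.
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)


def scan_line(line):
    """Return a list of (indicator_type, value) pairs found in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")
        host = urlsplit(url).hostname
        if url in IOC_URLS:
            hits.append(("url", url))
        elif host in IOC_DOMAINS:
            hits.append(("domain", host))
    for h in HASH_RE.findall(line):
        if h.lower() in IOC_HASHES:
            hits.append(("hash", h.lower()))
    low = line.lower()
    for tool in REMOTE_ACCESS_TOOLS:
        if tool in low:
            hits.append(("remote_access_tool", tool))
    return hits


def scan_lines(lines):
    """Scan an iterable of log lines; return {line_number: hits} for lines with hits."""
    findings = {}
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            findings[n] = hits
    return findings


# Constructed sample lines: two proxy requests to the C2 host (one to an exact
# IOC URL, one to an unlisted path), an EDR file-hash event, a process-creation
# event for AnyDesk, and two benign lines that must not match.
SAMPLE_LOGS = [
    "2025-04-27T10:14:02Z proxy src=10.20.3.44 dst=45.61.136.39 method=GET url=https://ms-prod19-live.com/rehjhj8785780923853/abc status=200",
    "2025-04-27T10:15:11Z proxy src=10.20.3.44 dst=198.51.100.7 method=GET url=https://ms-prod19-live.com/rehjhj8785780923853/xyz status=404",
    "2025-04-27T10:20:40Z edr host=WS-0193 event=file_write path=C:\\Windows\\Temp\\svc.exe sha256=5dbae77cc7539a70070a1bc811f806c82e0ac11c05aa29e4465270e457153fb3",
    "2025-04-27T11:02:05Z edr host=WS-0193 event=process_create image=C:\\ProgramData\\AnyDesk\\AnyDesk.exe parent=cmd.exe",
    "2025-04-27T11:03:00Z proxy src=10.20.3.45 dst=203.0.113.10 method=GET url=https://example.com/index.html status=200",
    "2025-04-27T11:04:00Z edr host=WS-0200 event=file_write path=C:\\Users\\a\\notes.txt sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for n, hits in scan_lines(SAMPLE_LOGS).items():
        print(f"line {n}: {hits}")
```

Matching on the derived domain rather than only the exact URLs matters here because the published paths look randomly generated and the operator can change them without changing the host; a hit on the bare domain is still worth an investigation. The remote-access-tool matches will fire on legitimate installs too, so compare them with your approved inventory before escalating.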

Remediation

  • Block all threat indicators listed above at your respective controls (perimeter firewall, web proxy, DNS filtering, and endpoint protection).
  • Search for the indicators of compromise (IOCs) in your environment using your respective security controls, including proxy and DNS logs for the C2 domain and file-hash inventories for the LAGTOY samples.
  • Audit installed remote-access tools (OpenSSH, AnyDesk, eHorus Agent) against an approved-software inventory and remove any unauthorized instances; CACTUS uses such tools for persistence after purchasing access.
  • Following any confirmed intrusion, reset credentials that may have been harvested, since CACTUS returned with ToyMaker-stolen credentials after a period of inactivity.
  • Emails from unknown senders should always be treated with caution; never trust or open links and attachments received from unknown sources.
  • Enable antivirus and anti-malware software and update signature definitions on time. Multi-layered protection is necessary to secure vulnerable assets.
  • Patch and upgrade internet-facing platforms and software on time and make it a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days, since ToyMaker gains its initial access by exploiting known flaws in internet-facing applications.