ToddyCat APT Targets Microsoft Exchange Servers to Deploy Samurai Backdoor and Ninja Trojan

Meet a novel player in the cyber threat arena! Starting from late 2020 security experts are tracking a new APT collective, dubbed ToddyCat, which was spotted targeting Microsoft Exchange servers in Europe and Asia to deploy custom malware samples. Among the malicious strains distributed by the ToddyCat are previously unknown Samurai backdoor and Ninja Trojan actively used to take full control over infected instances and move laterally across the network. 

Detect ToddyCat APT Attacking Microsoft Exchange Servers

In a view of the growing sophistication and scale of APT attacks, it is important to have detection content timely at hand to proactively defend against intrusions. Grab a Sigma rule below provided by our keen Threat Bounty developer Sittikorn Sangrattanapitak to identify the malicious activity associated with ToddyCat APT: 

Possible ToddyCat APT Group Targeted Europe and Asia Detection By Registry Change (via registry)

This detection rule is compatible with 16 market-leading SIEM, EDR & XDR solutions and aligned with the MITRE ATT&CK® framework v.10, addressing the Defense Evasion tactic represented by the Modify Registry technique (T1112).

Enthusiastic to monetize your threat hunting and detection engineering skills? Join our Threat Bounty Program, develop your own Sigma rules, get them published in the SOC Prime platform, and receive recurrent rewards for your contribution.

Obtain the full list of Sigma, Snort, and Yara rules to detect malicious activities associated with advanced persistent threats (APTs) by hitting the Detect & Hunt button. Cyber defenders can also browse our Cyber Threats Search Engine to get relevant detections enhanced with a broad range of contextual information, including CTI links, MITRE ATT&CK references, and other metadata. Just press the Explore Threat Context Button to dive in!

Detect & Hunt Explore Threat Context

ToddyCat Attack Description

ToddyCAT APT first came into the spotlight in December 2020 when researchers from Kaspersky’s Global Research & Analysis Team (GReAT) identified a malicious campaign targeting Microsoft Exchange servers in Asia and Europe. According to Kaspersky inquiry, the novel APT gang leveraged ProxyLogon exploits to take control over unpatched servers and deploy custom malware, such as Samurai backdoor and Ninja Trojan. Experts note that both malware samples provide ToddyCat with the ability to take control over the affected instances and move laterally across the network. 

The campaign escalated over time, starting from a limited number of organizations in Vietnam and Taiwan at the end of 2020, up to multiple assets in russia, India, Iran, the United Kingdom, Indonesia, Uzbekistan, and Kyrgyzstan in 2021-2022. ToddyCat hackers mostly attacked high-profile orgs, including government institutions and military contractors. Moreover, starting from February 2022, APT affiliates expanded their list of targets with desktop systems besides the Microsoft Exchange servers. 

Interestingly, ToddyCat’s victims are linked to the industries and regions frequently attacked by Chinese hacking collectives. For instance, several ToddyCat targets were simultaneously breached by China-linked hackers leveraging FunnyDream backdoor. However, despite the observed overlaps, security researchers avoid linking ToddyCat APT with FunnyDream operators. 

Take advantage of prolific collaboration with the global cybersecurity community of 23,000+ SOC professionals by joining SOC Prime’s platform. Defend against emerging threats and increase the efficiency of your threat detection capabilities!