Kaspersky unveils unknown APT actor 'ToddyCat'

The origin of 'ToddyCat' is unknown. However, Kaspersky said the APT actor carries similarities with a number of Chinese-speaking threat groups.

Kaspersky shared research Tuesday presenting an advanced persistent threat actor -- designated "ToddyCat" -- of currently unknown origin.

Antivirus vendor Kaspersky tracked the APT actor's activities back to December 2020; in the time since, ToddyCat has attacked high-profile targets across European and Asian countries, including Taiwan, Vietnam, India, Russia, the United Kingdom, Iran and more. According to report author Giampaolo Dedola, a Kaspersky senior security researcher, ToddyCat's targets include government organizations as well as military entities and contractors.

The actor's initial activities from December 2020 to February 2021 consisted of compromising targeted Microsoft Exchange servers in Taiwan and Vietnam while using "an unknown exploit that led to the creation of a well-known China Chopper web shell." This web shell was then used for a "multi-stage infection chain."

Dedola noted that ToddyCat quickly escalated its activities from late February until early March, and exploited the now-infamous ProxyLogon vulnerability to attack more organizations across Europe and Asia. The report hypothesized that the unknown December exploit might also have been ProxyLogon.
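The infection chain described above starts with a one-line web shell dropped onto an Exchange server. A defender's first check after a ProxyLogon-era incident is therefore a sweep of the web-served directories for that shell family. The scanner below is an added example for this article, not code from Kaspersky's report; its regular expressions encode the widely documented "eval on a request parameter" form of China Chopper (ASPX, PHP and classic ASP variants) rather than any indicator Kaspersky published, and the sample file corpus is constructed for illustration.

```python
import os
import re

# Constructed detection rules for the China Chopper one-liner family: the shell
# is a single eval()/execute() call fed directly from an HTTP request parameter.
# These are illustrative patterns, not indicators taken from the Kaspersky report.
CHINA_CHOPPER_PATTERNS = [
    ("aspx-jscript-eval", re.compile(r'eval\s*\(\s*Request\.Item\[', re.IGNORECASE)),
    ("php-eval-request", re.compile(r'@?eval\s*\(\s*\$_(POST|REQUEST|GET)\[', re.IGNORECASE)),
    ("asp-execute-request", re.compile(r'execute\s*\(\s*request\s*\(', re.IGNORECASE)),
]

# Server-side script extensions worth inspecting on IIS/Exchange and PHP hosts.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".php")


def scan_content(content):
    """Return the names of every rule that fires on one file's text."""
    return [name for name, pattern in CHINA_CHOPPER_PATTERNS if pattern.search(content)]


def scan_files(files):
    """files: mapping of path -> file text. Returns {path: [rule names]} for hits only."""
    hits = {}
    for path, content in files.items():
        if not path.lower().endswith(SCRIPT_EXTENSIONS):
            continue  # only server-executed script files can act as a web shell
        matched = scan_content(content)
        if matched:
            hits[path] = matched
    return hits


def scan_directory(root):
    """Walk a real web root (e.g. the IIS wwwroot or Exchange FrontEnd tree) and
    apply the same rules; unreadable files are skipped rather than aborting the sweep."""
    files = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            if not full.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    files[full] = fh.read()
            except OSError:
                continue
    return scan_files(files)


# Constructed sample corpus: two planted shells next to two benign pages.
# The paths imitate typical IIS/Exchange and PHP locations; none are real indicators.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\aspnet_client\system_web\x.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page Language="C#" AutoEventWireup="true" %><html>normal logon page</html>',
    "/var/www/html/uploads/cache.php":
        '<?php @eval($_POST["cmd"]); ?>',
    "/var/www/html/index.php":
        '<?php echo "hello"; ?>',
}


def scan_sample():
    """Run the rules over the constructed corpus; used by the stand-alone demo."""
    return scan_files(SAMPLE_FILES)


if __name__ == "__main__":
    for path, rules in scan_sample().items():
        print(f"[web shell suspect] {path}  rules={','.join(rules)}")
```

Pattern matching of this kind catches only the unobfuscated one-liner; a response team would pair it with file-creation timestamps on the web root and IIS request logs showing POSTs to newly created script files, since both the web shell and the later stages of the chain leave traces there that content signatures alone miss.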

Aspects of ToddyCat's process changed over time, such as the actor's expansion from solely Exchange servers to desktop attacks as well. But overall, Dedola said, ToddyCat "has continued its intense activity" since the initial escalation in March 2021.

Complete technical details of the threat actor's process are available in Kaspersky's report.

Though APTs are typically known for being sponsored by a nation-state of some kind, the report declined to attribute ToddyCat to one particular source. However, Dedola noted that there were parallels between ToddyCat and a number of Chinese-speaking threat groups.

"During our investigations we noticed that ToddyCat victims are related to countries and sectors usually targeted by multiple Chinese-speaking groups," he wrote. "In fact, we observed three different high-profile organizations compromised during a similar time frame by ToddyCat and another Chinese-speaking APT group that used the FunnyDream backdoor."

While there was overlap, Kaspersky was not confident enough to merge the two APTs together.

"Considering the high-profile nature of all the victims we discovered, it is likely they were of interest to several APT groups," Dedola said in the report. "Moreover, despite the occasional proximity in staging locations, we have no concrete evidence of the two malware families directly interacting."

Dedola told SearchSecurity that the lack of strong evidence, such as code and network overlaps between ToddyCat and other threat actors, prevented a confident attribution. In addition, he said, attributing any internet-based cyberattack is difficult.

"Usually, the actors behind the malware try to complicate their origin by wiping out all information that could help researchers or law enforcement agencies to identify and track them," Dedola said. "Sometimes they even put false flags in order to point investigators in the wrong direction. Occasionally, they make mistakes and leave artifacts that can hint at the language the attackers speak, but such situations are the exception rather than the rule.

"That is why we at Kaspersky don't speculate about attribution and can't say with certainty what particular country is behind this or that attack."

Alexander Culafi is a writer, journalist and podcaster based in Boston.