ToddyCat Group Enhances Cyber Capabilities with New Malware Variants


By Tina Reynolds


Recent cybersecurity reports emphasize that the ToddyCat group has greatly bolstered its capabilities. It has released new variants of its malware, including a PowerShell variant of TomBerBil, which steals sensitive data from all web browsers. Publications have already warned that attackers are using it against organizations across Europe and Asia.

The ToddyCat group has been active since 2020. It uses tools such as Samurai and TomBerBil to maintain remote access to compromised systems. The PowerShell version of TomBerBil is particularly effective at pulling data from the Mozilla Firefox web browser, and it can run under a privileged account on domain controllers. The group has also changed and expanded its tactics considerably: it now takes advantage of shared network resources over the SMB protocol to find copies of browser files.

Technical Features of TomBerBil

TomBerBil has been implemented in several programming languages, including C++ and C#. This versatility makes it an effective tool, since it lets the operators target a broad range of systems. Also known as QrlGithub, the malware specializes in stealing cookies and credentials. Beyond Firefox, it targets other popular web browsers, most notably Google Chrome and Microsoft Edge.
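As an added detection example (not code from the article or from Kaspersky), the script below scans simplified Windows event 5145 (network share access) records for reads of the Firefox, Chrome and Edge credential and cookie stores that TomBerBil harvests, which is the kind of SMB share access to browser files described above. The event schema is reduced to a few field names and the sample records are constructed, not real telemetry.

```python
"""Flag SMB share accesses that touch browser credential and cookie stores.

Added example: watches constructed event-5145-style records for the file names
Firefox and Chromium browsers use to hold saved logins and cookies.
"""
import ntpath
from typing import Iterable

# Firefox keeps saved logins in logins.json (decrypted with key4.db) and
# cookies in cookies.sqlite; Chrome/Edge use "Login Data" and "Cookies".
SECRET_STORES = {"logins.json", "key4.db", "cookies.sqlite", "login data", "cookies"}

# Lower-cased directory fragments that identify a browser profile.
PROFILE_HINTS = (
    "\\mozilla\\firefox\\profiles\\",
    "\\google\\chrome\\user data\\",
    "\\microsoft\\edge\\user data\\",
)


def is_secret_store_path(relative_target: str) -> bool:
    """True when the path names a credential/cookie store inside a browser profile."""
    path = "\\" + relative_target.replace("/", "\\").lower()
    return ntpath.basename(path) in SECRET_STORES and any(h in path for h in PROFILE_HINTS)


def flag_share_access(events: Iterable[dict]) -> list[dict]:
    """Return share-access events whose target is a browser secret store.

    Reads of these files through a share (typically C$ or ADMIN$) instead of
    by the browser process itself are the behaviour worth triaging.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") == 5145 and is_secret_store_path(ev.get("RelativeTargetName", "")):
            alerts.append({"user": ev.get("SubjectUserName"), "source": ev.get("IpAddress"),
                           "share": ev.get("ShareName"), "target": ev.get("RelativeTargetName")})
    return alerts


# Constructed sample events (invented users, hosts and paths).
SAMPLE_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "svc-backup", "IpAddress": "10.0.0.23", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ab12cd34.default\\logins.json"},
    {"EventID": 5145, "SubjectUserName": "svc-backup", "IpAddress": "10.0.0.23", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"EventID": 5145, "SubjectUserName": "bob", "IpAddress": "10.0.0.40", "ShareName": "\\\\*\\Projects",
     "RelativeTargetName": "reports\\cookies.txt"},  # ordinary file, not a browser store
    {"EventID": 4663, "SubjectUserName": "alice",  # local object access, outside this rule's scope
     "ObjectName": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ab12cd34.default\\key4.db"},
]

if __name__ == "__main__":
    for alert in flag_share_access(SAMPLE_EVENTS):
        print(alert)
```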

Kaspersky, a prominent cybersecurity company, describes TomBerBil as only one of many tools in ToddyCat’s suite. Another operation was made possible by a vulnerability in the ESET Command Line Scanner, tracked as CVE-2024-11859, which has a CVSS score of 6.8. Exploiting it gave ToddyCat the opportunity to deploy previously undocumented malware codenamed TCESB.

“The ToddyCat APT group is constantly developing its techniques and looking for those that would hide activity to gain access to corporate correspondence within the compromised infrastructure,” – Kaspersky

Recent Activities and Malware Utilization

Besides TomBerBil, ToddyCat employs another tool called TCSectorCopy. It is written in C++, which makes detection by antivirus tools even more difficult, and works by copying files sector by sector. The group has shown that it can carry out complex, unexpected tactical moves. It uses SharpTokenFinder to try to dump the Outlook.exe process; in at least one documented incident, security software appears to have successfully blocked SharpTokenFinder’s access.

Kaspersky recorded attacks with TomBerBil between May and June 2024. The discovery underscores the persistent danger this group still presents. ToddyCat can obtain OAuth 2.0 authorization tokens through the end user’s browser, a capability that significantly escalates its threat level: such tokens can be used outside the compromised infrastructure to log into corporate mail systems without authorization.

“This attack allows them to obtain tokens for the OAuth 2.0 authorization protocol using the user’s browser, which can be used outside the perimeter of the compromised infrastructure to access corporate mail,” – Kaspersky

Implications for Organizations

Increasingly sophisticated cyber threats from malicious groups such as ToddyCat are becoming more frequent. Non-profits working on social-good issues in Europe and Asia should be on alert and prepared to defend themselves. The group’s ability to adapt its techniques and deploy multiple malware variants places a significant burden on cybersecurity defenses.

Agencies need to harden their systems against intrusion and improve their detection of attacker activity by continuously monitoring for suspicious behavior. Cyber threats are always changing and developing, so keeping abreast of new tactics and tools is essential to mitigating the risks posed by advanced persistent threats such as ToddyCat.