Chinese APT group ToddyCat launches new cyber-espionage campaigns

Researchers warn of renewed attacks against high-profile organizations launched by a Chinese APT actor known in the industry as ToddyCat. The group has been refining its tactics as well as malware toolset since 2020 when it was originally discovered.

In a new report this week, researchers from security firm Check Point Software Technologies documented a ToddyCat campaign they dubbed “Stayin’ Alive” that targeted organizations from Asian countries primarily from the telecom and government sectors.

“The Stayin’ Alive campaign consists of mostly downloaders and loaders, some of which are used as an initial infection vector against high-profile Asian organizations,” the Check Point researchers said. “The first downloader found called CurKeep, targeted Vietnam, Uzbekistan, and Kazakhstan. As we conducted our analysis, we realized that this campaign is part of a much wider campaign targeting the region.”

In a separate report this week, researchers from Kaspersky Lab also documented a new generation of malware loaders used by ToddyCat in recent attacks, including some that seem to be tailored for each victim. The Kaspersky researchers originally uncovered ToddyCat activities in late 2020 after the group targeted high-profile Asian and European organizations.

DLL side-loading a favored ToddyCat technique

One of ToddyCat's favored techniques for deploying malware on computers is DLL side-loading. This involves finding a legitimate executable from an application that searches for a particular DLL file in the same directory, and then replacing that DLL with a malicious one.

Because the originally executed file belongs to a legitimate application or service, it’s likely to be digitally signed and whitelisted in some security products. The attackers hope that the subsequent loading of a malicious DLL by a legitimate executable won’t be detected or blocked.
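The side-loading pattern described above leaves a recognizable trace in image-load telemetry, which is where a defender would hunt for it. The following Python is an added example written for this article, not code from Check Point, Kaspersky or ToddyCat's toolset: it scores constructed Sysmon-style Event ID 7 (image loaded) records and flags two patterns, an unsigned DLL loaded from the process's own user-writable directory, and a DLL carrying a Windows-system name (mscoree.dll, which the article mentions further on) loaded from outside the Windows directory. The sample records, the trusted-root list and the system-DLL list are assumptions made for the demonstration.

```python
import ntpath

# Directories where a legitimately installed DLL is expected to live. Anything
# loaded from elsewhere is treated as user-writable by this heuristic (assumption).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# DLL names that normally resolve from %SystemRoot%\System32. mscoree.dll is named
# in the article; the other two are illustrative additions.
SYSTEM_DLL_NAMES = {"mscoree.dll", "version.dll", "dbghelp.dll"}

# Constructed Sysmon Event ID 7 (Image loaded) records; as in real Sysmon output the
# Signed/SignatureStatus fields describe the loaded DLL. Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\Dante\mDNSResponder.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Dante\dal_keepalives.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\Downloads\invoice\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice\mscoree.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _directory(path):
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def _under_trusted_root(path):
    lowered = path.lower()
    return any(lowered.startswith(root) for root in TRUSTED_ROOTS)


def assess_image_load(event):
    """Return the reasons (possibly none) this image load looks like side-loading."""
    image, loaded = event["Image"], event["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return []
    reasons = []
    same_directory = _directory(image) == _directory(loaded)
    untrusted_location = not _under_trusted_root(loaded)
    validly_signed = (event.get("Signed", "false").lower() == "true"
                      and event.get("SignatureStatus") == "Valid")
    dll_name = ntpath.basename(loaded).lower()

    # Pattern 1: the executable resolves a DLL from its own directory, that
    # directory is user-writable, and the DLL carries no valid signature.
    if same_directory and untrusted_location and not validly_signed:
        reasons.append("unsigned DLL loaded from the process's own user-writable directory")
    # Pattern 2: a DLL that should come from System32 was served from elsewhere.
    if dll_name in SYSTEM_DLL_NAMES and untrusted_location:
        reasons.append(f"{dll_name} loaded from {ntpath.dirname(loaded)} "
                       "instead of the Windows directory")
    return reasons


def find_sideloading(events):
    """Flatten findings into (process, dll, reason) tuples for triage."""
    return [(e["Image"], e["ImageLoaded"], reason)
            for e in events for reason in assess_image_load(e)]


if __name__ == "__main__":
    for process, dll, reason in find_sideloading(SAMPLE_EVENTS):
        print(f"{process}\n  -> {dll}\n  {reason}")
```

Run against the constructed records, the VLC and notepad loads pass while the renamed mDNSResponder.exe case and the mscoree.dll-from-Downloads case are flagged; the second of those trips both patterns. The signature check deliberately demands a valid signature rather than merely a signed flag, since a DLL signed with a revoked or untrusted certificate is still worth a look.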

In the past, ToddyCat exploited vulnerabilities in publicly exposed Microsoft Exchange servers, but it also delivers malware through spear-phishing emails with malicious archives attached. These archives contain the legitimate executables together with the rogue side-loaded DLL.

According to Check Point, one application abused in recent attacks is Dante Discovery, made by a company called Audinate. In a spear-phishing attack against a Vietnamese telecom company, the attackers sent an archive containing Dante Discovery's executable, named mDNSResponder.exe, along with a malicious side-loaded DLL named dal_keepalives.dll, which the software looks for.

The rogue dal_keepalives.dll is a simple malware loader that’s used to set up persistence by copying the file combo to the Application Data folder and setting up a scheduled task called AppleNotifyService to keep executing it. The malware loader is used to execute a simple backdoor that Check Point calls “CurKeep.”
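Persistence through a scheduled task that points at a copy of the file combo under the user's profile, as described above, is visible in the task definitions themselves. The Python below is an added example written for this article (not code from Check Point or Kaspersky, and not ToddyCat's loader): it parses constructed task definitions in the Task Scheduler XML format and flags tasks whose action binary, or the DLL handed to rundll32.exe (a loading method the article mentions further on), sits in a user-writable directory. Apart from AppleNotifyService and mDNSResponder.exe, the task names, paths and the list of user-writable path markers are assumptions.

```python
import ntpath
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments that indicate a user-writable location (assumption for the heuristic).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\",
                         "%appdata%", "%localappdata%", "%temp%")

# Constructed task definitions in the Task Scheduler XML format (the shape that
# `schtasks /query /tn <name> /xml` prints). Everything except the AppleNotifyService
# name and mDNSResponder.exe is made up for the demonstration.
SAMPLE_TASKS = {
    "AppleNotifyService": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\alice\AppData\Roaming\Dante\mDNSResponder.exe</Command></Exec>
  </Actions>
</Task>""",
    "VendorUpdateCheck": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\Update\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>""",
    "SystemHealthCheck": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Users\Public\Libraries\svcmon.dll,Start</Arguments></Exec>
  </Actions>
</Task>""",
}


def exec_actions(task_xml):
    """Return (command, arguments) pairs for every Exec action in a task definition."""
    root = ET.fromstring(task_xml)
    pairs = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        pairs.append((command, arguments))
    return pairs


def _user_writable(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def assess_task(name, task_xml):
    """Reasons a task looks like attacker persistence (empty list if none)."""
    reasons = []
    for command, arguments in exec_actions(task_xml):
        if _user_writable(command):
            reasons.append(f"{name}: action binary {command} lives in a user-writable directory")
        # rundll32.exe takes "<dll>,<export>"; flag it when the DLL is user-writable.
        if ntpath.basename(command).lower() == "rundll32.exe":
            dll = arguments.split(",", 1)[0].strip()
            if _user_writable(dll):
                reasons.append(f"{name}: rundll32.exe loads {dll} from a user-writable directory")
    return reasons


def suspicious_tasks(tasks):
    """Map task name -> reasons, keeping only tasks with at least one reason."""
    result = {}
    for name, task_xml in tasks.items():
        reasons = assess_task(name, task_xml)
        if reasons:
            result[name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in suspicious_tasks(SAMPLE_TASKS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a live host the same functions can be fed the output of an export of every task, and the benign-looking task name is exactly why the check keys on the action path rather than on the name: AppleNotifyService is flagged because its command runs from AppData, not because of what it is called.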

“The [CurKeep] main payload logic consists of three primary functionalities: report, shell, and file,” the researchers said. “Each of those is assigned to a different message type that is sent to the C&C server. When executed, the payload initially runs the report functionality, sending basic recon info to the C&C server. It then creates two separate threads that repeatedly run the shell and file functionalities.”

The shell functionality lets the attackers remotely execute shell commands on the machine, and the file functionality downloads files to disk that are then executed.

Meanwhile, the Kaspersky researchers reported seeing similar side-loading tactics taking advantage of vlc.exe, a popular open-source video player, with a rogue accompanying file called playlist.dat, or malware loaders in the form of DLL files that are loaded directly with the rundll32.exe Windows utility.

The loaders seen by Kaspersky were used to load a trojan program dubbed Ninja that ToddyCat has used since 2020 and which the researchers describe as “sophisticated malware written in C++, probably part of an unknown post-exploitation toolkit.” The trojan program can enumerate and kill running processes, manage system files, open reverse shell sessions, inject code into arbitrary processes, load additional modules to extend functionality and set up a proxy for communication with the command-and-control server.

The malware loaders that Kaspersky found were different and used different persistence techniques involving registry keys and system services. In fact, some variants of these loaders seemed tailored to specific victims, using the computer's GUID as the encryption key for their subsequent payloads.

Upon investigating the ToddyCat infrastructure, Check Point also detected additional loaders. One, dubbed “CurLu Loader”, is deployed using a side-loaded DLL called bdch.dll. This loader was used to deploy a payload masquerading as an image file, which in turn leveraged DLL side-loading via mscoree.dll to deploy another backdoor dubbed “CurCore.”

Check Point has also discovered two other loaders, dubbed “StylerServ” and “CurLog”, each using a different deployment technique. CurLog was distributed with lures both as an executable and as a side-loaded DLL, while StylerServ appears to be a secondary loader that works as a passive listener and is deployed by an older variant of CurLu.

All in all, ToddyCat uses a variety of custom malware loaders and backdoors distributed in multiple ways, but often through DLL side-loading.

Additional malicious ToddyCat tools

The Kaspersky researchers have also documented other tools that the group has used in its operations in addition to loaders, backdoors and the Ninja trojan. One of these is called “LoFiSe” and is a tool used to find and collect files of interest from infected systems.

“The name LoFiSe is derived from the mutex name used by this tool (MicrosoftLocalFileService),” the researchers said. “The tool itself is a DLL file named DsNcDiag.dll that is launched using the DLL side-loading technique.”

Other tools include uploaders for Dropbox and Microsoft OneDrive that are used to exfiltrate files, a passive UDP backdoor that receives commands over UDP packets, and Cobalt Strike, a commercial penetration testing framework that has become popular with many hackers.

“The latest discoveries confirm that ToddyCat attacks its target to perform espionage activities,” the researchers said. “To achieve this goal, the attacker penetrates corporate networks using tools such as the loaders and trojans described above. Once it has gained a foothold, it starts to collect information about the hosts connected to the same network to find targets that might have files of interest. The group performs discovery activities, enumerating domain accounts and DC servers by leveraging standard operating system administration utilities.”

Once additional systems have been identified, the attackers use stolen domain admin credentials to mount network drives, execute scripts and set up scheduled tasks on the targeted systems with the goal of finding and exfiltrating documents.
