
The attacker known as ToddyCat has been observed employing new methods to access corporate email data belonging to targeted companies, including using a custom tool called TCSectorCopy.
“This attack allows the user’s browser to be used to obtain OAuth 2.0 authentication protocol tokens, which can be used to access corporate email outside the perimeter of the compromised infrastructure,” Kaspersky said in technical details.
ToddyCat is believed to have been active since 2020 and has a track record of targeting organizations in Europe and Asia, using tools such as Samurai and TomBerBil to maintain access and to steal cookies and credentials from web browsers such as Google Chrome and Microsoft Edge.

In early April of this year, the hacker group was blamed for exploiting a security flaw in ESET Command Line Scanner (CVE-2024-11859, CVSS score: 6.8) to distribute previously undocumented malware codenamed TCESB.
Kaspersky said it detected a PowerShell variant of TomBerBil (in addition to the previously flagged C++ and C# versions) with the ability to extract data from Mozilla Firefox, in attacks that occurred between May and June 2024. A notable feature of this version is that it runs on a domain controller, where a privileged account can reach browser files on other hosts over shared network resources using the SMB protocol.

The company added that the malware was launched by a scheduled task that executed PowerShell commands. Specifically, it searches for browser history, cookies, and credentials stored on remote hosts, reading them over SMB. The copied files containing this information are encrypted with the Windows Data Protection API (DPAPI), and TomBerBil is also able to retrieve the key material needed to decrypt them.
The researchers said: “An earlier version of TomBerBil ran on the host and copied the user token. As a result, DPAPI was used to decrypt the master key in the user’s current session and then the files themselves. In new server versions, TomBerBil copies files containing user encryption keys used by DPAPI. An attacker can use these keys and the user’s SID and password to locally decrypt all copied files.”
Threat actors have also been found to use TCSectorCopy (‘xCopy.exe’) to access corporate email stored in local Microsoft Outlook storage in the form of OST (Offline Storage Table) files, bypassing the locks that prevent access to such files while the application is running.
Written in C++, TCSectorCopy takes as input the file to be copied (here an OST file), opens the disk as a read-only raw device, and copies the file’s contents sequentially, sector by sector. Once the OST file has been written to a path chosen by the attacker, the email contents are extracted with XstReader, an open source viewer for Outlook OST and PST files.

Another tactic employed by ToddyCat involves retrieving access tokens directly from memory when the victim organization uses Microsoft 365 cloud services. JSON Web Tokens (JWTs) are obtained with an open source C# tool called SharpTokenFinder, which enumerates Microsoft 365 applications for plain-text authentication tokens.
However, in at least one incident under investigation the attacker reportedly hit a setback when security software installed on the system blocked SharpTokenFinder’s attempt to dump the Outlook.exe process. To work around this, the operators used the ProcDump tool from the Sysinternals package with specific arguments to obtain a memory dump of the Outlook process.
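The three collection behaviours described in this article (browser and DPAPI key files read over SMB from a domain controller, a raw sector-level read of the disk to copy a locked OST file, and a memory dump of Outlook.exe to harvest tokens) each leave a distinct trace in endpoint telemetry. The following is an added detection sketch, not code from Kaspersky or from the ToddyCat toolset: it runs simple rules over a handful of constructed, Sysmon-style event records. The record layout (`event_id`, `host`, `image`, `target_image`, `granted_access`, `relative_target`) is a simplified assumption rather than the exact schema of any product, and the allowlist and sample values are placeholders to be tuned per environment.

```python
"""Detection sketch for the collection behaviours named in the write-up.

Illustrative only: the event dicts below are constructed samples in a
simplified Sysmon-like shape (event_id 1 = process create, 9 = raw access
read, 10 = process access, 5145 = network share object access). Field names
are assumptions, not a real product schema.
"""
import re

# Browser artefact files that hold history, cookies and saved credentials
# (Chrome/Edge profile files and their Firefox equivalents).
BROWSER_ARTEFACTS = re.compile(
    r"\\(Login Data|Cookies|History|logins\.json|key4\.db|cookies\.sqlite)$",
    re.IGNORECASE,
)
# Per-user DPAPI master key store, the files the server-side TomBerBil copies.
DPAPI_KEY_PATH = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-", re.IGNORECASE
)
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
# Assumption: processes legitimately allowed to open raw volumes; tune per estate.
RAW_READ_ALLOWLIST = {"c:\\windows\\system32\\vssvc.exe"}


def classify(event):
    """Return finding strings ('category: detail') for one event; [] if benign."""
    findings = []
    eid = event.get("event_id")
    image = event.get("image", "").lower()
    if eid == 1:  # process creation: ProcDump pointed at the mail client
        cmd = event.get("command_line", "")
        if image.endswith(("procdump.exe", "procdump64.exe")) and re.search(
            r"outlook(\.exe)?", cmd, re.IGNORECASE
        ):
            findings.append("procdump-outlook: memory dump of Outlook requested")
    elif eid == 10:  # process access: something reading Outlook's memory
        target = event.get("target_image", "").lower()
        if target.endswith("\\outlook.exe") and event.get("granted_access", 0) & PROCESS_VM_READ:
            findings.append("outlook-vm-read: %s read Outlook memory" % image)
    elif eid == 9:  # raw access read: sector-level copy of a locked file possible
        if image not in RAW_READ_ALLOWLIST:
            findings.append("raw-disk-read: %s opened %s" % (image, event.get("device")))
    elif eid == 5145:  # share access: browser profile or DPAPI key files over SMB
        path = event.get("relative_target", "")
        if BROWSER_ARTEFACTS.search(path):
            findings.append("smb-browser-artefact: %s read over share" % path)
        if DPAPI_KEY_PATH.search(path):
            findings.append("smb-dpapi-key: DPAPI master key read over share")
    return findings


def scan(events):
    """Group findings by host so related traces on one machine sit together."""
    by_host = {}
    for ev in events:
        for f in classify(ev):
            by_host.setdefault(ev.get("host", "?"), []).append(f)
    return by_host


def escalate(results, min_categories=2):
    """Hosts showing at least min_categories distinct finding types, sorted."""
    out = []
    for host, findings in results.items():
        if len({f.split(":", 1)[0] for f in findings}) >= min_categories:
            out.append(host)
    return sorted(out)


# Constructed sample telemetry (hostnames, paths and SIDs are made up).
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "ws01", "image": "C:\\Tools\\procdump64.exe",
     "command_line": "procdump64.exe outlook.exe C:\\Users\\Public\\o.dmp"},
    {"event_id": 10, "host": "ws01", "image": "C:\\Tools\\SharpTokenFinder.exe",
     "target_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "granted_access": 0x1FFFFF},
    {"event_id": 9, "host": "ws02", "image": "C:\\Windows\\Temp\\xCopy.exe",
     "device": "\\Device\\HarddiskVolume2"},
    {"event_id": 5145, "host": "dc01", "share_path": "\\\\*\\C$",
     "relative_target": "Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"event_id": 5145, "host": "dc01", "share_path": "\\\\*\\C$",
     "relative_target": "Users\\alice\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1111-2222-3333-1001\\0000aaaa-placeholder"},
    {"event_id": 1, "host": "ws03", "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe"},
    {"event_id": 5145, "host": "dc01", "share_path": "\\\\*\\Shared",
     "relative_target": "Shared\\report.docx"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for host in sorted(results):
        print(host, results[host])
    print("escalate:", escalate(results))
```

Per-host grouping is the useful part: a single share read of a `Login Data` file is noisy on its own, but the same account also touching the user’s DPAPI `Protect` directory from a domain controller, or a ProcDump launch paired with a memory read of Outlook.exe on one workstation, matches the sequence the report describes and is worth escalating.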
“The ToddyCat APT group is constantly developing technology and is looking for techniques to hide activities that access corporate communications within compromised infrastructure,” Kaspersky said.
