Cybersecurity researchers detail the activities of early access brokers (IABs) called Toymakers, who have observed handing over access to terr ransomware gangs like cactus.
The IAB is evaluated with moderate confidence to become a financially motivated threat actor, scans vulnerable systems and deploys custom malware called Lagtoy (aka Holerun).
“The lag toy can be used to create reverse shells and execute commands on infected endpoints,” said Ciskotaros researchers Joey Chen, Asheer Malhotra, Ashley Shen, Vuitton Ventura and Brandon White.
The malware was first documented by Google-owned Mandiant in late March 2023, and its use stems from threat actors tracked as UNC961. Activity clusters are also known by other names such as Gold Melodies and the Prophet Spider.
Threat actors have been observed to gain initial access by leveraging a massive arsenal of known security flaws in applications aimed at the Internet, and then underwent reconnaissance, qualification harvesting and lag toy deployment within a week.
The attacker also opens an SSH connection to a remote host and downloads a forensic tool called Magnet RAM capture to get a memory dump of a machine that may attempt to collect the victim’s qualifications.
Lagtoy is designed to contact a hardcoded command and control (C2) server to retrieve commands for subsequent executions at the endpoint. This can be used for each Mandiant to create processes and run commands under the specified user with corresponding privileges.
The malware is equipped to handle three commands from the C2 server.
“After about three weeks of activity lull, we observed that the Cactus Ransomware Group would use credentials stolen by toymers to enter the victims’ companies,” Talos said.
“Based on the relatively short residence times, lack of data theft and subsequent handover to cactus, it is unlikely that Toymaker had any spy motivating ambitions or goals.”
In the incident analyzed by TALOS, Cactus Ransomware affiliates are said to have carried out their own reconnaissance and sustained activities prior to data delamination and encryption. We also observe several ways to configure long-term access using OpenSSH, AnyDesk, and Ehorus agents.
“Toymaker is a financially motivated early access broker (IAB) that gains access to high-value organizations and forwards access to secondary threat actors who monetize normal access through dual tor and ransomware deployments,” the company says.
Source link
