ToddyCat — a relatively new Chinese-Speaking Advanced Persistent Threat, has been targeting and exploiting vulnerable Exchange Servers throughout Europe and Asia since December 2020 for targeting high-profile entities which is recently reported by Kaspersky.
In this article, we will discuss how ToddyCat exploits the Exchange Servers and the steps to protect your Exchange Servers and networks from such sophisticated malicious attacks. Also, we will discuss the detection methodologies for Toddycat attacks.
ToddyCat Attack Timeline:
The first wave of the attacks was observed between December 2020 and February 2021. At that time, the group targeted a small number of government organizations in Vietnam and Taiwan using an unknown exploit against the Exchange servers. The next wave of attacks was observed between February and May 2021 and started targeting organizations from a long list of countries, including Iran, Russia, India, and the U.K using ProxyLogon Vulnerability. In the next phase, which lasted until February 2022, the group targeted the same cluster of countries, along with more organizations from Uzbekistan, Kyrgyzstan, and Indonesia.
Technical Analysis:
Toddycat uses China Chopper, a 4 KB web shell, to get access to the Microsoft exchange server and download and execute another dropper. At least two custom pieces of malware, known as Samurai and Ninja, were used respectively. Samurai is referred to as a backdoor that was used in the first wave of attacks against Exchange servers for remote administration of compromised servers, as well as code execution. Samurai is sometimes used to install the Ninja malware as the next stage of the intrusion. “Based on the code logic, it appears that Ninja is a collaborative tool allowing multiple operators to work on the same machine simultaneously. It provides a large set of commands, which allow the attackers to control remote systems, avoid detection and penetrate deep inside a targeted network. Some capabilities are similar to those provided in other notorious post-exploitation toolkits,” the Kaspersky analysis says.
Infection Vector:
The attack sequence is initiated after the deployment of the China Chopper web shell attack sequence, which allows the dropper to execute and install the components and create multiple registry keys.
Stage one:
The dropper is capable of installing all the other components and creates multiple registry keys. It first decrypts an encrypted payload stored in another config file which contains multiple payload components that will be used in the next stage. The dropper has a custom API resolution function to load the APIs from the library. Also, it decrypts the config file using the CALG_3DES_112 algorithm with a static key embedded in its code.
Stage two:
The registry keys created by the dropper force the svchost.exe process to load a malicious library. The malicious library is merely a loader that attempts to get an encrypted payload from the registry and pass it as an argument to another DLL manually loaded during runtime.
Stage three:
The DLL is also a loader developed in C# that expects an encrypted payload as an input argument which later gets decrypted and executed for the next stage. The next stage payload is the final payload which is the Samurai backdoor.
Samurai Backdoor:
Samurai is an unknown backdoor that is developed in C# and uses the .NET HTTPListener class to receive and handle HTTP POST requests. To make it difficult to analyze the malware is obfuscated with an algorithm developed to increase the difficulty of reverse engineering. The capabilities of Samurai backdoor are executing remote commands, enumerating files, stealing files, and reverse proxy.
Ninja Trojan:
Ninja is a sophisticated malware developed in C++ which was dropped by Samurai backdoor in specific cases. This malware has the capability of taking full control of the device and spreading across the network. Here is the full list of capabilities of Ninja according to the Kaspersky report,
- Enumerate and manage running processes;
- Manage the file system;
- Start multiple reverse shell sessions;
- Inject code in arbitrary processes;
- Load additional modules (probably plugins) at runtime;
- Provide proxy functionalities to forward TCP packets between the C2 and a remote host.
Detection of Samurai Backdoor:
As Samurai is an obfuscated malware and the malicious payload is directly loaded by the legitimate svchosts.exe process it is not possible to detect with a simple process enumeration. To check the backdoor infection it is recommended by Kaspersky to execute the following command:
‘netsh http show servicestate verbose=yes’
This command displays a snapshot of the HTTP service and the suspicious URLs eg. HTTP://*:80/OWA/AUTH/TOKEN/ can be monitored through the output of this command.
Protection of Exchange Server from Toddycat or other malware attacks:
- MSERT Scan:
The Microsoft Safety Scanner or MSERT tool scans servers for any malware or web shells installed on your Windows Server environment and removes them from the system. The Microsoft safety scanner is available here
https://docs.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download?view=o365-worldwide. - Health Checker PowerShell Script:
Health checker scripts check the server’s health, detect vulnerabilities, and patch them. It is available on Microsoft’s official GitHub page.
https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/