
Elusive ToddyCat APT Targets Microsoft Exchange Servers
2022-06-22 12:18

An advanced persistent threat group, dubbed ToddyCat, is believed to be behind a series of attacks targeting the Microsoft Exchange servers of high-profile government and military organizations in Asia and Europe.

"The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443," wrote Giampaolo Dedola, security researcher at Kaspersky, in a report outlining the APT. Researchers said ToddyCat is a relatively new APT and that there is "Little information about this actor."

Within the Exchange Server environment the APT deploys two malware families, Samurai and Ninja, which researchers say the adversaries use to take complete control of the victim's machines and network.

The researchers also observed attributes linking the same group to attacks on military and government organizations in Indonesia, Uzbekistan and Kyrgyzstan, in addition to the targets in Asia and Europe mentioned above.

In the third wave of attacks the targeting expanded to desktop systems; earlier waves had been limited to Microsoft Exchange servers.

"This overlap caught our attention, since the ToddyCat malware cluster is rarely seen as per our telemetry; and we observed the same targets compromised by both APTs in three different countries. Moreover, in all the cases there was a proximity in the staging locations and in one case they used the same directory," researchers wrote.


News URL

https://threatpost.com/elusive-toddycat-apt-targets-microsoft-exchange-servers/180031/

Related vendor

VENDOR     LAST 12M   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Microsoft  681                     810   4511     4178   3707       13206