The threat actor known as ToddyCat has been observed using new and evolving tactics to steal corporate email data, notably a custom-built tool named TCSectorCopy. The approach lets attackers sidestep the usual access restrictions and read sensitive communications directly inside targeted organizations.
According to cybersecurity researchers at Kaspersky, ToddyCat’s latest methods involve acquiring OAuth 2.0 authorization tokens directly from a user’s browser. These tokens can then be exploited outside the compromised network perimeter to gain unauthorized access to corporate email systems. The group, believed to be operational since 2020, has consistently targeted entities in Europe and Asia, leveraging tools like Samurai and TomBerBil to maintain persistence and exfiltrate browser credentials.
ToddyCat’s Evolving Arsenal and Tactics
ToddyCat’s operational sophistication continues to grow, as evidenced by their recent exploitation of a vulnerability in ESET Command Line Scanner (CVE-2024-11859). This allowed for the deployment of a previously unknown malware strain, codenamed TCESB. The group demonstrates a persistent drive to refine their attack vectors, ensuring a continuous threat to corporate data security.
A significant development in their methodology is a PowerShell variant of their TomBerBil malware. Detected in attacks between May and June 2024, this version has enhanced capabilities for extracting data from Mozilla Firefox. Notably, it can be run from a domain controller by a privileged user, reading browser files across network shares over the SMB protocol. This shift represents a move towards more privileged and pervasive access within target environments.
Kaspersky researchers detailed how this new TomBerBil variant operates. It is launched by a scheduled task that executes a PowerShell command designed to locate and retrieve browser history, cookies, and stored credentials from remote hosts over the SMB protocol. Although the collected data is encrypted with the Windows Data Protection API (DPAPI), TomBerBil also captures the material needed to recover the encryption keys.
Previously, TomBerBil ran on the compromised host and copied user tokens, so that DPAPI could decrypt the keys within the user's active session and the files could be read there. In contrast, the newer server-side version copies the files that hold the user's DPAPI encryption keys. The attackers can then use those keys, together with the user's SID and password, to decrypt all copied files offline, a more robust method of exfiltration.
Accessing Outlook OST Files with TCSectorCopy
Another key innovation observed in ToddyCat’s operations is the use of TCSectorCopy, also referred to as “xCopy.exe,” to access corporate emails stored in local Microsoft Outlook Offline Storage Table (OST) files. This tool allows attackers to bypass restrictions that usually prevent access to these files when Outlook is running.
TCSectorCopy, written in C++, opens a disk volume in read-only mode and copies the contents of specified files, such as OST files, sector by sector, which is why the file lock held by a running Outlook does not stop it. Once the OST files are transferred to an attacker-controlled location, they can be processed with XstReader, an open-source viewer for Outlook OST and PST files, to extract the email correspondence.
Bypassing Microsoft 365 Security Measures
In instances where victim organizations utilize Microsoft 365 cloud services, ToddyCat has been observed attempting to directly extract access tokens from memory. This is achieved using an open-source C# tool named SharpTokenFinder, which scans Microsoft 365 applications for plaintext authentication tokens, commonly known as JSON web tokens (JWTs).
However, this tactic hit a significant hurdle in at least one investigated incident: security software on the system blocked SharpTokenFinder's attempt to dump the Outlook.exe process. To get around the block, the threat actor turned to the ProcDump tool from the Sysinternals suite, using specific arguments to create a memory dump of the Outlook process.
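The three behaviours described above (PowerShell collecting browser profiles over SMB admin shares, TCSectorCopy reading the raw volume, and ProcDump aimed at Outlook.exe) each leave a trace a defender can key on. The following is an added detection example, not Kaspersky's or ToddyCat's code: it triages constructed Sysmon-style events (process creation, EventID 1, and RawAccessRead, EventID 9) with invented hostnames, paths and a renamed ProcDump binary; the allowlist of legitimate raw-volume readers is an assumption to tune per environment.

```python
import re

# UNC admin-share path into a Firefox or Chrome profile, e.g. \\WS-042\C$\Users\x\AppData\Roaming\Mozilla\Firefox
REMOTE_PROFILE_RE = re.compile(
    r"\\\\[^\\]+\\[a-z]\$\\users\\[^\\]+\\appdata\\(roaming\\mozilla\\firefox|local\\google\\chrome)",
    re.IGNORECASE)

# Processes expected to read volumes raw (backup/AV agents). Assumed for this sample; tune per environment.
RAW_READ_ALLOWLIST = {r"c:\windows\system32\vssvc.exe"}

def is_outlook_memory_dump(ev):
    """ProcDump targeting Outlook; matched on OriginalFileName too, so renaming the binary does not evade it."""
    name = (ev.get("OriginalFileName") or ev["Image"].rsplit("\\", 1)[-1]).lower()
    return ev["EventID"] == 1 and "procdump" in name and "outlook" in ev.get("CommandLine", "").lower()

def is_remote_browser_profile_access(ev):
    """Any process whose command line addresses browser profile data on another host's admin share."""
    return ev["EventID"] == 1 and REMOTE_PROFILE_RE.search(ev.get("CommandLine", "")) is not None

def is_unexpected_raw_volume_read(ev):
    """Sysmon RawAccessRead (EventID 9) from a process that is not a known backup or security agent."""
    return ev["EventID"] == 9 and ev["Image"].lower() not in RAW_READ_ALLOWLIST

def triage(events):
    """Return (host, tag) pairs, in event order, for every event that trips one of the checks."""
    checks = [("outlook-memory-dump", is_outlook_memory_dump),
              ("remote-browser-profile-access", is_remote_browser_profile_access),
              ("raw-volume-read", is_unexpected_raw_volume_read)]
    return [(ev["Host"], tag) for ev in events for tag, fn in checks if fn(ev)]

# Constructed sample events: hostnames, paths and the renamed ProcDump ("pd.exe") are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "WS-017", "Image": r"C:\Users\Public\pd.exe", "OriginalFileName": "procdump",
     "CommandLine": r"pd.exe -ma outlook.exe C:\Users\Public\o.dmp"},
    {"EventID": 1, "Host": "DC01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'powershell.exe -w hidden -c "Copy-Item \\WS-042\C$\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\k1.default\logins.json C:\tmp"'},
    {"EventID": 9, "Host": "WS-017", "Image": r"C:\Users\Public\xCopy.exe", "Device": r"\Device\HarddiskVolume2"},
    {"EventID": 9, "Host": "WS-017", "Image": r"C:\Windows\System32\VSSVC.exe", "Device": r"\Device\HarddiskVolume2"},
    {"EventID": 1, "Host": "WS-003", "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\amy\notes.txt"},
]

if __name__ == "__main__":
    for host, tag in triage(SAMPLE_EVENTS):
        print(f"{host}: {tag}")
```

Real deployments should feed the same checks from the SIEM's Sysmon events and treat a raw-volume read by anything outside the allowlist as a high-priority alert, since legitimate software rarely opens volumes with the \\.\ device notation.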
The ongoing evolution of ToddyCat's techniques underscores the dynamic nature of cyber threats. As Kaspersky noted, the ToddyCat APT group consistently refines its methods, actively seeking ways to obscure its activities and gain deeper access to corporate communications within compromised infrastructures. Organizations must remain vigilant and proactive in their defense strategies to counter these advanced persistent threats.