Invisible as a cat: APT ToddyCat attacks Exchange servers in Europe and Asia


ToddyCat attacked Microsoft Exchange servers in Taiwan and Vietnam using the China Chopper web shell, gained remote access to the victims’ administrative networks and launched a multi-stage chain of infection. Other countries have also been subjected to such attacks: India, Indonesia, Iran, Malaysia, Pakistan, Russia, Slovakia, Uzbekistan, Thailand, Afghanistan and the United Kingdom.

According to ESET reports, in March 2021, ToddyCat exploited the ProxyLogon vulnerability to attack the email servers of government agencies across Asia and Europe. ProxyLogon is a Microsoft Exchange vulnerability, the use of which allows attackers to gain access to email servers.

More recently, Kaspersky Lab published its report on ToddyCat, which states that the first wave of attacks was directed exclusively at Microsoft Exchange servers, which hackers hacked using a sophisticated Samurai backdoor. The malware is written in C#, runs on ports 80 and 443 and uses several modules that allow remote control over the infected system, as well as providing lateral movement in the victim’s network. To deploy the backdoor, the attackers used the China Chopper web shell, with which they modified the Windows registry, and then launched the second and third stages.NET-dropper for launching Samurai.

Giampaolo Dedola, an information security specialist at Kaspersky Lab, called ToddyCat a group of experienced hackers using many methods to avoid detection. LC researchers are concerned about the group’s activities, as it targets the government and military sectors.

Start a discussion …