G1022 ToddyCat

ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.[1][2]

| Item | Value |
|---|---|
| ID | G1022 |
| Associated Names | |
| Version | 1.0 |
| Created | 03 January 2024 |
| Last Modified | 14 February 2024 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.002 | Domain Account | ToddyCat has run `net user %USER% /dom` for account discovery.[2] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | ToddyCat has leveraged xcopy, 7zip, and RAR to stage and compress collected documents prior to exfiltration.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | ToddyCat has used PowerShell scripts to perform post-exploitation collection.[2] |
| enterprise | T1059.003 | Windows Command Shell | ToddyCat has used .bat scripts and cmd for execution on compromised hosts.[2] |
| enterprise | T1005 | Data from Local System | ToddyCat has run scripts to collect documents from targeted hosts.[2] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.002 | Remote Data Staging | ToddyCat manually transferred collected files to an exfiltration host using xcopy.[2] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | ToddyCat has used a Dropbox uploader to exfiltrate stolen files.[2] |
| enterprise | T1190 | Exploit Public-Facing Application | ToddyCat has exploited the ProxyLogon vulnerability (CVE-2021-26855) to compromise Exchange Servers at multiple organizations.[1] |
| enterprise | T1083 | File and Directory Discovery | ToddyCat has run scripts to enumerate recently modified documents with a .pdf, .doc, .docx, .xls or .xlsx extension.[2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | ToddyCat has hidden malicious scripts using `powershell.exe -windowstyle hidden`.[2] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.004 | Disable or Modify System Firewall | Prior to executing a backdoor, ToddyCat has run `cmd /c start /b netsh advfirewall firewall add rule name="SGAccessInboundRule" dir=in protocol=udp action=allow localport=49683` to allow the targeted system to receive UDP packets on port 49683.[2] |
| enterprise | T1680 | Local Storage Discovery | ToddyCat has collected information on bootable drives, including model, vendor, and serial numbers.[2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | ToddyCat has used the name debug.exe for malware components.[1] |
| enterprise | T1106 | Native API | ToddyCat has used WinExec to execute commands received from C2 on compromised hosts.[2] |
| enterprise | T1095 | Non-Application Layer Protocol | ToddyCat has used a passive backdoor that receives commands in UDP packets.[2] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.002 | Domain Groups | ToddyCat has executed `net group "domain admins" /dom` for discovery on compromised machines.[2] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.003 | Spearphishing via Service | ToddyCat has sent loaders configured to run Ninja as zip archives via Telegram.[1] |
| enterprise | T1057 | Process Discovery | ToddyCat has run `cmd /c start /b tasklist` to enumerate processes.[2] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | ToddyCat has used locally mounted network shares for lateral movement through targeted environments.[2] |
| enterprise | T1018 | Remote System Discovery | ToddyCat has used `ping %REMOTE_HOST%` for post-exploitation discovery.[2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | ToddyCat has used scheduled tasks to execute discovery commands and scripts for collection.[2] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | ToddyCat can determine if Kaspersky software is running on an endpoint by running `cmd /c wmic process where name="avp.exe"`.[2] |
| enterprise | T1049 | System Network Connections Discovery | ToddyCat has used `netstat -anop tcp` to discover TCP connections to compromised hosts.[2] |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.002 | Domain Accounts | ToddyCat has used compromised domain admin credentials to mount local network shares.[2] |
| enterprise | T1047 | Windows Management Instrumentation | ToddyCat has used WMI to execute scripts for post-exploitation document collection.[2] |
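The command lines in the table above are concrete enough to turn into process-creation detections. The following Python is an added example, not part of the ATT&CK page: it maps a handful of the reported ToddyCat procedures to narrow command-line patterns and runs them over constructed Sysmon-style events (the host names, file path and events are made up).

```python
import re
from typing import List, Tuple

# Each rule pairs an ATT&CK technique ID from the ToddyCat procedure table with a
# regex over the process command line. Patterns are kept narrow so that routine
# admin use of net, netstat or tasklist does not fire on its own.
RULES: List[Tuple[str, re.Pattern]] = [
    # T1562.004: inbound UDP allow rule named/ported as in the reported procedure
    ("T1562.004", re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule.*?(SGAccessInboundRule|localport=49683)', re.I)),
    # T1069.002 / T1087.002: domain group and domain user enumeration via net
    ("T1069.002", re.compile(r'\bnet\s+group\s+"domain admins"\s+/dom', re.I)),
    ("T1087.002", re.compile(r'\bnet\s+user\s+\S+\s+/dom\b', re.I)),
    # T1564.003: PowerShell launched with a hidden window
    ("T1564.003", re.compile(r'powershell(\.exe)?\s+.*-windowstyle\s+hidden', re.I)),
    # T1518.001: checking for Kaspersky's avp.exe through WMIC
    ("T1518.001", re.compile(r'wmic\s+process\s+where\s+name="avp\.exe"', re.I)),
    # T1049: TCP connection listing with owning PIDs
    ("T1049", re.compile(r'\bnetstat\s+-anop\s+tcp\b', re.I)),
    # T1057: tasklist detached from cmd, as reported
    ("T1057", re.compile(r'cmd\s+/c\s+start\s+/b\s+tasklist\b', re.I)),
]

def match_command(cmdline: str) -> List[str]:
    """Return the technique IDs whose pattern matches one command line."""
    return [tid for tid, pat in RULES if pat.search(cmdline)]

def scan_events(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Run every rule over process-creation events; return (host, technique, cmdline) hits."""
    hits = []
    for ev in events:
        for tid in match_command(ev["cmdline"]):
            hits.append((ev["host"], tid, ev["cmdline"]))
    return hits

# Constructed sample events (Sysmon-style process creation), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": 'cmd /c start /b netsh advfirewall firewall add rule name="SGAccessInboundRule" dir=in protocol=udp action=allow localport=49683'},
    {"host": "ws01", "cmdline": 'net group "domain admins" /dom'},
    {"host": "ws02", "cmdline": "powershell.exe -windowstyle hidden -File C:\\Users\\Public\\collect.ps1"},
    {"host": "ws02", "cmdline": 'cmd /c wmic process where name="avp.exe"'},
    {"host": "ws03", "cmdline": "netstat -ano"},    # benign: no tcp filter, no -p
    {"host": "ws03", "cmdline": "net user alice"},  # benign: local lookup, no /dom
]

if __name__ == "__main__":
    for host, tid, cmd in scan_events(SAMPLE_EVENTS):
        print(f"{host}\t{tid}\t{cmd}")
```

The two benign events are there to show that the rules key on the specific flags ToddyCat used, so a generic `netstat` or local `net user` does not alert.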

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0020 | China Chopper | [1] | Web Protocols: Application Layer Protocol; Password Guessing: Brute Force; Windows Command Shell: Command and Scripting Interpreter; Data from Local System; File and Directory Discovery; Timestomp: Indicator Removal; Ingress Tool Transfer; Network Service Discovery; Software Packing: Obfuscated Files or Information; Web Shell: Server Software Component |
| S0154 | Cobalt Strike | [2] | Sudo and Sudo Caching: Abuse Elevation Control Mechanism; Bypass User Account Control: Abuse Elevation Control Mechanism; Parent PID Spoofing: Access Token Manipulation; Token Impersonation/Theft: Access Token Manipulation; Make and Impersonate Token: Access Token Manipulation; Domain Account: Account Discovery; DNS: Application Layer Protocol; Web Protocols: Application Layer Protocol; File Transfer Protocols: Application Layer Protocol; BITS Jobs; Browser Session Hijacking; JavaScript: Command and Scripting Interpreter; Visual Basic: Command and Scripting Interpreter; PowerShell: Command and Scripting Interpreter; Python: Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Standard Encoding: Data Encoding; Data from Local System; Protocol or Service Impersonation: Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Asymmetric Cryptography: Encrypted Channel; Symmetric Cryptography: Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing: Hide Artifacts; Disable or Modify Tools: Impair Defenses; Timestomp: Indicator Removal; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools: Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros: Office Application Startup; LSASS Memory: OS Credential Dumping; Security Account Manager: OS Credential Dumping; Domain Groups: Permission Groups Discovery; Local Groups: Permission Groups Discovery; Process Discovery; Dynamic-link Library Injection: Process Injection; Process Hollowing: Process Injection; Process Injection; Protocol Tunneling; Domain Fronting: Proxy; Internal Proxy: Proxy; Query Registry; Reflective Code Loading; Remote Desktop Protocol: Remote Services; SSH: Remote Services; Windows Remote Management: Remote Services; SMB/Windows Admin Shares: Remote Services; Distributed Component Object Model: Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing: Subvert Trust Controls; Rundll32: System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution: System Services; Pass the Hash: Use Alternate Authentication Material; Domain Accounts: Valid Accounts; Local Accounts: Valid Accounts; Windows Management Instrumentation |
| S1101 | LoFiSe | [2] | Archive Collected Data; Automated Collection; Data from Local System; Local Data Staging: Data Staged; File and Directory Discovery; DLL: Hijack Execution Flow |
| S0039 | Net | [2] | Domain Account: Account Discovery; Local Account: Account Discovery; Additional Local or Domain Groups: Account Manipulation; Local Account: Create Account; Domain Account: Create Account; Network Share Connection Removal: Indicator Removal; Network Share Discovery; Password Policy Discovery; Domain Groups: Permission Groups Discovery; Local Groups: Permission Groups Discovery; SMB/Windows Admin Shares: Remote Services; Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution: System Services; System Time Discovery |
| S0104 | netstat | [2] | System Network Connections Discovery |
| S1100 | Ninja | [1] | Web Protocols: Application Layer Protocol; Windows Service: Create or Modify System Process; Non-Standard Encoding: Data Encoding; Data Obfuscation; Protocol or Service Impersonation: Data Obfuscation; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; Environmental Keying: Execution Guardrails; File and Directory Discovery; DLL: Hijack Execution Flow; Timestomp: Indicator Removal; Inter-Process Communication; Local Storage Discovery; Match Legitimate Resource Name or Location: Masquerading; Native API; Non-Application Layer Protocol; Encrypted/Encoded File: Obfuscated Files or Information; Compression: Obfuscated Files or Information; Spearphishing via Service: Phishing; Process Discovery; Process Injection; Multi-hop Proxy: Proxy; Internal Proxy: Proxy; Scheduled Transfer; Rundll32: System Binary Proxy Execution; System Information Discovery; System Network Configuration Discovery; Malicious File: User Execution |
| S1102 | Pcexter | [2] | Data from Local System; Exfiltration to Cloud Storage: Exfiltration Over Web Service; File and Directory Discovery; DLL: Hijack Execution Flow |
| S0097 | Ping | [2] | Remote System Discovery |
| S1099 | Samurai | [1] | Web Protocols: Application Layer Protocol; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Standard Encoding: Data Encoding; Data from Local System; Symmetric Cryptography: Encrypted Channel; File and Directory Discovery; Ingress Tool Transfer; Match Legitimate Resource Name or Location: Masquerading; Modify Registry; Native API; Non-Application Layer Protocol; Compression: Obfuscated Files or Information; Compile After Delivery: Obfuscated Files or Information; Dynamic API Resolution: Obfuscated Files or Information; Obfuscated Files or Information; Proxy; Query Registry; Software Discovery |

References