Researchers from Kaspersky have described attacks by the advanced persistent threat (APT) group ToddyCat, which compromised Microsoft Exchange servers using two malware families it calls Samurai and Ninja.
To be precise, the ToddyCat APT attacked Microsoft Exchange servers using two malicious tools, the Samurai backdoor and the Ninja Trojan. The main targets of this campaign were government and military organizations in Europe and Asia.
ToddyCat is a relatively new but sophisticated APT group. Kaspersky researchers first detected its activity in December 2020, when it attacked Microsoft Exchange servers.
Then, in February and March 2021, the Russian cybersecurity company observed a rapid escalation when ToddyCat exploited the ProxyLogon vulnerability on Microsoft Exchange servers to attack various organizations in Asia and Europe.
Since September 2021, the group has turned its attention to desktop machines dealing with governmental and diplomatic entities in Asia. The group continues to upgrade its arsenal and will continue its offensive in 2022.
Although the initial infection vector, or exploitation method, of the group's latest attacks is unknown, Kaspersky researchers have conducted a thorough analysis of the malware used in them. ToddyCat uses the Samurai backdoor and the Ninja Trojan, two advanced cyber-espionage tools designed to penetrate deep into a target's network while remaining covert.
Samurai is a modular backdoor and a late-stage component of an attack: it allows the attackers to manage systems remotely and move laterally within a compromised network. The malware stands out because it uses multiple control-flow and case statements to jump between instructions, making the sequence of actions in the code very difficult to trace.
In addition, this backdoor is used to launch a second piece of malware, the Ninja Trojan, a complex collaborative tool that allows multiple operators to work simultaneously on the same machine.
The Ninja Trojan also provides a large command set that allows the attackers to control remote systems while avoiding detection. It is usually loaded into the device's memory and launched by various loaders.
The Ninja Trojan begins its operation by retrieving configuration parameters from an encrypted payload, then infiltrates deep into the network it infects. Its capabilities include managing the file system, starting a reverse shell, forwarding TCP packets, and even taking over the network for a period of time, which can be configured dynamically using specific commands.
This malware also resembles well-known post-exploitation frameworks such as Cobalt Strike: one Ninja feature lets the malware limit the number of direct connections from the targeted network to remote command-and-control systems, even where systems have no internet access.
In addition, the malware can control its HTTP indicators and disguise malicious traffic as HTTP requests that look benign by modifying HTTP headers and URL paths. This ability makes the Ninja Trojan very stealthy.
"ToddyCat is a sophisticated threat group with high technical capabilities, capable of evading detection and infiltrating high-level organizations. Despite the number of loaders and attacks discovered over the past year, we still don't have a complete view of their operations and tactics. What is notable about ToddyCat is that it focuses on advanced malware capabilities - the Ninja Trojan is so called for its capabilities - which are difficult to detect and therefore difficult to stop," explained Giampaolo Dedola, Kaspersky security expert, in a statement received by us.
"The best way to deal with a threat like this is to use multiple layers of defense, which provide information about internal assets and are always up to date with the latest threat intelligence," he concluded.