ToddyCat’s New Hacking Tools
ToddyCat’s new hacking tools give the attackers deeper access to corporate email systems. The group uses custom PowerShell scripts and sector-level file copying to steal sensitive information, and these tools let it collect access tokens and mail files from compromised networks. The activity shows continued evolution in the group’s operations.
Stealing OAuth Tokens
The attackers use a tool that captures OAuth 2.0 tokens from a victim’s browser. These tokens grant access to corporate mail for as long as they remain valid, and because they are bearer tokens, the mail service accepts them from whatever host presents them: an attacker can replay a stolen token from their own infrastructure, outside the compromised network, without the user’s password or a fresh MFA prompt. A stolen token therefore becomes a powerful foothold for later actions.
Long-Term Campaign Across Regions
Reports say ToddyCat has operated since 2020 against targets in Europe and Asia. The group typically deploys several tools at once to maintain access, including variants built to gather browser cookies and saved credentials. These give it more accounts and sessions to work with as it moves through a network.
Exploiting Software Flaws
In one earlier incident, the group exploited a vulnerability in a scanning tool to install a new malware family. The incident also showed the group’s interest in overlooked software weaknesses, and the pattern suggests an ongoing effort to find new entry points.
Updated TomBerBil Variant
Between May and June 2024, researchers detected a new PowerShell version of TomBerBil. This version extracts data from browsers including Firefox. It runs on domain controllers with privileged rights, so it can reach user profile files on other hosts across the network.
How TomBerBil Collects Data
The malware launches through a scheduled task that runs a PowerShell command. It searches user profiles over SMB for browser history, cookies and saved credentials, and it collects both the encrypted credential stores and the key material needed to decrypt them. With both in hand, the attackers can recover the plaintext offline.
Changes in the New Version
The older version decrypted files during the user’s session on the compromised host. The new server-side version instead copies the key files and decrypts them later. Decrypting offline is more flexible, and it leaves fewer traces on the endpoint, which reduces the chance of detection. The attackers then process all stolen files on their own systems.
Extracting Outlook Email Files
ToddyCat uses another tool called TCSectorCopy to copy Outlook OST files. Outlook keeps the OST locked while it is running, so a normal file copy fails. TCSectorCopy instead opens the disk as a raw device and copies the file’s sectors directly, which requires administrative rights but sidesteps the file lock and file-level access controls. The attackers then decode the contents with a publicly available OST viewer.
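The collection tradecraft described in the TomBerBil and TCSectorCopy sections above leaves distinct traces in standard Windows telemetry: a scheduled task whose action is PowerShell (Security event 4698), admin-share reads of browser profile folders (Security event 5145, which records the share and the relative path), and raw device reads of a volume (Sysmon event 9, RawAccessRead). The script below is an added example written for this page, not ToddyCat’s tooling and not any vendor’s detection content. The event IDs and field names are real; the pipe-separated line format, host and account names, and the raw-read allowlist are constructed assumptions for the example and would be replaced by your SIEM’s parsed fields and environment tuning.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry, not logs from any real incident. Field names
# mirror the Windows Security / Sysmon schema; the "k=v|k=v" line format is a
# simplification used for this example (a SIEM would hand you parsed fields).
SAMPLE_EVENTS = [
    # Scheduled task on a domain controller whose action is hidden, encoded PowerShell.
    r"src=Security|EventID=4698|Computer=DC01|SubjectUserName=CORP\svc_admin"
    r"|TaskName=\Microsoft\Windows\Maintenance\WinSAT|Command=powershell.exe"
    r"|Arguments=-nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AA==",
    # The same account reading browser secret stores on a workstation over the C$ share.
    r"src=Security|EventID=5145|Computer=WS-ACCT-07|SubjectUserName=CORP\svc_admin"
    r"|IpAddress=10.0.0.5|ShareName=\\*\C$"
    r"|RelativeTargetName=Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\a1b2c3d4.default-release\key4.db",
    r"src=Security|EventID=5145|Computer=WS-ACCT-07|SubjectUserName=CORP\svc_admin"
    r"|IpAddress=10.0.0.5|ShareName=\\*\C$"
    r"|RelativeTargetName=Users\jdoe\AppData\Local\Google\Chrome\User Data\Local State",
    # Raw read of the system volume by a binary dropped in a world-writable path.
    r"src=Sysmon|EventID=9|Computer=WS-ACCT-07|Image=C:\Users\Public\tcsc.exe"
    r"|Device=\Device\HarddiskVolume3",
    # Benign noise that must not fire.
    r"src=Security|EventID=5145|Computer=FS01|SubjectUserName=CORP\jdoe"
    r"|IpAddress=10.0.1.44|ShareName=\\*\Finance|RelativeTargetName=Reports\Q3\summary.xlsx",
    r"src=Sysmon|EventID=9|Computer=WS-ACCT-07|Image=C:\Windows\System32\VSSVC.exe"
    r"|Device=\Device\HarddiskVolume3",
]

# Rule 1: task action is PowerShell with the usual evasion switches.
POWERSHELL_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)
SUSPICIOUS_ARGS_RE = re.compile(r"-enc|-w hidden|-nop\b|bypass", re.IGNORECASE)

# Rule 2: admin share (C$, D$, ADMIN$) plus a path into a browser's secret store.
# key4.db / Local State hold the key material; Login Data / logins.json hold the
# encrypted credentials, which is the pairing the text describes.
ADMIN_SHARE_RE = re.compile(r"^\\\\\*\\(?:[A-Z]\$|ADMIN\$)$", re.IGNORECASE)
BROWSER_STORE_RE = re.compile(
    r"AppData\\(?:Local|Roaming)\\.*?(?:Google\\Chrome|Microsoft\\Edge|Mozilla\\Firefox)\\.*?"
    r"(?:Cookies|Login Data|History|Local State|key4\.db|logins\.json|cookies\.sqlite|places\.sqlite)$",
    re.IGNORECASE,
)

# Rule 3: raw device reads. Assumption for the example: only the Volume Shadow
# Copy service is expected to do this on these hosts; tune per environment.
RAW_READ_ALLOWLIST = {r"c:\windows\system32\vssvc.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    computer: str
    detail: str


def parse_event(line: str) -> dict:
    """Split one constructed 'k=v|k=v' line into a field dict (first '=' wins)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def hunt(lines) -> list:
    """Run the three rules over event lines and return the findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        src, eid = ev.get("src"), ev.get("EventID")
        if src == "Security" and eid == "4698":
            cmd, args = ev.get("Command", ""), ev.get("Arguments", "")
            if POWERSHELL_RE.search(cmd) and SUSPICIOUS_ARGS_RE.search(args):
                findings.append(Finding("sched-task-powershell", ev["Computer"],
                                        f"{ev.get('TaskName')} -> {cmd} {args}"))
        elif src == "Security" and eid == "5145":
            share, target = ev.get("ShareName", ""), ev.get("RelativeTargetName", "")
            if ADMIN_SHARE_RE.match(share) and BROWSER_STORE_RE.search(target):
                findings.append(Finding("smb-browser-secret-store", ev["Computer"],
                                        f"{ev.get('SubjectUserName')} from {ev.get('IpAddress')} read {share}\\{target}"))
        elif src == "Sysmon" and eid == "9":
            image = ev.get("Image", "")
            if image.lower() not in RAW_READ_ALLOWLIST:
                findings.append(Finding("raw-device-read", ev["Computer"],
                                        f"{image} opened {ev.get('Device')}"))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule; a host with hits from several rules deserves priority."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.computer}: {f.detail}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

The 5145 rule is the one to invest in: reads of key4.db or Local State over an admin share by a single account against many workstations, originating from a domain controller’s address, is the pattern the text describes, and it is low-volume in most environments once backup and EDR agents are allowlisted.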
Stealing Cloud Access Tokens
The group also targets Microsoft 365 access tokens held in process memory. They use an open-source tool to scan memory for plain-text tokens. In one case, security software blocked that attempt, and the attackers switched to a different memory-dumping tool to get around the block.
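How a plain-text token sitting in process memory is found and triaged, and why it matters for the OAuth token theft described earlier on this page as well: Microsoft 365 access tokens are JWTs, so a carver only needs their base64url shape, and the decoded claims reveal the audience, scopes, user and expiry that make a stolen token usable from outside the network. The block below is an added example written for this page, not the attackers’ tool and not any open-source project’s code. The memory image, clock value and claims are constructed; the signature bytes are fake and are never verified, which is the correct stance for triage since the carver is not the intended audience of the token.

```python
import base64
import json
import re

# Entra ID access tokens for Microsoft 365 are JWTs: three base64url segments
# joined by dots, the first two of which decode to JSON objects (so they start
# with "eyJ"). This shape is what a memory carver keys on.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")

SAMPLE_NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url_decode(segment: bytes) -> bytes:
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def make_sample_jwt(claims: dict) -> bytes:
    """Build a constructed JWT with a fake (all-zero) signature for the example."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = _b64url_encode(b"\x00" * 32)
    return header + b"." + payload + b"." + signature


def build_sample_memory() -> bytes:
    """Constructed process memory: filler plus one ASCII and one UTF-16LE token."""
    mail_token = make_sample_jwt({
        "aud": "https://outlook.office365.com",
        "scp": "Mail.Read Mail.ReadWrite",
        "upn": "jdoe@example.com",
        "exp": SAMPLE_NOW + 3000,
    })
    graph_token = make_sample_jwt({
        "aud": "https://graph.microsoft.com",
        "scp": "User.Read",
        "upn": "jdoe@example.com",
        "exp": SAMPLE_NOW - 60,
    })
    filler = bytes(range(256)) * 4
    # .NET strings sit in memory as UTF-16LE, so one token is stored that way.
    return filler + mail_token + filler + graph_token.decode().encode("utf-16-le") + filler


def find_tokens(blob: bytes) -> list:
    """Return distinct JWT-looking byte strings, whether stored as ASCII or UTF-16LE."""
    views = [blob]
    # Try both alignments: the token may start at an odd offset in the image.
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16-le", errors="ignore")
        views.append(text.encode("ascii", errors="ignore"))
    found = []
    for view in views:
        for m in JWT_RE.finditer(view):
            if m.group(0) not in found:
                found.append(m.group(0))
    return found


def describe_token(token: bytes, now: int) -> dict:
    """Decode header and claims without verifying the signature; raises ValueError if not a JWT."""
    header_b64, payload_b64, _signature = token.split(b".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    exp = int(claims.get("exp", 0))
    return {
        "alg": header.get("alg"),
        "aud": claims.get("aud"),
        "scp": claims.get("scp"),
        "upn": claims.get("upn") or claims.get("preferred_username"),
        "expires_in_s": exp - now,
        "usable": exp > now,  # a live bearer token works from any host until exp
    }


def triage(blob: bytes, now: int) -> list:
    """Carve and decode every token in the image, skipping matches that are not real JWTs."""
    results = []
    for token in find_tokens(blob):
        try:
            results.append(describe_token(token, now))
        except (ValueError, UnicodeDecodeError):
            continue
    return results


if __name__ == "__main__":
    for entry in triage(build_sample_memory(), SAMPLE_NOW):
        print(entry)
```

Two caveats a responder should keep in mind. The `exp` claim is what bounds the damage from an access token, but a refresh token found alongside it is opaque (it will not match this regex) and is what gives the long-term access the page describes, so carving for JWTs alone understates exposure. And the `aud` and `scp` values tell you which service and permissions the attacker gained: a token scoped to mail is exactly what the campaign above is after.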
Constant Improvement of Techniques
Reports note that ToddyCat keeps refining its approach, looking for quieter ways to reach email systems and adapting quickly when a security measure blocks a tool. This consistency reflects a long-term commitment to stealthy operations.
Prevention and Protection
Organizations should watch privileged systems closely, especially domain controllers, and alert on scheduled tasks that launch PowerShell, on admin-share reads of browser profile folders, on raw disk access by unexpected binaries, and on unsigned tools reading the memory of mail or browser processes. Managed threat hunting and continuous monitoring help catch this activity, and during response, revoking sessions for affected users invalidates their refresh tokens so that a stolen token cannot be renewed once the current access token expires. These measures help stop an intrusion before the attackers reach sensitive email data.
Sleep well, we got you covered.