Elusive ToddyCat APT Targets Microsoft Exchange Servers

An advanced persistent threat (APT) group, dubbed ToddyCat, is believed behind a series of attacks targeting Microsoft Exchange servers of high-profile government and military installations in Asia and Europe. The campaigns, according to researchers, began in December 2020, and have been largely poorly understood in their complexity until now. “The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443,” wrote Giampaolo Dedola security researcher at Kaspersky, in a report outlining the APT. Researchers said ToddyCat a is relatively new APT and there is “little information about this actor.” The APT leverages two passive backdoors within the Exchange Server environment with malware called Samurai and Ninja, which researchers say are used by the adversaries to take complete control of the victim’s hardware and network. The Samurai malware was a part of a multi-stage infection chain initiated by the infamous China Chopper and relies on web shells to drop exploits on the selected exchange server in Taiwan and Vietnam from December 2020, reports Kaspersky. The researchers stated that the malware “arbitrary C# code execution and is used with multiple modules that allow the attacker to administrate the remote system and move laterally inside the targeted network.” In some cases, they said, the Samurai backdoor lays the path to launch another malicious…