The threat actor known as ToddyCat has been observed adopting new methods to gain access to corporate email data belonging to targeted companies, including the use of a custom tool called TCSectorCopy.
“This attack allows them to obtain tokens for the OAuth 2.0 authorization protocol using the user’s browser, which can be used outside the perimeter of the compromised infrastructure to access corporate mail,” Kaspersky said in a technical breakdown.
ToddyCat, which is estimated to have been active since 2020, has a track record of targeting various organizations in Europe and Asia with tools such as Samurai and TomBerBil, the latter used to gain access to web browsers such as Google Chrome and Microsoft Edge and steal cookies and credentials.
Earlier this April, the hacking group was held responsible for exploiting a security flaw in the ESET command line scanner (CVE-2024-11859, CVSS score: 6.8) to distribute a previously unknown malware codenamed TCESB.
Kaspersky said it detected a PowerShell version of TomBerBil (as opposed to the previously identified C++ and C# versions) in attacks that occurred between May and June 2024, which adds the capability to extract data from Mozilla Firefox. A notable feature of this version is that it runs on domain controllers under a privileged user's account and accesses browser files on other hosts through shared network resources using the SMB protocol.
The company said the malware was launched through a scheduled task that executed PowerShell commands. Specifically, it searches for browser history, cookies, and saved credentials on the remote host over SMB. While the copied files containing this information are encrypted using the Windows Data Protection API (DPAPI), TomBerBil is equipped to capture the encryption keys needed to decrypt the data.
“The previous version of TomBerBil ran on the host and copied the user token. As a result, DPAPI was used to capture the master key in the user’s current session and subsequently decrypt files,” the researchers said. “In the new server version, TomBerBil copies files containing user encryption keys used by the DPAPI. Using these keys as well as the user’s SID and password, attackers can decrypt all copied files locally.”
It was also found that the threat actors accessed corporate emails stored locally in Microsoft Outlook OST (short for Offline Storage Table) files using TCSectorCopy (“xCopy.exe”), bypassing the restrictions that limit access to such files while the application is running.
Written in C++, TCSectorCopy accepts as input the file to be copied (in this case, an OST file), opens the disk as a read-only device, and sequentially copies the file's contents sector by sector, which sidesteps the file lock held by Outlook. Once the OST files are written to a path of the attacker’s choosing, the contents of the electronic correspondence are extracted using XstReader, an open-source viewer for Outlook OST and PST files.
Another tactic adopted by ToddyCat involved attempting to obtain access tokens directly from memory in cases where victim organizations used the Microsoft 365 cloud service. JSON Web Tokens (JWTs) are obtained through an open-source C# tool called SharpTokenFinder, which enumerates Microsoft 365 applications for plain text authentication tokens.
But the threat actor was said to have been dealt a blow in at least one investigated incident, when security software installed on the system blocked SharpTokenFinder’s attempt to dump the Outlook.exe process. To circumvent this restriction, the operator used the ProcDump tool from the Sysinternals package with specific arguments to take a memory dump of the Outlook process.
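The three collection techniques described above (PowerShell reading browser secret stores over SMB admin shares, a raw sector-level disk read to copy a locked OST file, and a ProcDump memory dump of Outlook) each leave a distinct telemetry footprint. The following detection heuristics are an added example written for this article, not Kaspersky's or ToddyCat's code; the event schema, the sample events, the host names and the allowlist of processes permitted to open raw disk devices are all constructed assumptions to be mapped onto real EDR or Sysmon fields.

```python
"""Heuristics for the ToddyCat mail-collection tradecraft described above."""
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Event:
    host: str
    process: str
    command_line: str = ""
    target_file: str = ""  # file or device handle opened by the process, if recorded

# Admin share over SMB, e.g. \\WS-042\C$\ (hostname, then a drive-letter share).
UNC_ADMIN_SHARE = re.compile(r"\\\\[\w.-]+\\[A-Za-z]\$\\")
# Well-known Chromium and Firefox credential/cookie/history stores.
BROWSER_SECRETS = re.compile(
    r"\\(Login Data|Cookies|History|logins\.json|key4\.db|cookies\.sqlite)\b", re.I)
# Raw device paths such as \\.\PhysicalDrive0 or \\.\C: (what a sector copier opens).
RAW_DISK = re.compile(r"^\\\\\.\\(PhysicalDrive\d+|[A-Za-z]:)$", re.I)
# ProcDump invoked against the Outlook process.
OUTLOOK_DUMP = re.compile(r"procdump(64)?\.exe\b.*\boutlook\.exe\b", re.I)
# Placeholder allowlist; tune to the backup/AV agents legitimately reading raw disks.
TRUSTED_RAW_DISK_READERS = {"system", "vssvc.exe"}

def classify(ev: Event) -> List[str]:
    """Return the technique labels an event matches (empty list when benign)."""
    hits = []
    # 1. PowerShell reaching browser secret stores on another host via an SMB admin share.
    if (ev.process.lower() == "powershell.exe"
            and UNC_ADMIN_SHARE.search(ev.command_line)
            and BROWSER_SECRETS.search(ev.command_line)):
        hits.append("remote-browser-secret-read")
    # 2. An unexpected process opening the raw disk: sector copies bypass file locks.
    if RAW_DISK.match(ev.target_file) and ev.process.lower() not in TRUSTED_RAW_DISK_READERS:
        hits.append("raw-disk-read")
    # 3. A memory dump of Outlook, which holds Microsoft 365 tokens in plain text.
    if OUTLOOK_DUMP.search(ev.command_line):
        hits.append("outlook-memory-dump")
    return hits

def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Flatten all matches into (host, process, technique) alerts."""
    return [(ev.host, ev.process, tag) for ev in events for tag in classify(ev)]

# Constructed sample telemetry (not real logs): one event per technique plus a benign one.
SAMPLE_EVENTS = [
    Event("DC01", "powershell.exe",
          r"powershell.exe -File collect.ps1 \\WS-042\C$\Users\a.smith\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("WS-042", "xCopy.exe",
          r"xCopy.exe C:\Users\a.smith\AppData\Local\Microsoft\Outlook\a.smith.ost D:\out\a.smith.ost",
          target_file=r"\\.\PhysicalDrive0"),
    Event("WS-042", "procdump64.exe", r"procdump64.exe -ma outlook.exe C:\Temp\o.dmp"),
    Event("WS-042", "svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The raw-disk rule is the highest-value one here, since sector-level reads by arbitrary user-mode binaries are rare on workstations, whereas the ProcDump rule needs the same logic extended to other dumpers.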
“ToddyCat APT group is constantly developing its technologies and looking for techniques that will hide activity to gain access to corporate correspondence within the compromised infrastructure,” Kaspersky said.