Chinese-speaking APT group ToddyCat launches renewed cyberattacks on high-profile organisations

Researchers from Check Point and Kaspersky have uncovered the group’s new campaigns targeting high-profile Asian organisations primarily in the telecom and government sectors.


Chinese-speaking APT group ToddyCat, known for its cyber-espionage activities, has reemerged with more sophisticated tactics and an evolving malware toolset. Researchers from Check Point Software Technologies recently uncovered a campaign they dubbed ‘Stayin’ Alive,’ primarily targeting organisations in Asian countries, with a focus on the telecom and government sectors.

ToddyCat relies on various downloaders and loaders to infect high-profile organisations across the region. In their analysis, Check Point identified a downloader named CurKeep, which initially targeted countries like Vietnam, Uzbekistan, and Kazakhstan. However, further investigation revealed that this campaign was part of a larger effort aimed at the Asian region.

The Kaspersky researchers also documented ToddyCat’s activities, highlighting a new generation of malware loaders used in recent attacks. Some of these loaders are tailored for specific victims, enhancing the group’s stealth and effectiveness.

One of ToddyCat’s preferred techniques for deploying malware is DLL side-loading. This method involves identifying a legitimate executable file within an application that searches for a specific DLL file in the same directory. The attackers then replace this DLL file with a malicious one. Since the initially executed file is from a legitimate application, it often has digital signatures and may be whitelisted by some security products. ToddyCat leverages this technique to evade detection and execute malicious DLLs.
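The side-loading pattern described above (a signed, legitimate executable resolving a DLL from its own directory instead of a system directory) is something image-load telemetry can surface. The following is an added detection example, not code from the article or from Check Point or Kaspersky. It parses a constructed, simplified log format (one load per line, fields separated by `|`: process image path, loaded DLL path, whether the process is signed, whether the DLL is signed); real sources such as Sysmon event 7 or EDR image-load events carry the same information under different field names, so only the parser would change. The `SYSTEM_DLL_BASELINE` set is an assumption standing in for a list generated from a known-good host.

```python
"""Flag DLL side-loading candidates in image-load telemetry (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed baseline: DLL file names that a known-good host serves from its
# system directories. In a real deployment this is generated from a golden image.
SYSTEM_DLL_BASELINE = {"version.dll", "dwmapi.dll", "userenv.dll"}
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


@dataclass
class ImageLoad:
    image: PureWindowsPath      # the process executable
    loaded: PureWindowsPath     # the DLL it loaded
    image_signed: bool
    dll_signed: bool


def parse_line(line: str) -> ImageLoad:
    """Parse one record of the constructed '|'-separated format."""
    image, loaded, img_sig, dll_sig = [f.strip() for f in line.split("|")]
    return ImageLoad(
        PureWindowsPath(image),
        PureWindowsPath(loaded),
        img_sig.lower() == "true",
        dll_sig.lower() == "true",
    )


def _same_dir(a: PureWindowsPath, b: PureWindowsPath) -> bool:
    return str(a.parent).lower() == str(b.parent).lower()


def _in_system_dir(p: PureWindowsPath) -> bool:
    return any(str(p.parent).lower() == str(d).lower() for d in SYSTEM_DIRS)


def classify(ev: ImageLoad) -> list[str]:
    """Return the reasons this load looks like side-loading; empty means benign."""
    reasons: list[str] = []
    if _in_system_dir(ev.loaded):
        return reasons  # resolved from a system directory: the expected case
    if not _same_dir(ev.image, ev.loaded):
        return reasons  # not sitting next to the executable
    if ev.image_signed and not ev.dll_signed:
        reasons.append("signed executable loaded an unsigned DLL from its own directory")
    if ev.loaded.name.lower() in SYSTEM_DLL_BASELINE:
        reasons.append(
            f"{ev.loaded.name} normally resolves from a system directory "
            f"but was loaded from {ev.loaded.parent}"
        )
    return reasons


def find_sideload_candidates(lines):
    """Run classify() over log lines; return (image, dll, reasons) for hits."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            hits.append((str(ev.image), str(ev.loaded), reasons))
    return hits


# Constructed sample telemetry: one legitimate install and one copy of the same
# signed executable dropped into a user-writable directory beside a rogue DLL.
SAMPLE_LOG = r"""
C:\Program Files\VendorApp\vendorapp.exe | C:\Windows\System32\version.dll | true | true
C:\Program Files\VendorApp\vendorapp.exe | C:\Program Files\VendorApp\vendorcore.dll | true | true
C:\Users\Public\update\vendorapp.exe | C:\Users\Public\update\version.dll | true | false
C:\Users\Public\update\vendorapp.exe | C:\Windows\System32\kernel32.dll | true | true
"""

if __name__ == "__main__":
    for image, dll, reasons in find_sideload_candidates(SAMPLE_LOG.strip().splitlines()):
        print(f"{image} -> {dll}")
        for r in reasons:
            print(f"    {r}")
```

Only the third record is flagged, for two independent reasons: a signed process loaded an unsigned DLL from its own directory, and that DLL carries the name of one the baseline expects to come from a system directory. The two rules are kept separate so that a vendor's own unsigned helper DLL (second record) does not fire the baseline rule, while a trojanised copy of a system DLL name still fires even if an attacker manages to sign it.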

ToddyCat has previously exploited vulnerabilities in publicly exposed Microsoft Exchange servers, but it also delivers malware through spear-phishing emails containing malicious archives. These archives bundle legitimate executables with rogue DLLs that the executables side-load.

As the group’s activities continue to evolve, organisations in Asia and beyond need to be vigilant and take steps to protect their systems from these advanced threats, researchers warn.