Description
[ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)
Techniques Used (TTPs)
- T1005 — Data from Local System (collection)
- T1069.002 — Domain Groups (discovery)
- T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
- T1566.003 — Spearphishing via Service (initial-access)
- T1087.002 — Domain Account (discovery)
- T1095 — Non-Application Layer Protocol (command-and-control)
- T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1106 — Native API (execution)
- T1057 — Process Discovery (discovery)
- T1018 — Remote System Discovery (discovery)
- T1562.004 — Disable or Modify System Firewall (defense-evasion)
- T1049 — System Network Connections Discovery (discovery)
- T1021.002 — SMB/Windows Admin Shares (lateral-movement)
- T1059.003 — Windows Command Shell (execution)
- T1190 — Exploit Public-Facing Application (initial-access)
- T1567.002 — Exfiltration to Cloud Storage (exfiltration)
- T1518.001 — Security Software Discovery (discovery)
- T1059.001 — PowerShell (execution)
- T1564.003 — Hidden Window (defense-evasion)
- T1083 — File and Directory Discovery (discovery)
- T1074.002 — Remote Data Staging (collection)
- T1047 — Windows Management Instrumentation (execution)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1082 — System Information Discovery (discovery)
- T1560.001 — Archive via Utility (collection)
Total TTPs: 25
Malware & Tools
Malware: China Chopper, Cobalt Strike, LoFiSe, Ninja, Pcexter, Samurai