URL: https://securityonline.info/researcher-identifies-toddycat-inspired-apt-attack-leveraging-icmp-backdoor-and-microsoft-exchan...
Researcher Identifies ToddyCat-Inspired APT Attack Leveraging ICMP Backdoor and Microsoft Exchange Flaws

by do son · September 3, 2024

Image: Kaspersky


Cybersecurity researchers at Kaspersky’s Global Emergency Response Team (GERT)
have uncovered a sophisticated attack involving an ICMP backdoor, bearing
striking similarities to the tactics used by the ToddyCat APT group. This
discovery was made during an investigation into suspicious activity on a
client’s domain controllers and Exchange servers.

The attackers exploited a combination of vulnerabilities, including the
Microsoft Exchange server remote code execution flaw (CVE-2021-26855) and an
older, patched IKEEXT service vulnerability, to gain initial access and
establish persistence.

One of the more intriguing aspects of this attack was the abuse of the IKEEXT
service, a default component in Windows systems responsible for managing
Internet Key Exchange (IKE) protocols. The attackers repurposed an old
vulnerability related to the wlbsctrl.dll library—a flaw first reported and
patched by Microsoft in 2012—to achieve persistence. By planting a malicious
version of wlbsctrl.dll in the system32 directory, the threat actors ensured
that their backdoor would be executed each time the IKEEXT service was invoked,
without needing to modify standard autorun configurations.

Image: Kaspersky

The attackers further exploited the IKEEXT service to perform lateral movement
across the compromised network. By leveraging the Server Message Block (SMB)
protocol, they established a custom firewall rule—codenamed “DLL
Surrogate”—which enabled the malicious dllhost.exe to listen on port 52415. This
allowed the threat actor to move laterally with minimal detection, spreading
their foothold across the organization’s infrastructure.
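A host-level hunt for the three indicators described in this and the preceding paragraph (the planted wlbsctrl.dll, the "DLL Surrogate" firewall rule, and a dllhost.exe listener on TCP 52415), added here as an example that is not part of the article or Kaspersky's report; the function name is my own, and it assumes an elevated PowerShell 5.1+ session with the NetSecurity module available:

```powershell
# Added hunt script (not from the article or Kaspersky): checks a Windows host for
# the three indicators the article reports. Run from an elevated PowerShell session.
function Find-IkeextSurrogateIndicators {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Phantom DLL: Windows does not ship wlbsctrl.dll in System32 by default,
    #    yet IKEEXT tries to load it from there, so any file by that name is suspect.
    $dll = Join-Path $env:SystemRoot 'System32\wlbsctrl.dll'
    if (Test-Path -LiteralPath $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $findings.Add([pscustomobject]@{
            Indicator = 'wlbsctrl.dll present in System32'
            Detail    = "Signature status: $($sig.Status); IKEEXT start type: $((Get-Service ikeext).StartType)"
        })
    }

    # 2. Firewall rule with the display name the article reports ("DLL Surrogate").
    $rules = Get-NetFirewallRule -DisplayName 'DLL Surrogate' -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $port = ($r | Get-NetFirewallPortFilter).LocalPort
        $app  = ($r | Get-NetFirewallApplicationFilter).Program
        $findings.Add([pscustomobject]@{
            Indicator = 'Firewall rule "DLL Surrogate"'
            Detail    = "Action=$($r.Action) Direction=$($r.Direction) LocalPort=$port Program=$app"
        })
    }

    # 3. Listener on TCP 52415. dllhost.exe normally hosts COM surrogates and does
    #    not listen on the network, so a listener owned by it is worth a look
    #    whatever the firewall rule is called.
    $conns = Get-NetTCPConnection -LocalPort 52415 -State Listen -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add([pscustomobject]@{
            Indicator = 'Listener on TCP 52415'
            Detail    = "PID $($c.OwningProcess) $($proc.Name) $($proc.Path)"
        })
    }
    return $findings
}

$hits = Find-IkeextSurrogateIndicators
if ($hits.Count -eq 0) { 'No IKEEXT / DLL Surrogate indicators found.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

A hit on any one check is a lead, not a verdict: confirm the DLL's hash and signer and the listener's parent process before acting on it.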

The attackers then deployed a custom ICMP backdoor, allowing them to maintain
covert access to the compromised system. This backdoor, acting as a loader,
decrypts and executes payloads stored within the Windows registry, ultimately
leading to the establishment of a raw ICMP socket for communication.

Image: Kaspersky

Kaspersky’s analysis of the backdoor revealed that it operated as a loader,
executing a series of complex actions to establish persistence and conceal its
activities:

 * Mutex Checking and Termination: The backdoor first checked for a specific
   mutex in memory, terminating if the mutex was already present to avoid
   multiple instances running simultaneously.
 * Payload Retrieval and Execution: The backdoor then attempted to decrypt a
   file stored in the Windows directory, using a combination of AES encryption
   with keys derived from the volume serial number of the C drive. The decrypted
   payload was then stored in the Windows registry and executed in memory,
   ensuring that the malicious code remained hidden from disk-based detection
   tools.
 * Shellcode Injection: The decrypted payload, identified by its “CAFEBABE”
   header—a marker commonly associated with Java Class files—was loaded into
   memory and executed. This payload was designed to create a raw ICMP socket,
   allowing the system to receive and execute commands from the threat actor
   without establishing an outbound connection, thereby minimizing the risk of
   detection.

While attribution remains uncertain, the attack’s tactics, techniques, and
procedures (TTPs) align closely with those observed in previous campaigns
associated with the ToddyCat APT group.


Tags: CVE-2021-26855, ICMP Backdoor, Microsoft Exchange, ToddyCat APT