Full Report
Kaspersky experts analyze the ToddyCat APT attacks targeting corporate email. We examine the new version of TomBerBil, the TCSectorCopy and XstReader tools, and methods for stealing access tokens from Outlook.
Analysis Summary
# Threat Actor: ToddyCat APT
## Attribution & Identity
**Identification:** ToddyCat APT, as tracked and analyzed by Kaspersky experts. The report treats it as a distinct threat actor group with its own recognizable tooling and attack patterns.
## Activity Summary
The analyzed activity centers on **espionage against corporate email systems**. The threat actor deployed new versions of its toolset to compromise these environments and exfiltrate sensitive information, in particular the access tokens used by Microsoft Outlook.
## Tactics, Techniques & Procedures
- **Email Compromise:** Direct targeting of corporate email infrastructure.
- **Token Theft:** Specific focus on stealing access tokens from Outlook clients.
- **Custom Tooling:** Use of custom malware and utilities for operational execution.
*(Note: The source does not list specific MITRE ATT&CK IDs; the described activity maps most naturally to Credential Access techniques (T1003, T1555) and possibly Execution (T1059) or Collection (T1005).)*
## Targeting
- **Sectors:** Corporate entities (implied by "corporate email" focus).
- **Geography:** Not stated in the source report.
- **Victims:** Not named; the affected organizations are those using Microsoft Outlook for corporate email.
## Tools & Infrastructure
- **Malware families used:**
  - TomBerBil (new version analyzed)
  - TCSectorCopy
  - XstReader
- **Infrastructure (C2, domains, IPs):** None detailed in the source report.
## Implications
ToddyCat APT poses a high risk to organizations that rely on Microsoft Outlook. Stealing Outlook access tokens gives the actor sustained, stealthy access to sensitive communications without having to repeatedly compromise user credentials, which points to a deliberate focus on persistent access and data exfiltration.
## Mitigations
Mitigation efforts should focus on:
- Improving monitoring and detection for the known tools **TomBerBil, TCSectorCopy, and XstReader**.
- Deploying controls that limit or monitor access to, and exfiltration of, **Outlook access tokens**.
- Reviewing the security configuration of corporate email access points.