Full Report
The threat actor known as ToddyCat has been observed adopting new methods to obtain access to corporate email data belonging to target companies, including using a custom tool dubbed TCSectorCopy. "This attack allows them to obtain tokens for the OAuth 2.0 authorization protocol using the user's browser, which can be used outside the perimeter of the compromised infrastructure to access
Analysis Summary
# Threat Actor: ToddyCat
## Attribution & Identity
- **Identification:** Threat actor known as ToddyCat.
- **Aliases/Associations:** None explicitly mentioned beyond the primary name. Assessed to be active since 2020.
## Activity Summary
ToddyCat has been observed deploying new methods to access and steal corporate email data from targeted organizations. Recent activities show a focus on obtaining access tokens for the OAuth 2.0 protocol and exfiltrating data from Microsoft Outlook. The actor constantly develops new techniques to hide activity and gain continued access to corporate correspondence.
## Tactics, Techniques & Procedures
- **New Access/Token Acquisition (OAuth 2.0):** Obtaining tokens for the OAuth 2.0 authorization protocol using the user's browser, allowing post-compromise access outside the network perimeter.
- **Email Data Access (Local Outlook):** Bypassing restrictions to access corporate emails stored in local Microsoft Outlook OST files while the application is running, by copying the files sector-by-sector.
- **Credential/Cookie Theft (Browser):** Historical/ongoing use of tools to steal cookies and credentials from web browsers (Google Chrome, Microsoft Edge, Mozilla Firefox).
- **Persistence/Delivery:** Use of scheduled tasks to execute threat payloads (e.g., PowerShell variants of TomBerBil).
- **Data Exfiltration Preparation (DPAPI):** Copying files containing encryption keys used by Windows Data Protection API (DPAPI) to enable local decryption of stolen browser data using the user's SID and password.
- **Memory Scraping/Dumping:** Attempting to obtain JSON web tokens (JWTs) directly from memory when targets use Microsoft 365, sometimes requiring the use of Sysinternals **ProcDump** to dump the **Outlook.exe** process memory after security software blocked initial attempts with **SharpTokenFinder**.
- **Exploitation (Historical):** Exploitation of a security flaw in ESET Command Line Scanner (CVE-2024-11859) to deliver malware.
## Targeting
- **Sectors:** Corporate organizations (general targeting mentioned).
- **Geography:** Europe and Asia.
- **Victims:** Not explicitly named in the provided text.
## Tools & Infrastructure
- **Custom Tools:**
  - **TCSectorCopy:** C++ tool used to copy OST files sector-by-sector by reading the disk as a read-only device.
  - **TomBerBil:** Malware previously seen in C++ and C# versions. A newer PowerShell variant targets data from Mozilla Firefox, runs on domain controllers, and searches remote hosts over SMB for browser files.
  - **TCESB:** Previously undocumented malware delivered via CVE-2024-11859 exploitation.
- **Third-Party/Open-Source Tools Used:**
  - **SharpTokenFinder:** C# tool used to enumerate M365 applications for plaintext authentication tokens.
  - **ProcDump:** Used to dump the Outlook process memory when direct access was blocked.
  - **XstReader:** Open-source viewer used to extract contents from copied OST files.
- **Infrastructure:** Not explicitly detailed for current operations, but techniques show reliance on domain controllers and SMB for internal movement.
## Implications
ToddyCat demonstrates a highly adaptive approach focused directly on harvesting long-lived session credentials (OAuth tokens) or critical offline email stores (OST files). Their ability to use DPAPI keys alongside stolen credentials grants them comprehensive offline decryption capabilities for sensitive communications, bypassing perimeter security once initial access is established.
## Mitigations
- Implement controls to monitor or restrict the suspicious reading of local Outlook OST files, especially via non-standard processes or direct disk access utilities (like sector copy tools).
- Harden endpoint security to prevent low-level memory manipulation tools like ProcDump from targeting critical processes such as Outlook.exe.
- Review M365/OAuth configuration for excessive long-lived token permissions.
- Strictly control execution of PowerShell commands via scheduled tasks, especially those involving SMB connections to enumerate and copy files from domain controllers or other sensitive endpoints.
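As an added example (not part of the report or of any ToddyCat tooling), a small Python check that turns the first, second and fourth mitigations above into command-line rules and runs them over constructed Sysmon-style process-creation events; the image paths, task name, host name and file names are made up.

```python
import re

# Constructed sample events (not from the report): Sysmon-style process
# creation records with the launched image and its command line.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    # ProcDump pointed at the Outlook process (memory scraping for tokens)
    {"image": r"C:\Users\alice\AppData\Local\Temp\procdump64.exe",
     "cmdline": "procdump64.exe -ma Outlook.exe outlook.dmp"},
    # Non-standard binary reading the raw disk device to reach a locked OST
    {"image": r"C:\Users\alice\AppData\Local\Temp\copy.exe",
     "cmdline": r"copy.exe \\.\PhysicalDrive0 C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost"},
    # Scheduled task running PowerShell that walks an admin share over SMB
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Updater /tr "powershell -w hidden -c Get-ChildItem \\DC01\C$\Users -Filter *.sqlite"'},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
]

# Each rule corresponds to one mitigation listed above.
RULES = [
    ("memory dump of Outlook",
     re.compile(r"procdump.*\boutlook\.exe\b", re.I)),
    ("raw disk read targeting OST",
     re.compile(r"\\\\\.\\PhysicalDrive\d+.*\.ost\b", re.I)),
    ("scheduled task running PowerShell over SMB",
     re.compile(r"schtasks.*/create.*powershell.*\\\\[^\s\\]+\\[a-z]\$", re.I)),
]


def classify(event):
    """Return the names of all rules the event's command line matches."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def scan(events):
    """Return (image, matched rule names) for every event that fires a rule."""
    return [(e["image"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```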