ToddyCat's New Hacking Tools Steal Outlook Emails and Microsoft 365 Access Tokens
Briefly

"The threat actor known as ToddyCat has been observed adopting new methods to obtain access to corporate email data belonging to target companies, including using a custom tool dubbed TCSectorCopy. 'This attack allows them to obtain tokens for the OAuth 2.0 authorization protocol using the user's browser, which can be used outside the perimeter of the compromised infrastructure to access corporate mail,' Kaspersky said in a technical breakdown."
"Kaspersky said it detected a PowerShell variant of TomBerBil (as opposed to C++ and C# versions flagged before) in attacks that took place between May and June 2024, which comes with capabilities to extract data from Mozilla Firefox. A notable feature of this version is that it runs on domain controllers from a privileged user and can access browser files via shared network resources using the SMB protocol."
"The malware, the company added, was launched by means of a scheduled task that executed a PowerShell command. Specifically, it searches for browser history, cookies, and saved credentials in the remote host over SMB. While the copied files containing the information are encrypted using the Windows Data Protection API (DPAPI), TomBerBil is equipped to capture the encryption key necessary to decrypt the data."
ToddyCat is using new techniques to reach corporate email: a custom tool, TCSectorCopy, and a method that obtains OAuth 2.0 tokens through the user's browser, tokens that can then be replayed from outside the compromised perimeter to read corporate mail. The group has targeted organizations across Europe and Asia since 2020 and uses tools such as Samurai and TomBerBil to steal cookies and saved credentials from browsers. A PowerShell variant of TomBerBil, seen between May and June 2024, is launched by a scheduled task on a domain controller under a privileged user, copies browser history, cookie, and saved-credential files from other hosts over SMB, and captures the DPAPI key needed to decrypt them. The group also exploited a flaw in the ESET Command Line Scanner to deliver previously undocumented malware called TCESB.
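The TomBerBil PowerShell variant leaves two observables that Windows Security auditing already records: a scheduled task on the domain controller whose action is PowerShell (event 4698), and reads of browser credential and cookie stores on workstations through administrative shares (event 5145, with Detailed File Share auditing enabled). The hunting script below is an added example written for this page, not Kaspersky's or The Hacker News' code; the event fields mirror the real 4698/5145 schema, but the sample events, host names, IP addresses and the hostname-to-IP map are constructed for illustration.

```python
"""Hunt for TomBerBil-style browser-store theft over SMB from a domain controller.

Correlates two Windows Security observables (constructed sample data below):
  * 4698  scheduled task created, action launches powershell.exe / pwsh.exe
  * 5145  network share object checked: a browser credential/cookie store is
          read through an administrative share (C$ or ADMIN$)
A finding is a host that both registered a PowerShell task and, by IP, pulled
browser stores from other machines.
"""
import re
from collections import defaultdict

# Files that browser-credential stealers collect from Chromium and Firefox profiles.
BROWSER_STORE_RE = re.compile(
    r"(?:\\|/)(?:Login Data|Cookies|History|Local State|Network\\Cookies"
    r"|logins\.json|key4\.db|cookies\.sqlite)$",
    re.IGNORECASE,
)
ADMIN_SHARES = {r"\\*\C$", r"\\*\ADMIN$"}          # 5145 ShareName format
POWERSHELL_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)


def share_access_hits(events):
    """5145 events where a browser store is read through an admin share."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5145 or ev.get("ShareName") not in ADMIN_SHARES:
            continue
        target = ev.get("RelativeTargetName", "")
        if BROWSER_STORE_RE.search(target):
            hits.append({"src_ip": ev["IpAddress"], "user": ev["SubjectUserName"],
                         "target": target, "computer": ev["Computer"]})
    return hits


def powershell_task_hits(events):
    """4698 events whose task definition launches PowerShell."""
    return [{"host": ev["Computer"], "task": ev["TaskName"], "user": ev["SubjectUserName"]}
            for ev in events
            if ev.get("EventID") == 4698 and POWERSHELL_RE.search(ev.get("TaskContent", ""))]


def hunt(events, host_ips):
    """Correlate PowerShell tasks with SMB pulls of browser stores by originating host.

    host_ips maps hostname -> IP so that 4698 (keyed by Computer) can be joined
    to 5145 (keyed by the client's IpAddress).
    """
    tasks_by_host = defaultdict(list)
    for t in powershell_task_hits(events):
        tasks_by_host[t["host"]].append(t)
    pulls_by_ip = defaultdict(list)
    for h in share_access_hits(events):
        pulls_by_ip[h["src_ip"]].append(h)
    findings = []
    for host, tasks in tasks_by_host.items():
        pulls = pulls_by_ip.get(host_ips.get(host), [])
        if pulls:   # a PowerShell task AND browser-store reads from that host's IP
            findings.append({"host": host,
                             "tasks": sorted({t["task"] for t in tasks}),
                             "victims": sorted({p["computer"] for p in pulls}),
                             "files": sorted({p["target"] for p in pulls})})
    return findings


# Constructed sample telemetry (hostnames, IPs, task names and paths are made up).
HOST_IPS = {"DC01": "10.0.0.5", "FS01": "10.0.0.9"}
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "TaskName": r"\Microsoft\Windows\Maintenance\Sync",
     "TaskContent": "<Exec><Command>powershell.exe</Command>"
                    "<Arguments>-nop -w hidden -enc SQBFAFgA</Arguments></Exec>"},
    {"EventID": 4698, "Computer": "FS01", "SubjectUserName": "admin",
     "TaskName": r"\Backup\Nightly", "TaskContent": "<Exec><Command>cmd.exe</Command></Exec>"},
    {"EventID": 5145, "Computer": "WS-ALICE", "IpAddress": "10.0.0.5", "SubjectUserName": "svc_backup",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 5145, "Computer": "WS-ALICE", "IpAddress": "10.0.0.5", "SubjectUserName": "svc_backup",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"EventID": 5145, "Computer": "WS-BOB", "IpAddress": "10.0.0.5", "SubjectUserName": "svc_backup",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"EventID": 5145, "Computer": "WS-BOB", "IpAddress": "10.0.0.77", "SubjectUserName": "helpdesk",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"EventID": 5145, "Computer": "WS-BOB", "IpAddress": "10.0.0.77", "SubjectUserName": "helpdesk",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Users\bob\Documents\report.docx"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, HOST_IPS):
        print(f"{f['host']}: task(s) {f['tasks']} pulled {f['files']} from {f['victims']}")
```

On the sample data the correlation reports only DC01: the helpdesk reads of Bob's Cookies file from 10.0.0.77 are returned by `share_access_hits` for triage but do not become a finding, because no PowerShell task was registered on a host with that IP. Note that the SMB reads are the better signal of the two: an actor with domain-controller privileges can decrypt DPAPI-protected browser files with the domain DPAPI backup key, so the DPAPI step itself leaves little on the workstation.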
Read at The Hacker News