LONDON (IT BOLTWISE) – The hacker group ToddyCat has developed new techniques for accessing corporate email. It uses purpose-built tools to steal Outlook data and Microsoft 365 access tokens.


Since its formation in 2020, the hacker group ToddyCat has made a name for itself by targeting companies in Europe and Asia. Its latest approach relies on a custom tool called TCSectorCopy, built specifically to reach corporate email. Through this method the attackers obtain OAuth 2.0 authorization tokens via the user’s browser; the tokens can then be used from outside the compromised infrastructure to access corporate email.

Another notable tool in their arsenal is TomBerBil, which exists in different variants. The latest version, discovered in attacks between May and June 2024, is a PowerShell variant specifically designed to extract data from Mozilla Firefox. This version runs on domain controllers with privileged user rights and can access browser files via the SMB protocol. The stolen files are encrypted using the Windows Data Protection API (DPAPI), but TomBerBil is able to capture the necessary decryption key.

Another target is the corporate email that Microsoft Outlook stores locally in OST files. Using TCSectorCopy, a tool written in C++, the attackers copy these files sector by sector, even while the application is running. The extracted content is then analyzed with XstReader, an open source Outlook file viewer.

Additionally, the attackers try to obtain access tokens directly from process memory, particularly in organizations that use the Microsoft 365 cloud service. For this they use SharpTokenFinder, an open source C# tool that searches Microsoft 365 applications for plaintext authentication tokens. In one case, an attempt to dump the Outlook.exe process was blocked by security software. To get around this hurdle, the attackers used the ProcDump tool from the Sysinternals package to create a memory dump of the Outlook process.
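As an added, defender-side example that is not from the article or from any ToddyCat tooling: a small Python detector that runs over constructed Sysmon-style process creation (Event ID 1) and process access (Event ID 10) records and flags the ProcDump/memory-dump pattern against Outlook.exe described above. Field names follow Sysmon; the allowlisted MsMpEng.exe source, the assumption that ProcDump’s version resource reports `procdump` as OriginalFileName, and every path in the sample events are assumptions made for this example.

```python
"""Flag memory-dump attempts against Outlook.exe in Sysmon-style records.

Illustrative detector, not ToddyCat tooling and not from the article.
Field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 10
(ProcessAccess); the sample events at the bottom are constructed.
"""
import ntpath
import re

PROCESS_VM_READ = 0x0010  # access bit needed to read another process's memory
TARGET = "outlook.exe"
# Known dump tool file names (ProcDump is named in the article; procdump64 is its 64-bit build).
DUMP_TOOL_IMAGES = {"procdump.exe", "procdump64.exe"}
# Processes expected to open Outlook with VM_READ (assumption: Defender's engine); tune per estate.
ALLOWED_ACCESS_SOURCES = {"msmpeng.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return ntpath.basename(path or "").lower()


def flag_process_create(rec):
    """Reason string if a ProcessCreate record looks like a dump of Outlook, else None."""
    cmd = (rec.get("CommandLine") or "").lower()
    if re.search(r"\boutlook(\.exe)?\b", cmd) is None:
        return None  # command line does not name Outlook at all
    image = _basename(rec.get("Image"))
    # OriginalFileName comes from the PE version resource and survives a rename on disk
    # (assumption: ProcDump's reads "procdump").
    orig = (rec.get("OriginalFileName") or "").lower()
    if image in DUMP_TOOL_IMAGES or orig.startswith("procdump"):
        return f"ProcDump-style dump of Outlook: {cmd}"
    if re.search(r"\s-ma(\s|$)", cmd):  # ProcDump's full-memory-dump switch
        return f"full memory dump switch used against Outlook: {cmd}"
    return None


def flag_process_access(rec):
    """Reason string if a ProcessAccess record shows an unexpected VM_READ open of Outlook."""
    if _basename(rec.get("TargetImage")) != TARGET:
        return None
    try:
        granted = int(rec.get("GrantedAccess") or "0", 16)  # Sysmon logs e.g. "0x1410"
    except ValueError:
        return None
    if not granted & PROCESS_VM_READ:
        return None
    source = _basename(rec.get("SourceImage"))
    if source in ALLOWED_ACCESS_SOURCES:
        return None
    return f"{source} opened Outlook with VM_READ (0x{granted:x})"


def scan(records):
    """Return [(RecordId, reason), ...] for every record that trips a rule."""
    alerts = []
    for rec in records:
        event_id = rec.get("EventID")
        if event_id == 1:
            reason = flag_process_create(rec)
        elif event_id == 10:
            reason = flag_process_access(rec)
        else:
            reason = None
        if reason:
            alerts.append((rec["RecordId"], reason))
    return alerts


# Constructed sample telemetry (paths and file names are made up for the example).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    # ProcDump renamed to pd.exe; the version resource still gives it away.
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Users\Public\pd.exe",
     "OriginalFileName": "procdump",
     "CommandLine": r"pd.exe -accepteula -ma outlook.exe C:\Users\Public\o.dmp"},
    # Outlook itself starting in safe mode: names outlook.exe but is not a dump.
    {"RecordId": 3, "EventID": 1,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "OriginalFileName": "Outlook.exe", "CommandLine": '"OUTLOOK.EXE" /safe'},
    # Unknown binary opening Outlook with QUERY_INFORMATION | VM_READ (0x1410).
    {"RecordId": 4, "EventID": 10, "SourceImage": r"C:\Users\Public\stf.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "GrantedAccess": "0x1410"},
    # The same access from the AV engine is expected and suppressed.
    {"RecordId": 5, "EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for record_id, reason in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {reason}")
```

The two rules are meant to be used together: the command-line rule misses a dump tool invoked by PID or with an unfamiliar name, but any tool that writes a minidump still has to open the Outlook process with VM_READ, which the ProcessAccess rule sees regardless of how the tool was started. The allowlist is the part that needs tuning per environment, since backup agents and EDR sensors legitimately open processes with the same rights.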

The continued development of its techniques shows that the ToddyCat group is intent on obfuscating its activities and gaining access to corporate correspondence within the compromised infrastructure. These developments underscore the need for organizations to continually review and adapt their security measures to counter such threats.

ToddyCat: New Methods for Email Theft
ToddyCat: New methods for email theft (Photo: DALL-E, IT BOLTWISE)
