Microsoft Exchange servers across Europe and Asia have been targeted by advanced persistent threat actors since around December 2020, Bleeping Computer reports.
Researchers have identified the group behind the threat as ToddyCat.
Kaspersky researchers tracking the group’s activity found a new passive backdoor and trojan malware, dubbed Samurai and Ninja Trojan, respectively.
The backdoor and malware allow attackers to control infected systems and move within the victim’s networks.
“We suspect that this group started exploiting the Microsoft Exchange vulnerability in December 2020, but unfortunately, we don’t have sufficient information to confirm the hypothesis,” Kaspersky security researcher Giampaolo Dedola said.
“In any case, it’s worth noting that all the targeted machines infected between December and February were Microsoft Windows Exchange servers; the attackers compromised the servers with an unknown exploit, with the rest of the attack chain the same as that used in March.”
The group was relatively inactive — only infecting a few government organisations in Vietnam and Taiwan — until February 2021. However, it ramped up its efforts during the second wave of attacks between February and May 2021.
During the second wave, it rapidly expanded to organisations from many countries worldwide, including Russia, India, Iran, and the United Kingdom.
In the third wave, from May 2021 to February 2022, ToddyCat added organisations from Indonesia, Uzbekistan, and Kyrgyzstan to the cluster it attacked during the previous wave.
ToddyCat also expanded its focus to include desktop systems during the third wave. Before that, it had exclusively targeted Microsoft Exchange servers.
Kaspersky noted that ToddyCat’s activities aligned with Chinese-backed hackers using the FunnyDream backdoor to some extent.
However, it added that there is no concrete evidence to prove that the malware strains interact.
“Despite the occasional proximity in staging locations, we have no concrete evidence of the two malware families directly interacting (for instance, one deploying the other), and the specific directories are frequently used by multiple attackers,” Dedola said.