Summary: ToddyCat— an Advanced Persistent Threat or APT gang, has been targeting and exploiting the vulnerable Exchange Servers throughout Europe and Asia since December 2020. The APT gang is mostly targeting high-profile entities. Learn how ToddyCat exploits the Exchange Servers and the steps to protect your Exchange Servers and networks from such sophisticated malicious attacks.
ToddyCat, an Advanced Persistent Threat (APT) gang,has been targeting and exploiting vulnerable Exchange Servers throughout Europe and Asia since December 2020. Between December 2020 and February 2021, the gang targeted and attacked a limited number of entities in Vietnam and Taiwan. The gang exclusively attacked Exchange Servers previously compromised with Samurai — an advanced passive backdoor that works on 443 and 80 ports.
They used the malware to execute arbitrary code and multiple modules to remotely administer, control, and move laterally into the targeted network. In some cases, the Samurai backdoor was also used to run another sophisticated Trojan cum loader called Ninja. They also used the China Chopper, a 4 KB web shell, to get access to the server and download and execute another dropper.
However, the ToddyCat APT gang started attacking more servers between February 2021 and May 2021. During this wave of attacks, the gang exploited the infamous ProxyLogon RCE vulnerability in the unpatched Exchange Servers. This time the gang targeted many prominent countries, including Russia, Afghanistan, India, Iran, Malaysia, Pakistan, Slovakia, Thailand, and United Kingdom.
In the next wave of attacks — until February 2022 — the ToddyCat gang increased the scope of attacks and targeted organizations in Indonesia, Kyrgyzstan, and Uzbekistan, in addition to the previously targeted countries.
To protect and safeguard your Exchange Server and network infrastructure from ToddyCat or ransomware attacks, install the latest Cumulative Updates and Security Updates on your Exchange Server to patch the vulnerabilities. Also, consider upgrading to the latest version, if your organization is using an older Exchange Server version.
In addition, follow the below steps to check your server health and detect vulnerabilities.
The Microsoft Safety Scanner or MSERT tool scans servers for any malware or web shells installed on your Windows Server environment and removes them from the system. Here’s how to use it:
You can download the HealthChecker.ps1 script from the official GitHub page and follow the steps below to execute it on your Microsoft Exchange Server 2013, 2016, or 2019. The script helps you check the server’s health, detect vulnerabilities, and patch them. Follow these steps:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
You can follow our detailed guide to download and install the latest Exchange Server Updates.
ToddyCat is not a new but lesser-known APT gang that has been targeting Microsoft Exchange Servers since December 2020. It’s a sophisticated APT gang that uses various techniques to stay low profile and avoid detection. They target previously compromised or vulnerable and unpatched Microsoft Exchange Servers to steal or encrypt data for a ransom. It has affected government and private entities, including the military, mostly in Asia and Europe. The best defense against ToddyCat or ransomware groups is to install the latest Cumulative and Security Updates released by Microsoft as soon as possible. However, if your server is compromised or crashed due to ToddyCat or any other malicious attack, it is recommended that you set up a new server and restore the mailbox databases from the backup or use Exchange recovery software, such as Stellar Repair for Exchange.
Ravi Singh is a Senior Writer at Stellar®. He is an expert Tech Explainer, IoT enthusiast, and a passionate nerd with over 7 years of experience in technical writing. He writes about Microsoft Exchange, Microsoft 365, Email Migration, Linux, Windows, Mac, DIY Tech, and Smart Home. Ravi spends most of his weekends working with IoT (DIY Smart Home) devices and playing Overwatch. He is also a solo traveler who loves hiking and exploring new trails.
Software recommended by MVPs & AdministrRead More
5-in-1 suite of specialized tools, highlRead More
Stellar Converter for EDB is a professioRead More
Powerful software trusted by Microsoft MRead More