Full Report
The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that's designed to gain surreptitious access to a victim's email correspondence via the Google API. "In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access compromise via APIs," Kaspersky said in a detailed report published this week. "
Analysis Summary
# Threat Actor: ToddyCat
## Attribution & Identity
* **Name/Alias:** ToddyCat
* **Actor Type:** Advanced Persistent Threat (APT) / Cyberespionage group.
* **Known Associations:** Attributed by Kaspersky; historically noted for targeting entities in Europe and Asia.
## Activity Summary
Recent activity involves a highly specialized campaign utilizing a new malware tool dubbed **Umbrij**. This campaign focuses on compromising corporate Gmail communications by abusing the Google API and OAuth 2.0 protocol. The actor employs a novel technique termed **Shadow Token via Remote Debug (STRD)** to hijack active browser sessions and bypass multi-factor authentication (MFA) by leveraging existing logged-in states.
## Tactics, Techniques & Procedures
* **Shadow Token via Remote Debug (STRD):** Launching Chromium-based browsers in "headless mode" via a remote debugging port to seize control of an active session.
* **OAuth Abuse:** Obtaining OAuth authorization codes and tokens to access private email resources via legitimate APIs.
* **Persistence:** Establishing scheduled tasks with deceptive names (e.g., `KasperskyEndpointSecurityEDRAvp`) to maintain presence.
* **DLL Side-Loading:** Executing the malicious Umbrij DLL by abusing legitimate, digitally signed binaries.
* **Defensive Evasion:** Use of **ConfuserEx** (an open-source .NET obfuscator) to hide malware code.
* **Token Duplication:** Duplicating the security token of the `explorer.exe` process to operate with the logged-in user's privileges.
* **Browser Profiling:** Parsing "Local State" files in Chrome and Edge to identify and target specific user profiles linked to Google accounts.
**MITRE ATT&CK Mapping (Inferred):**
* T1574.002: Hijack Execution Flow: DLL Side-Loading
* T1053.005: Scheduled Task/Job: Scheduled Task
* T1550.001: Use Alternate Authentication Material: Application Access Token (OAuth)
* T1185: Browser Session Hijacking
## Targeting
* **Sectors:** Corporate entities / Enterprises.
* **Geography:** Historically active across Europe and Asia.
* **Victims:** Specifically targeting organizations using Gmail for corporate communications.
## Tools & Infrastructure
* **Malware:**
* **Umbrij:** A .NET malware designed for API-based email theft.
* **TCSectorCopy:** (Historical) Tool used for stealing Microsoft Outlook data.
* **Abused Legitimate Binaries (Side-loading):**
* `BDSubWiz.exe` (Bitdefender)
* `VSTestVideoRecorder.exe` (Microsoft Visual Studio)
* `GoogleDesktop.exe` (Google - Discontinued)
* **Infrastructure:** Uses local "BackupFiles" directories for data staging; utilizes legitimate Google API endpoints for exfiltration.
## Implications
ToddyCat demonstrates a sophisticated shift from traditional credential harvesting to **session and token-based attacks**. By hijacking authenticated browser sessions, they effectively neutralize Multi-Factor Authentication (MFA) and hardware security keys. The use of headless browsers and remote debugging ports suggests a move toward stealthier, fileless-adjacent techniques that do not rely on high-risk phishing pages, but rather on the persistent compromise of the endpoint.
## Mitigations
* **Endpoint Monitoring:** Monitor for unauthorized use of Chromium command-line flags, specifically `--remote-debugging-port` and `--headless`.
* **Process Auditing:** Track the execution of legitimate but rarely used binaries like `BDSubWiz.exe` or `GoogleDesktop.exe`, especially when spawning child processes or loading unsigned DLLs.
* **OAuth Visibility:** Review Google Workspace / Microsoft 365 logs for unusual API token generation or third-party application permissions granted from unexpected IP addresses.
* **Scheduled Task Hunting:** Audit scheduled task names for masqueraded security software names (e.g., typosquatting of "Kaspersky" or "Microsoft").
* **Application Guarding:** Implement attack surface reduction (ASR) rules to prevent unauthorized DLL side-loading in common productivity folders.