Samurai Backdoor Used by New Threat Actor
A relatively new threat actor has pulled off multiple attacks against big targets in both Europe and Asia. The hacker group has been dubbed "ToddyCat" and one of the tools used by the outfit is the Samurai backdoor.
ToddyCat has been around for a couple of years, initially targeting entities located in Taiwan and Vietnam, starting in the last month of 2020. Since then the criminal outfit has included organizations located in Europe on its list of targets.
Initially, ToddyCat used a previously unknown vulnerability in Microsoft Exchange to attack servers located in Asian countries. The attacks used a dropper that deploys the other components of the attack and creates a number of new keys in the victim system's registry. This is done to force the loading of the Samurai backdoor through svchost.exe, a legitimate component of Windows.
The Samurai backdoor itself is coded in C# and operates by listening for special requests that carry encrypted C# code. The code received this way is compiled and then executed by the backdoor at runtime.
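Because Samurai is a C# backdoor launched through svchost.exe, one triage check a defender can run is to look for svchost.exe instances that have loaded the .NET runtime or that were not started by services.exe. The script below is an added example, not code from the article or from any ToddyCat analysis; it assumes an elevated PowerShell prompt on Windows and uses only the standard .NET runtime DLL names.

```powershell
# Added example (not from the article): flag svchost.exe instances that have
# loaded the .NET CLR or whose parent is not services.exe. A hit is a lead
# for triage, not a verdict: confirm against the service configuration and
# the registry keys that launched the process.
$ClrModules = @('mscoree.dll', 'clr.dll', 'coreclr.dll', 'clrjit.dll')

# Build a PID -> process map so each svchost.exe can be checked against its
# parent; legitimate instances are normally children of services.exe.
$procs = Get-CimInstance Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

$findings = foreach ($svc in ($procs | Where-Object { $_.Name -eq 'svchost.exe' })) {
    $parent     = $byId[[int]$svc.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    $loaded = $null
    try {
        # Module list of a SYSTEM process needs elevation; failures are
        # reported as unknown rather than silently treated as clean.
        $loaded = (Get-Process -Id $svc.ProcessId -ErrorAction Stop).Modules |
            ForEach-Object { $_.ModuleName.ToLower() }
    } catch { }

    $clrHits = @()
    if ($loaded) { $clrHits = @($loaded | Where-Object { $ClrModules -contains $_ }) }

    [pscustomobject]@{
        PID         = $svc.ProcessId
        Parent      = $parentName
        CommandLine = $svc.CommandLine
        ModulesRead = ($null -ne $loaded)
        ClrModules  = ($clrHits -join ',')
        Suspicious  = ($clrHits.Count -gt 0) -or ($parentName -ne 'services.exe')
    }
}

# Print only the instances worth a closer look.
$findings | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

Rows with ModulesRead set to False were not inspectable from the current session and should be re-run elevated rather than discarded.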
The name Samurai comes from the use of dictionaries containing the word "samurai", which the malware uses to store the directory it is currently active in.
The backdoor can compile five separate modules received as code, including modules responsible for remote control, file enumeration and theft, as well as proxy functionality.