Recent investigations by cybersecurity experts have uncovered the operations of an initial access broker (IAB) known as ToyMaker. This entity has been linked to providing access to ransomware groups, including the notorious CACTUS, enabling them to execute double extortion attacks.

Understanding ToyMaker's Operations

ToyMaker is identified as a financially motivated threat actor. It targets vulnerable systems and deploys a custom malware named LAGTOY, also referred to as HOLERUN. This malware is capable of creating reverse shells and executing commands on compromised endpoints.

LAGTOY Malware Capabilities

The LAGTOY malware was initially documented by Mandiant in March 2023, attributed to a threat actor labeled UNC961. This group, also known as Gold Melody and Prophet Spider, exploits known vulnerabilities in internet-facing applications to gain initial access. Within a week, they conduct reconnaissance, harvest credentials, and deploy LAGTOY.

  • Command Execution: LAGTOY connects to a hard-coded command-and-control (C2) server to receive and execute commands.
  • Privilege Management: It can create processes and run commands under specific user privileges.
  • Communication Interval: The malware processes three commands from the C2 server with a sleep interval of 11,000 milliseconds between them.
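A fixed sleep between C2 requests is the kind of behaviour a defender can look for in outbound connection logs: a host contacting the same destination at a near-constant period with very little jitter. The script below is an added example written for this article, not code from the researchers or from the malware; the log lines are constructed, the period-detection thresholds (minimum five connections, jitter at most 5% of the median interval) are assumptions, and the 11-second spacing in the sample simply mirrors the interval reported above. The detector itself is period-agnostic.

```python
"""Beaconing detector: flags a (source, destination) pair whose outbound
connection timestamps are spaced at a near-constant interval, the pattern a
hard-coded-C2 implant with a fixed sleep produces.

Added example for illustration; the log lines below are constructed and the
thresholds are assumptions, not values taken from the reporting."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy/firewall log lines: "<ISO timestamp> <src> -> <dst>:<port>".
# 10.0.0.5 beacons every ~11 s; 10.0.0.9 is ordinary, irregular traffic.
SAMPLE_LOG = """\
2025-01-10T09:00:00.000 10.0.0.5 -> 203.0.113.7:443
2025-01-10T09:00:11.010 10.0.0.5 -> 203.0.113.7:443
2025-01-10T09:00:22.005 10.0.0.5 -> 203.0.113.7:443
2025-01-10T09:00:33.020 10.0.0.5 -> 203.0.113.7:443
2025-01-10T09:00:44.000 10.0.0.5 -> 203.0.113.7:443
2025-01-10T09:00:55.015 10.0.0.5 -> 203.0.113.7:443
2025-01-10T09:00:03.000 10.0.0.9 -> 198.51.100.2:443
2025-01-10T09:00:41.000 10.0.0.9 -> 198.51.100.2:443
2025-01-10T09:01:02.000 10.0.0.9 -> 198.51.100.2:443
2025-01-10T09:03:15.000 10.0.0.9 -> 198.51.100.2:443
2025-01-10T09:03:17.000 10.0.0.9 -> 198.51.100.2:443
2025-01-10T09:04:50.000 10.0.0.9 -> 198.51.100.2:443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) flow key."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(timestamps):
    """Return (median_interval_s, jitter_ratio) for a list of timestamps.

    jitter_ratio is the population std-dev of the inter-arrival gaps divided
    by their median; a fixed-sleep beacon gives a ratio close to zero."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    med = median(gaps)
    if med <= 0:
        return None
    return med, pstdev(gaps) / med


def find_beacons(flows, min_connections=5, max_jitter=0.05):
    """Return flows that look like fixed-sleep beacons.

    Thresholds are assumptions for this example: require enough connections to
    make the statistic meaningful, and a jitter ratio below max_jitter."""
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        med, jitter = stats
        if jitter <= max_jitter:
            hits.append((key, round(med, 3), round(jitter, 4)))
    return hits


if __name__ == "__main__":
    for (src, dst), period, jitter in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon {src} -> {dst}: period ~{period}s, jitter {jitter}")
```

On the constructed input only the 10.0.0.5 flow is reported, with a period of about 11 s and near-zero jitter, while the irregular 10.0.0.9 traffic is ignored. In practice the jitter threshold needs tuning per environment, since legitimate agents (monitoring, update checks) also poll at fixed intervals, so hits are a triage queue rather than a verdict.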

Exploiting Vulnerabilities for Access

The attackers use SSH connections to download tools such as Magnet RAM Capture, with the aim of extracting memory dumps and harvesting credentials from them. This access is then sold to ransomware groups such as CACTUS, who further exploit the compromised systems.

CACTUS Ransomware Activities

Following a brief period of inactivity, CACTUS ransomware affiliates infiltrated the victim's network using credentials obtained by ToyMaker. They conducted their reconnaissance and persistence operations before proceeding with data exfiltration and encryption.

  • Long-term Access: Tools such as OpenSSH, AnyDesk, and eHorus Agent were employed to maintain access.
  • Financial Motivation: ToyMaker's actions suggest a lack of espionage intent, focusing instead on monetizing access through ransomware deployment.