Recent cybersecurity reports have illuminated the activities of an initial access broker (IAB) known as ToyMaker, which has been linked to facilitating access for ransomware groups, including the notorious CACTUS. This IAB has been observed actively scanning for vulnerabilities in systems, as well as deploying bespoke malware identified as LAGTOY, also referred to as HOLERUN.

ToyMaker has been assessed with a medium level of confidence as a financially motivated threat actor. This assessment highlights its operational focus on exploiting known weaknesses within internet-facing applications to gain initial access. Researchers from Cisco Talos, including Joey Chen and his team, explained that LAGTOY is capable of creating reverse shells and executing commands on compromised endpoints.

Initially documented by Mandiant in March 2023, LAGTOY’s use has been attributed to a cyber actor designated as UNC961. This group, also known as Gold Melody or Prophet Spider, is recognized for employing a wide range of exploits to infiltrate systems quickly. Following their initial compromise, they conduct reconnaissance, gather credentials, and deploy LAGTOY within approximately a week.

The attackers further establish SSH connections to remote hosts to download a forensic tool named Magnet RAM Capture, ostensibly for obtaining memory dumps that could reveal victim credentials. Researchers have noted that LAGTOY is designed to communicate with a hard-coded command-and-control (C2) server, allowing it to execute commands based on predefined parameters. This functionality facilitates actions under specific user privileges, significantly enhancing the threat actor’s control over infected systems.

After a period of inactivity, the CACTUS ransomware group was observed entering the victim’s enterprise using credentials acquired from ToyMaker’s earlier operations. Cisco Talos reported that this transition occurred without data theft during the initial stage, suggesting that the primary objective of ToyMaker was not espionage but rather financial gain through subsequent ransomware deployment.

In incidents analyzed, the CACTUS affiliates engaged in their reconnaissance and persistence strategies prior to executing data exfiltration and encryption processes. Various techniques for establishing long-term access were employed, including OpenSSH, AnyDesk, and eHorus Agent, indicating a sophisticated level of operational planning by the threat actors.
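The tooling sequence the report describes (a memory-capture utility run to harvest credentials, then OpenSSH, AnyDesk or eHorus set up for long-term access) is what a detection engineer would want to correlate per host. The following is an added example, not code from the article or from Cisco Talos: it parses constructed process-creation events, classifies them against the tool names the report mentions, and raises a higher-severity alert when a memory-capture tool on a non-forensics host is followed within a window by remote-access or SSH tooling. The image names (`MagnetRAMCapture.exe`, `sshd.exe`, `AnyDesk.exe`), the hostnames, the `APPROVED_DFIR_HOSTS` allow-list and the seven-day window are all assumptions made for the example, not indicators from the report.

```python
"""Added example, not part of the article or of Cisco Talos's research:
flag the dual-use tooling the report describes (a memory-capture utility,
then SSH / AnyDesk / eHorus persistence) in constructed process-creation
logs and correlate the sequence per host."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry (tab-separated: timestamp, host, user,
# image path, command line). Hostnames, users and paths are invented.
SAMPLE_LOG = """\
2024-01-05T09:14:02Z\tWS-113\tCORP\\jdoe\tC:\\Windows\\System32\\svchost.exe\tsvchost.exe -k netsvcs
2024-01-05T09:20:11Z\tWS-113\tCORP\\jdoe\tC:\\Temp\\MagnetRAMCapture.exe\tMagnetRAMCapture.exe
2024-01-05T09:31:45Z\tWS-113\tCORP\\jdoe\tC:\\Program Files\\OpenSSH\\sshd.exe\tsshd.exe
2024-01-06T22:03:17Z\tWS-113\tNT AUTHORITY\\SYSTEM\tC:\\ProgramData\\AnyDesk\\AnyDesk.exe\tAnyDesk.exe --service
2024-01-07T08:00:00Z\tDFIR-01\tCORP\\irteam\tD:\\Tools\\MagnetRAMCapture.exe\tMagnetRAMCapture.exe
2024-01-07T10:12:33Z\tSRV-DB1\tCORP\\svc_backup\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c dir
2024-01-07T11:00:00Z\tWS-207\tCORP\\asmith\tC:\\Users\\asmith\\AppData\\Local\\AnyDesk\\AnyDesk.exe\tAnyDesk.exe
"""

# Substrings matched case-insensitively against image path + command line.
# Derived from the tool names in the report; the exact binary names are
# assumptions for illustration, not published IoCs.
INDICATORS: Dict[str, Tuple[str, ...]] = {
    "memory_capture": ("magnetramcapture", "magnet ram capture"),
    "remote_access": ("anydesk", "ehorus"),
    "ssh_service": ("sshd",),
}

# Constructed allow-list: hosts where the IR team legitimately runs
# memory-capture tooling, so a capture alone is not suspicious there.
APPROVED_DFIR_HOSTS = {"DFIR-01"}


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str

    @property
    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1]


def parse_log(text: str) -> List[ProcEvent]:
    """Parse the tab-separated sample format into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("\t", 4)
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ProcEvent(stamp, host, user, image, cmdline))
    return events


def classify(ev: ProcEvent) -> Optional[str]:
    """Return the indicator category an event matches, or None."""
    needle = (ev.image + " " + ev.cmdline).lower()
    for category, terms in INDICATORS.items():
        if any(term in needle for term in terms):
            return category
    return None


def correlate(events: List[ProcEvent], window: timedelta = timedelta(days=7)) -> List[dict]:
    """Per host: memory capture on a non-DFIR host followed by remote-access or
    SSH tooling inside `window` -> high; capture alone -> medium;
    remote-access/SSH tooling alone -> low. The window is an assumption."""
    by_host: Dict[str, List[Tuple[ProcEvent, str]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        category = classify(ev)
        if category:
            by_host.setdefault(ev.host, []).append((ev, category))

    alerts = []
    for host, hits in by_host.items():
        captures = [e for e, c in hits if c == "memory_capture"]
        access = [e for e, c in hits if c in ("remote_access", "ssh_service")]
        if captures and host not in APPROVED_DFIR_HOSTS:
            first = captures[0].ts
            followed = [a for a in access if timedelta(0) <= a.ts - first <= window]
            if followed:
                alerts.append({"host": host, "severity": "high",
                               "reason": "memory capture followed by remote-access/SSH tooling",
                               "tools": [a.basename for a in followed]})
            else:
                alerts.append({"host": host, "severity": "medium",
                               "reason": "memory capture outside approved DFIR hosts",
                               "tools": [captures[0].basename]})
        elif access:
            alerts.append({"host": host, "severity": "low",
                           "reason": "remote-access/SSH tooling observed",
                           "tools": [a.basename for a in access]})
    return alerts


def scan(text: str) -> List[dict]:
    """Convenience wrapper: parse, then correlate."""
    return correlate(parse_log(text))


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Against the constructed log, `WS-113` produces a high-severity alert (capture, then `sshd.exe` and `AnyDesk.exe` within the window), `WS-207` a low one (AnyDesk only), and `DFIR-01` nothing because it is on the allow-list. In a real deployment the substring table would be replaced by the organisation's own approved-software inventory so that sanctioned remote-access deployments are not flagged.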

ToyMaker’s modus operandi aligns closely with several tactics outlined in the MITRE ATT&CK framework. Key tactics potentially utilized include initial access through exploitation of vulnerabilities in software, persistence via credential theft, and privilege escalation to maintain access and control over victim systems. The IAB’s operations reflect a calculated approach to compromise organizations with significant financial resources.

In summation, ToyMaker exemplifies the evolving landscape of cybersecurity threats where initial access brokers play a pivotal role in the cyber-attack lifecycle. Their activities exacerbate challenges for organizations striving to safeguard against ever-more sophisticated breaches and ransomware deployments.
