Cybersecurity researchers have detailed the activities of an initial access broker (IAB) dubbed ToyMaker that has been observed handing over access to double extortion ransomware gangs like CACTUS.
The IAB has been assessed with medium confidence to be a financially motivated threat actor, scanning for vulnerable systems and deploying a custom malware called LAGTOY (aka HOLERUN).
“LAGTOY can be used to create reverse shells and execute commands on infected endpoints,” Cisco Talos researchers Joey Chen, Asheer Malhotra, Ashley Shen, Vitor Ventura, and Brandon White said.
The malware was first documented by Google-owned Mandiant in late March 2023, attributing its use to a threat actor it tracks as UNC961. The activity cluster is also known by other names such as Gold Melody and Prophet Spider.
The threat actor has been observed leveraging a huge arsenal of known security flaws in internet-facing applications to obtain initial access, followed by conducting reconnaissance, credential harvesting, and LAGTOY deployment within a span of a week.
The attackers also open SSH connections to a remote host to download a forensics tool called Magnet RAM Capture to obtain a memory dump of the machine in a likely attempt to gather the victim’s credentials.
LAGTOY is designed to contact a hard-coded command-and-control (C2) server to retrieve commands for subsequent execution on the endpoint. It can be used to create processes and run commands under specified users with corresponding privileges, per Mandiant.
The malware is also equipped to process three commands from the C2 server with a Sleep interval of 11000 milliseconds between them.
“After a lull in activity of approximately three weeks, we observed the CACTUS ransomware group make its way into the victim enterprise using credentials stolen by ToyMaker,” Talos said.
“Based on the relatively short dwell time, the lack of data theft and the subsequent handover to CACTUS, it is unlikely that ToyMaker had any espionage-motivated ambitions or goals.”
In the incident analyzed by Talos, the CACTUS ransomware affiliates are said to have conducted reconnaissance and persistence activities of their own prior to data exfiltration and encryption. Also observed are multiple methods to set up long-term access using OpenSSH, AnyDesk, and eHorus Agent.
“ToyMaker is a financially-motivated initial access broker (IAB) who acquires access to high-value organizations and then transfers that access to secondary threat actors who usually monetize the access via double extortion and ransomware deployment,” the company said.
