Recent cybersecurity investigations have unveiled the operations of an initial access broker (IAB) known as ToyMaker, who has been instrumental in providing entry points to ransomware groups, notably CACTUS, enabling them to execute double extortion schemes. This financially driven threat actor employs a custom malware named LAGTOY, also referred to as HOLERUN, to infiltrate vulnerable systems.
LAGTOY is engineered to establish reverse shells and execute commands on compromised endpoints. Its primary function is to facilitate unauthorized access, allowing attackers to control infected systems remotely. The malware’s capabilities include creating processes and running commands under specified user privileges, thereby granting attackers significant control over the compromised environment.
The initial detection of LAGTOY was reported by Mandiant in March 2023, attributing its deployment to a threat actor identified as UNC961. This group, also known by aliases such as Gold Melody and Prophet Spider, is recognized for exploiting known vulnerabilities in internet-facing applications to gain initial access. Following infiltration, they conduct thorough reconnaissance, harvest credentials, and deploy LAGTOY within approximately one week.
A notable tactic employed by ToyMaker involves establishing Secure Shell (SSH) connections to remote hosts to download forensic tools like Magnet RAM Capture. This tool is utilized to obtain memory dumps from the compromised machine, likely in an effort to extract sensitive information, including credentials.
LAGTOY operates by connecting to a hard-coded command-and-control (C2) server to receive instructions for execution on the infected endpoint. The malware processes commands with a sleep interval of 11,000 milliseconds (11 seconds) between them, indicating a deliberate approach to avoid detection.
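A fixed command interval like the 11,000 ms sleep described above leaves a regular cadence in outbound connection logs that a defender can hunt for. The following Python script is an added example, not code from the original report or from any of the vendors it cites: it groups outbound connections by (source host, destination) pair, measures the gaps between consecutive connections, and flags pairs whose mean gap sits near an expected interval with very low variance. The log format, host names, IP addresses (RFC 5737 documentation ranges) and timestamps are constructed for the demonstration, and the thresholds (`tolerance`, `min_events`, `max_cv`) are assumptions to tune per environment.

```python
"""Hunt for fixed-interval C2 check-ins in outbound connection logs.

Added illustrative example. Log lines, hosts and IPs below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one outbound connection per line as "timestamp src_host dst:port".
# ws-042 -> 203.0.113.10 recurs every ~11 s (a regular beacon); ws-042 -> 198.51.100.5
# is bursty user traffic whose *average* gap also lands near 11 s, but with high variance;
# ws-017 has too few events to judge.
SAMPLE_LOG = """\
2025-01-10T09:00:00.000 ws-042 203.0.113.10:443
2025-01-10T09:00:03.500 ws-042 198.51.100.5:443
2025-01-10T09:00:04.100 ws-042 198.51.100.5:443
2025-01-10T09:00:11.010 ws-042 203.0.113.10:443
2025-01-10T09:00:19.800 ws-042 198.51.100.5:443
2025-01-10T09:00:20.200 ws-042 198.51.100.5:443
2025-01-10T09:00:22.000 ws-042 203.0.113.10:443
2025-01-10T09:00:30.000 ws-017 203.0.113.10:443
2025-01-10T09:00:33.020 ws-042 203.0.113.10:443
2025-01-10T09:00:44.010 ws-042 203.0.113.10:443
2025-01-10T09:00:48.900 ws-042 198.51.100.5:443
2025-01-10T09:00:55.000 ws-042 203.0.113.10:443
2025-01-10T09:01:02.300 ws-042 198.51.100.5:443
2025-01-10T09:01:06.030 ws-042 203.0.113.10:443
2025-01-10T09:01:17.010 ws-042 203.0.113.10:443
2025-01-10T09:01:20.000 ws-017 203.0.113.10:443
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def find_periodic_connections(records, expected_ms=11000, tolerance=0.10,
                              min_events=5, max_cv=0.05):
    """Return (src, dst) pairs whose inter-connection gaps cluster around expected_ms.

    tolerance: allowed relative deviation of the mean gap from expected_ms.
    min_events: minimum connections before a pair is scored at all.
    max_cv: maximum coefficient of variation (stdev / mean) of the gaps; bursty
            traffic can have a similar mean gap but fails this check.
    All thresholds are assumed starting points, not values from the report.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps_ms = [(b - a).total_seconds() * 1000 for a, b in zip(times, times[1:])]
        avg = mean(gaps_ms)
        sd = pstdev(gaps_ms)
        cv = sd / avg if avg else float("inf")
        if abs(avg - expected_ms) <= tolerance * expected_ms and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(times),
                         "mean_ms": round(avg, 1), "stdev_ms": round(sd, 1)})
    return hits


if __name__ == "__main__":
    for hit in find_periodic_connections(parse_log(SAMPLE_LOG)):
        print(f"periodic: {hit['src']} -> {hit['dst']} "
              f"({hit['events']} events, mean {hit['mean_ms']} ms, "
              f"stdev {hit['stdev_ms']} ms)")
```

The variance check is the part that matters in practice: plenty of benign traffic averages out to a gap near any given value, but a process sleeping a fixed 11 seconds between commands produces gaps with a standard deviation of a few tens of milliseconds. Run against real flow or proxy logs, the expected interval can be left unset and replaced by a scan over candidate intervals, and hits should be joined with the process that opened the socket before anyone acts on them.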
In observed incidents, after an initial period of inactivity lasting approximately three weeks, the CACTUS ransomware group utilized the access provided by ToyMaker to infiltrate victim enterprises. The relatively short dwell time, absence of data theft, and subsequent handover to CACTUS suggest that ToyMaker’s objectives are financially motivated rather than espionage-driven.
Upon gaining access, CACTUS affiliates conduct their own reconnaissance and establish persistence mechanisms before proceeding with data exfiltration and encryption. They employ various methods to maintain long-term access, including the use of OpenSSH, AnyDesk, and eHorus Agent.
The collaboration between ToyMaker and ransomware groups like CACTUS underscores the evolving landscape of cyber threats, where specialized actors focus on different stages of an attack. Initial access brokers like ToyMaker play a crucial role by breaching systems and selling access to ransomware operators, who then execute the final stages of the attack, including data theft and encryption.
This division of labor among cybercriminals enhances the efficiency and effectiveness of attacks, making it imperative for organizations to adopt comprehensive cybersecurity measures. Regularly updating and patching systems, conducting thorough security assessments, and implementing robust monitoring can help detect and mitigate such threats.
The emergence of sophisticated malware like LAGTOY highlights the need for continuous vigilance and adaptation in cybersecurity strategies. Organizations must stay informed about evolving threats and collaborate with cybersecurity experts to develop and implement effective defense mechanisms.
In conclusion, the activities of ToyMaker and the deployment of LAGTOY serve as a stark reminder of the persistent and evolving nature of cyber threats. By understanding the tactics, techniques, and procedures employed by such threat actors, organizations can better prepare and protect themselves against potential attacks.