The Samurai Backdoor is part of the arsenal of a previously unknown APT (Advanced Persistent Threat) group. The group's activity is relatively recent, with the first signs of its operations detected in December 2020. More details about the group, its targets, and its malware tools were revealed in a report by security researchers, who state that they are tracking this cybercriminal organization as the ToddyCat APT.
Initially, the ToddyCat APT was focused on compromising selected Exchange servers located in Taiwan and Vietnam. However, soon after that, they began targeting numerous organizations in both Europe and Asia by abusing the ProxyLogon vulnerability. One of the end-stage payloads delivered to the compromised systems is the Samurai Backdoor.
To prepare the breached system for the later-stage payloads, the threat actors first deploy a dropper. It installs the other malicious components and creates several Registry keys that force the legitimate 'svchost.exe' process to load the Samurai malware. Samurai is a modular backdoor equipped with several anti-analysis techniques: the researchers note that it is obfuscated with a specific algorithm, several of its functions are assigned random names, and it contains multiple loops and switch cases that cause jumps between instructions.
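As an added example (not from the article or the researchers' report), the following PowerShell audit hunts for the persistence pattern described above: service registrations hosted by svchost.exe whose DLL lives outside System32, is missing, or is not validly signed. It assumes the Registry keys in question are the standard Services\<name>\Parameters\ServiceDll registrations that svchost.exe loads; the article does not name the exact keys.

```powershell
# Added audit script; not code from the article or the researchers' report.
# Assumption: the backdoor is loaded via the standard service-host mechanism, a
# ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters.
# Run elevated. Output is a list of entries to review, not a verdict.

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemDir    = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32

$findings = foreach ($svc in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
    $params = "$($svc.PSPath)\Parameters"
    if (-not (Test-Path -Path $params)) { continue }

    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }

    # Only services actually hosted by svchost.exe matter for this pattern.
    $imagePath = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($imagePath -notmatch 'svchost\.exe') { continue }

    # Expand %SystemRoot% and similar so the DLL path can be checked on disk.
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)

    $reasons = @()
    if (-not (Test-Path -LiteralPath $expanded)) {
        $reasons += 'DLL missing on disk'
    } else {
        if ($expanded -notlike "$systemDir\*") { $reasons += 'DLL outside System32' }
        # Catalog-signed Microsoft DLLs normally report Valid; anything else is worth a look.
        $sig = Get-AuthenticodeSignature -FilePath $expanded
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service    = $svc.PSChildName
            ServiceDll = $dll
            ImagePath  = $imagePath
            Reasons    = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

Compare any flagged entry against a known-good baseline from an unaffected host before acting on it, since third-party software legitimately registers svchost-hosted services too.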
The different modules of the threat are designed to handle specific tasks, depending on the received commands. So far, the identified malicious modules can execute arbitrary commands via cmd, manipulate the file system, and upload selected files from breached systems. Samurai can also establish a connection to a remote IP address and TCP port. If the corresponding command is received, the malware can forward a payload received via an HTTP request to that remote IP address, or fetch one from there.