Initial access broker ToyMaker has been providing the Cactus ransomware gang and other double-extortion operations with access to compromised systems, The Hacker News reports.
ToyMaker targets vulnerable systems with the custom LAGTOY malware, also known as HOLERUN, which is used to create reverse shells and execute commands, according to a Cisco Talos analysis.
The LAGTOY malware also establishes OpenSSH connections used to load the Magnet RAM Capture tool, which harvests victims' credentials, and fetches a trio of commands that it executes with a sleep interval of 11,000 milliseconds between each.
The Cactus ransomware group, which performed its own reconnaissance and persistence operations, infiltrated the victim's network using the ToyMaker-stolen credentials almost three weeks later.
"Based on the relatively short dwell time, the lack of data theft and the subsequent handover to CACTUS, it is unlikely that ToyMaker had any espionage-motivated ambitions or goals," said the report.
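The fixed 11,000 ms sleep between LAGTOY's three fetched commands is a cadence a defender can hunt for in process-creation telemetry. The script below is an added example, not code from the Talos report or from SC Media; it assumes a constructed log format of `<ISO timestamp> ppid=<n> pid=<n> cmd=<string>` and flags any parent process that spawns three children roughly 11 seconds apart.

```python
"""Hunt for a LAGTOY-style command cadence in process-creation logs."""
import re
from collections import defaultdict
from datetime import datetime

TARGET_GAP_S = 11.0  # page: 11,000 ms sleep between each of the three commands
TOLERANCE_S = 1.5    # assumption: allow for scheduler jitter on the host

# Constructed sample log (not real telemetry); format is an assumption.
SAMPLE_LOG = """\
2025-04-20T10:00:00 ppid=4100 pid=4210 cmd=whoami
2025-04-20T10:00:11 ppid=4100 pid=4211 cmd=net user
2025-04-20T10:00:22 ppid=4100 pid=4212 cmd=ipconfig /all
2025-04-20T10:00:05 ppid=3000 pid=3001 cmd=explorer.exe
2025-04-20T10:00:30 ppid=3000 pid=3002 cmd=notepad.exe
2025-04-20T10:00:31 ppid=3000 pid=3003 cmd=calc.exe
"""

LINE_RE = re.compile(r"^(\S+) ppid=(\d+) pid=(\d+) cmd=(.*)$")


def parse_line(line):
    """Return (timestamp, ppid, pid, cmd) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m.group(1)), int(m.group(2)),
            int(m.group(3)), m.group(4))


def find_cadence_triplets(log_text, gap_s=TARGET_GAP_S, tol_s=TOLERANCE_S):
    """Return [(ppid, [cmd1, cmd2, cmd3]), ...] for every parent whose three
    consecutive child spawns are each separated by gap_s +/- tol_s seconds."""
    by_parent = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_parent[rec[1]].append(rec)
    hits = []
    for ppid, events in by_parent.items():
        events.sort(key=lambda r: r[0])           # order children by spawn time
        for i in range(len(events) - 2):
            window = events[i:i + 3]
            gaps = [(window[k + 1][0] - window[k][0]).total_seconds() for k in range(2)]
            if all(abs(g - gap_s) <= tol_s for g in gaps):
                hits.append((ppid, [r[3] for r in window]))
    return hits


if __name__ == "__main__":
    for ppid, cmds in find_cadence_triplets(SAMPLE_LOG):
        print(f"suspicious 11s cadence under ppid {ppid}: {cmds}")
```

The parent-3000 events in the sample are benign interactive activity with irregular gaps and are not reported; only the evenly spaced triplet under parent 4100 is flagged.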
Inner workings of ToyMaker IAB examined