ET TOAD Rules Response Guidance

What are TOAD Attacks?

Threat actors conduct telephone-oriented attack delivery (TOAD) attacks to lure recipients into following instructions to call the threat actors.

TOAD attacks may be delivered from…

  • a received email that instructs recipients to call a phone number, or
  • a visited domain that directs or redirects visitors to the threat actors’ lures, which provide instructions on how to call them.

Proofpoint researchers have noted that TOAD threat actors ultimately ask callers to install Remote Monitoring and Management (RMM) tools or other malware once they get them on the phone.

Popular RMM tools that have been used are AnyDesk, TeamViewer, Zoho, UltraViewer, NetSupport, and ScreenConnect.

What detection do we have?

Domains used to download the RMM tools and malware are classified as EXPLOIT_KIT, e.g.

  • ET EXPLOIT_KIT TOAD Domain in DNS Lookup
  • ET EXPLOIT_KIT TOAD Domain in TLS SNI

These domains may be owned by legitimate entities, which is why these rules are also tagged with “compromised_website”.

The visited domains that direct or redirect to instructions to call the threat actors are also collapsed into these signatures, as they lead to the download of malicious payloads.

How to respond to alerts?

This section describes how to respond to these alerts. If you believe a domain is mislabeled as a TOAD, please send us feedback and we will investigate this inquiry further: Feedback & Support - Emerging Threats.

For Domain Owners

The domain and its supporting infrastructure are compromised. Please seek professional services to remediate this situation. Once remediation is complete, please contact ET so we may reevaluate the domain and remove the compromised-domain signatures for it.

For Responders

  • Investigate whether the domain has led to any successful download of an unauthorized RMM tool or malicious payload. Consider using LOLRMM as a resource to identify whether unauthorized RMM tools were downloaded in your environment.
    • If yes, contact the victim whose host made the request to the TOAD domain and end their communication with the TOAD operator.
    • If no, then investigate why the domain was requested.
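As an added example (not part of the ET guidance), the following Python triage script applies the responder steps above to constructed Suricata EVE JSON records: it collects client hosts that triggered the two TOAD rules and checks whether the same host downloaded a file named after one of the RMM tools listed earlier. The rule names are those on this page; the sample records, the filename matching, and the assumption about which field holds the client address are mine.

```python
import json
from collections import defaultdict

# RMM tools named in the guidance above. Matching on filename substrings is an
# assumption made for this example, not how the ET rules themselves work.
RMM_KEYWORDS = ("anydesk", "teamviewer", "zoho", "ultraviewer",
                "netsupport", "screenconnect")

# Constructed sample EVE JSON records (not real telemetry). Assumption: the
# client is src_ip on alert records and dest_ip on fileinfo records, since a
# file served in an HTTP response flows server -> client.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.0.0.5","alert":{"signature":"ET EXPLOIT_KIT TOAD Domain in DNS Lookup"},"dns":{"rrname":"toad-lure.example"}}
{"event_type":"alert","src_ip":"10.0.0.5","alert":{"signature":"ET EXPLOIT_KIT TOAD Domain in TLS SNI"},"tls":{"sni":"toad-lure.example"}}
{"event_type":"fileinfo","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","fileinfo":{"filename":"/downloads/AnyDesk.exe"}}
{"event_type":"alert","src_ip":"10.0.0.7","alert":{"signature":"ET EXPLOIT_KIT TOAD Domain in TLS SNI"},"tls":{"sni":"toad-lure.example"}}
{"event_type":"fileinfo","src_ip":"203.0.113.9","dest_ip":"10.0.0.7","fileinfo":{"filename":"/static/logo.png"}}
{"event_type":"alert","src_ip":"10.0.0.9","alert":{"signature":"ET MALWARE Unrelated Rule (placeholder)"}}
"""

def parse_eve(text):
    """One JSON object per non-empty line, as EVE writes them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage_toad(events):
    """Map each client that hit a TOAD rule to the domains involved, any RMM
    downloads seen on that client, and the responder action from the guidance."""
    hosts = defaultdict(lambda: {"toad_domains": [], "rmm_downloads": []})
    for ev in events:
        kind = ev.get("event_type")
        if kind == "alert" and "TOAD Domain" in ev["alert"]["signature"]:
            dom = ev.get("dns", {}).get("rrname") or ev.get("tls", {}).get("sni")
            h = hosts[ev["src_ip"]]
            if dom and dom not in h["toad_domains"]:
                h["toad_domains"].append(dom)
        elif kind == "fileinfo":
            name = ev["fileinfo"]["filename"]
            if any(k in name.lower() for k in RMM_KEYWORDS):
                hosts[ev["dest_ip"]]["rmm_downloads"].append(name)
    result = {}
    for ip, h in hosts.items():
        if not h["toad_domains"]:
            continue  # RMM download with no TOAD alert is outside this playbook
        h["action"] = ("contact victim; end communication with TOAD operator"
                       if h["rmm_downloads"]
                       else "investigate why the domain was requested")
        result[ip] = h
    return result

if __name__ == "__main__":
    print(json.dumps(triage_toad(parse_eve(SAMPLE_EVE)), indent=2))
```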
