October 12, 2023 at 03:42AM
A cyber attack campaign named Stayin’ Alive is targeting government and telecom entities in Asia using basic backdoors and loaders for delivering malware. The campaign’s infrastructure is similar to that used by ToddyCat, a China-linked threat actor known for cyber assaults in Europe and Asia. The attacks start with a spear-phishing email containing a ZIP file attachment with a backdoor called CurKeep. The campaign also uses loader variants and a passive implant named StylerServ. These attacks make detection and attribution difficult due to the use of disposable tools.
Key Takeaways from Meeting Notes:
– High-profile government and telecom entities in Asia have been targeted in an ongoing cyber attack campaign since 2021.
– The campaign deploys basic backdoors and loaders for delivering next-stage malware.
– Cybersecurity company Check Point is tracking the activity under the name Stayin’ Alive.
– Targets include organizations in Vietnam, Uzbekistan, Pakistan, and Kazakhstan.
– The tools used in the campaign are simplistic, disposable, and mostly utilized for downloading and running additional payloads.
– The campaign infrastructure shares overlaps with that used by ToddyCat, a China-linked threat actor known for cyber assaults against government and military agencies.
– The attack chain starts with a spear-phishing email containing a ZIP file attachment that leverages DLL side-loading to load a backdoor called CurKeep.
– CurlKeep sends information about the compromised host to a remote server, executes commands sent by the server, and writes server responses to a file.
– The command-and-control (C2) infrastructure includes loader variants called CurLu, CurCore, and CurLog, capable of receiving DLL files and executing remote commands.
– A passive implant named StylerServ listens on five different ports to accept a remote connection and receive an encrypted configuration file.
– There is no conclusive evidence connecting Stayin’ Alive to ToddyCat, but both use the same infrastructure to target similar organizations.
– The use of disposable loaders and downloaders is becoming more common, making detection and attribution efforts difficult.