October 12, 2023 at 10:34AM
A campaign known as “Stayin’ Alive” has been targeting government organizations and telecom service providers in Asia with disposable malware since 2021, according to cybersecurity firm Check Point. The attacks originate from the Chinese group ToddyCat and use spear-phishing emails to distribute malware loaders and backdoors. Check Point believes there are more undiscovered tools and attack methods involved in the campaign. The tools used are customized and show no code overlaps with known toolsets.
Key Takeaways from Meeting Notes:
1. A campaign called “Stayin’ Alive” has been targeting government organizations and telecommunication service providers in Asia since 2021.
2. The campaign mainly focuses on Kazakhstan, Uzbekistan, Pakistan, and Vietnam.
3. The attacks are attributed to a Chinese espionage actor known as ‘ToddyCat’ and use spear-phishing emails to deliver various types of malware.
4. The attackers employ custom tools that are likely disposable, making it difficult to link the attacks to each other.
5. The initial attack involves a spear-phishing email with a malicious ZIP file containing a digitally signed executable and a DLL exploiting a vulnerability in Audinate’s Dante Discovery software.
6. The malware “CurKeep” is loaded onto the system as a backdoor after exploiting the vulnerability.
7. CurKeep establishes persistence on the compromised device, sends system information to the command-and-control server, and waits for commands.
8. The campaign utilizes other tools and loaders, including CurLu loader, CurCore, CurLog loader, and StylerServ.
9. CurCore is notable for its ability to create files, execute remote commands, and read files.
10. StylerServ acts as a passive listener monitoring specific ports for an XOR-encrypted configuration file, which likely serves as a configuration mechanism for other malware components.
11. The campaign tailors its samples and variants to specific regional targets.
12. The identified cluster is believed to be part of a larger campaign with undiscovered tools and attack methods.
13. Despite differences in code, all the tools connect to the same infrastructure previously linked to ToddyCat by Kaspersky, indicating Chinese involvement.
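Item 5 describes the initial lure: a ZIP attachment carrying a legitimately signed executable next to a DLL that the executable ends up loading. A defender triaging mail attachments can flag that shape without knowing the specific file names. The following script is an added example, not code from the Check Point report or from any ToddyCat tooling: it classifies each archive member as EXE or DLL by parsing the PE COFF header (so a DLL renamed to `.dat` is still recognised) and reports EXE/DLL pairs that share a directory. The archive contents, file names and the minimal PE stand-ins are constructed for the example.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL images


def pe_kind(data: bytes):
    """Classify a blob as 'exe', 'dll' or None by parsing its PE headers.

    The file name is ignored on purpose: a side-loaded DLL may carry any extension.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4 bytes) + COFF header (20 bytes) must fit inside the blob
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    # Characteristics is the last 2-byte field of the 20-byte COFF header
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def sideload_candidates(zip_bytes: bytes):
    """Return (exe_path, dll_path) pairs for PE files that sit in the same directory."""
    by_dir = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            kind = pe_kind(zf.read(info))
            if kind is None:
                continue  # decoy documents, text files, anything that is not a PE
            parent = str(PurePosixPath(info.filename).parent)
            by_dir.setdefault(parent, {"exe": [], "dll": []})[kind].append(info.filename)
    pairs = []
    for entries in by_dir.values():
        for exe in entries["exe"]:
            for dll in entries["dll"]:
                pairs.append((exe, dll))
    return pairs


def make_fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal PE stand-in: DOS header + PE signature + COFF header only."""
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff_header = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return dos_header + b"PE\x00\x00" + coff_header


def build_sample_zip() -> bytes:
    """Constructed attachment: a decoy document beside an EXE and a DLL disguised as .dat."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/invitation.pdf", b"%PDF-1.4 constructed decoy")
        zf.writestr("docs/viewer.exe", make_fake_pe(False))
        zf.writestr("docs/support.dat", make_fake_pe(True))
        zf.writestr("notes/readme.txt", b"constructed text file")
    return buf.getvalue()


if __name__ == "__main__":
    for exe, dll in sideload_candidates(build_sample_zip()):
        print(f"possible side-loading pair: {exe} + {dll}")
```

A pair is only a lead for analysis, not proof of malice: legitimate installers ship EXE/DLL pairs too. The useful follow-up is to check whether the executable's signer matches the DLL's, since a signed loader next to an unsigned DLL is the pattern the report describes.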
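Item 10 says StylerServ waits for an XOR-encrypted configuration file. When an analyst captures such a blob, the first job is recovering the key. The script below is an added example, not code from the report or from the malware; the configuration text and both keys are constructed for illustration, and the key lengths (single byte, then three bytes) are assumptions. It shows the two standard approaches: brute-forcing every single-byte key and scoring the output for plausible text, and deriving a repeating key from a known plaintext prefix such as a fixed config header.

```python
import string

PRINTABLE = frozenset(string.printable.encode())
TEXTY = frozenset((string.ascii_letters + string.digits + string.whitespace).encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score_plaintext(candidate: bytes):
    """Rank a candidate first by printable ratio, then by letters/digits/whitespace count."""
    if not candidate:
        return (0.0, 0)
    printable = sum(1 for b in candidate if b in PRINTABLE)
    texty = sum(1 for b in candidate if b in TEXTY)
    return (printable / len(candidate), texty)


def recover_single_byte_key(blob: bytes):
    """Try all 256 single-byte keys; return (key, plaintext) with the best text score."""
    best_key, best_pt, best_score = None, None, None
    for k in range(256):
        pt = xor_bytes(blob, bytes([k]))
        s = score_plaintext(pt)
        if best_score is None or s > best_score:
            best_key, best_pt, best_score = k, pt, s
    return best_key, best_pt


def recover_repeating_key(blob: bytes, known_prefix: bytes, key_len: int):
    """Known-plaintext recovery: if the first key_len plaintext bytes are known
    (for example a fixed config header), the key is simply ciphertext XOR plaintext."""
    if len(known_prefix) < key_len or len(blob) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    key = bytes(blob[i] ^ known_prefix[i] for i in range(key_len))
    return key, xor_bytes(blob, key)


# Constructed sample config and keys (assumptions for the example, not from a real sample).
SAMPLE_CONFIG = b"[c2]\nhost=example.invalid\nport=443\n"
SINGLE_KEY = bytes([0x5A])
REPEATING_KEY = bytes([0x5A, 0x13, 0x77])


def demo():
    """Encrypt the sample with each key, then recover key and plaintext from the ciphertext alone."""
    k1, pt1 = recover_single_byte_key(xor_bytes(SAMPLE_CONFIG, SINGLE_KEY))
    k2, pt2 = recover_repeating_key(xor_bytes(SAMPLE_CONFIG, REPEATING_KEY), b"[c2]", 3)
    return k1, pt1, k2, pt2


if __name__ == "__main__":
    k1, pt1, k2, pt2 = demo()
    print(f"single-byte key 0x{k1:02x}:", pt1.decode())
    print(f"repeating key {k2.hex()}:", pt2.decode())
```

The scoring heuristic is deliberately simple; for real samples, a crib such as an expected section name or a known C2 port string is usually more reliable than printability alone, which is why the known-plaintext variant is included.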