Stayin’ Alive – Targeted Attacks Against Telecoms and Government Ministries in Asia – Check Point Research

Stayin’ Alive is an active campaign in Asia primarily targeting the telecom sector and government organizations, with activity in Kazakhstan, Uzbekistan, Pakistan, and Vietnam. The operation relies on disposable downloaders/loaders and DLL side-loading, all linked to ToddyCat infrastructure, used to gain initial access and deploy additional payloads. #StayinAlive #ToddyCat

Keypoints

  • Stayin’ Alive is an active campaign in Asia targeting telecoms and government entities, with focus in Kazakhstan, Uzbekistan, Pakistan, and Vietnam.
  • The campaign uses spear-phishing emails delivering archive files that employ DLL side-loading, notably hijacking dal_keepalives.dll in Audinate’s Dante Discovery software (CVE-2022-23748).
  • Multiple unique loaders and downloaders are used, all connected to the same infrastructure tied to the Chinese-affiliated threat actor ToddyCat.
  • Backdoors/loaders are simple, modular, disposable tools used mainly to gain initial access and deploy further payloads.
  • In addition to CurKeep, other loaders (e.g., CurLu, CurCore, CurLog, StylerServ) are observed, all leveraging DLL side-loading or similar techniques to reach C2.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – ‘The campaign leverages spear-phishing emails to deliver archive files utilizing DLL side-loading schemes, most notably hijacking dal_keepalives.dll in Audinate’s Dante Discovery software (CVE-2022-23748).’
  • [T1574.001] DLL Search Order Hijacking – ‘the loader loads a simple backdoor called “CurKeep” by side-loading a DLL (dal_keepalives.dll) from a signed executable.’
  • [T1053.005] Scheduled Task – ‘AppleNotifyService’ is a scheduled task used to maintain persistence for the next execution of the payload.
  • [T1082] System Information Discovery – ‘CurKeep collects information about the infected machine, including the computer name, username, an output of systeminfo, and the directory list under C:\Program Files (x86) and C:\Program Files.’
  • [T1059] Command and Scripting Interpreter – ‘The payload receives commands via C2, executes them, and returns output; the commands are sent in JSON and separated by “|”.’
  • [T1105] Ingress Tool Transfer – ‘The expected response from the server is a DLL, which is then loaded and mapped in memory.’
  • [T1027] Obfuscated/Encrypted Information – ‘The data is encrypted and base64 encoded in transit (e.g., the JSON “msg” field).’
  • [T1071.001] Web Protocols – ‘The backdoor communicates over HTTP/S to /api/report, /api/shell, or /api/file, with data encoded in JSON.’
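The C2 shape described in the T1059, T1027 and T1071.001 entries (requests to /api/report, /api/shell or /api/file carrying JSON with a base64-encoded “msg” field) can be turned into a simple proxy-log triage check. The following is an added detection example, not code from the Check Point report; the record field names (dst_ip, uri, body) and the sample records are constructed, while the paths and the three IPs come from this page.

```python
import base64
import binascii
import json
import re

# C2 URI paths and a few infrastructure IPs taken from the write-up above.
CURKEEP_PATHS = {"/api/report", "/api/shell", "/api/file"}
KNOWN_C2_IPS = {"70.34.201.229", "185.136.163.129", "45.77.171.170"}

def looks_base64(value: str) -> bool:
    """True if value is a non-empty, properly padded base64 string."""
    if not value or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def match_reasons(record: dict) -> list[str]:
    """Return why one proxy record resembles a CurKeep beacon (empty list = no match)."""
    reasons = []
    if record.get("dst_ip") in KNOWN_C2_IPS:
        reasons.append("known C2 IP")
    if record.get("uri") in CURKEEP_PATHS:
        reasons.append("CurKeep API path " + record["uri"])
    try:
        payload = json.loads(record.get("body", ""))
    except (json.JSONDecodeError, TypeError):
        return reasons  # non-JSON body: only the IP/path checks apply
    if isinstance(payload, dict) and looks_base64(str(payload.get("msg", ""))):
        reasons.append("JSON body with base64-encoded 'msg' field")
    return reasons

def scan(records: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Flag every record with at least one reason so the source host can be triaged."""
    return [(r["dst_ip"], r["uri"], why) for r in records if (why := match_reasons(r))]

# Constructed proxy records (hypothetical field names: dst_ip, uri, body).
SAMPLE_RECORDS = [
    {"dst_ip": "70.34.201.229", "uri": "/api/report", "body": '{"msg": "aGVsbG8="}'},
    {"dst_ip": "203.0.113.10", "uri": "/api/file", "body": '{"msg": "not base64!"}'},
    {"dst_ip": "203.0.113.20", "uri": "/index.html", "body": ""},
    {"dst_ip": "198.51.100.5", "uri": "/api/v1/report", "body": '{"id": 1}'},
]

if __name__ == "__main__":
    for dst, uri, why in scan(SAMPLE_RECORDS):
        print(f"{dst} {uri}: {', '.join(why)}")
```

A path match alone is a weak signal (the /api/ prefix is common), so in practice the IP and body checks are what make a hit worth escalating.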

Indicators of Compromise

  • [IP] C2/infrastructure – 70.34.201.229, 185.136.163.129, 45.77.171.170, and 7 more IPs
  • [Domain] C2/domains – ns01.nayatel.orinafz.com, admit.pkigoscorp.com, update.certexvpn.com, cdn.pkigoscorp.com, qform3d.in, and 10 more domains
  • [File Hash] CurLu – 6eaa33812365865512044020bc4b95079a1cc2ddc26cdadf24a9ff76c81b1746
  • [File Hash] CurLu – 78faceaf9a911d966086071ff085f2d5c2713b58446d48e0db1ad40974bb15cd
  • [File Hash] CurKeep payload – 295b99219d8529d2cd17b71a7947d370809f4e1a3094a74a31da6e30aa39e719
  • [File Hash] CurLog – 409948cbbeaf051a41385d2e2bc32fc1e59789986852e608124b201d079e5c3c

Read more: https://research.checkpoint.com/2023/stayin-alive-targeted-attacks-against-telecoms-and-government-ministries-in-asia/