Insights, news, education and announcements from PolySwarm

Stayin Alive Campaign Targets Telecoms and Government Entities in Asia

Written by The Hivemind | Oct 27, 2023 5:54:59 PM

Related Families: CurKeep, CurCore, CurLog, CurLu, StylerServ
Verticals Targeted: Telecommunications, Government 

Executive Summary

The Stayin Alive campaign, perpetrated by ToddyCat, was observed targeting telecommunications and government entities in Asia.

Key Takeaways

  • The Stayin Alive campaign was observed targeting telecommunications and government entities in Asia.
  • Malware used in the campaign includes CurKeep, CurLu, CurCore, CurLog, and StylerServ. 
  • The campaign has been loosely attributed to the China nexus threat actor group known as ToddyCat.

The Campaign

Check Point Research recently reported on the ongoing Stayin Alive campaign, which is targeting telecommunications and government entities in Asia. Some of the targets thus far were located in Vietnam, Uzbekistan, Pakistan, and Kazakhstan.

The threat actors use spearphishing emails and DLL sideloading to deliver archive files on victim machines. They have also been observed leveraging CVE-2022-23748, a vulnerability in Audinate’s Dante Discovery Software. Post exploitation, the threat actors deploy loaders and downloaders in the victim environment to facilitate the delivery of additional malicious payloads.

Malware used in the campaign includes CurKeep, CurLu, CurCore, CurLog, and StylerServ. The campaign has been loosely attributed to the China nexus threat actor group known as ToddyCat.

The Malware

CurKeep
CurKeep is a backdoor. It is delivered via an infection chain that begins with an email containing a malicious ZIP attachment. The ZIP attachment contains two files, a legitimate signed .EXE and a side-loaded DLL. When executed, the legitimate executable runs first, which loads the DLL. The DLL then loads CurKeep. CurKeep is a small payload, at only 10kb, and has 26 functions.

CurLu 
CurLu is a loader and is often loaded via DLL sideloading. CurLu contacts the C2 and receives a DLL to load, then calls a predefined export.

CurCore
CurCore is a compact backdoor with limited functionality. CurCore’s capabilities include creating a file and writing data to it, executing a remote command, reading a file, and returning its data encoded in base64.

CurLog
CurLog is a loader that was mainly used in attacks targeting entities in Kazakhstan. Multiple variants exist. Some variants are executed through a DLL, and some via an EXE.

StylerServ 
StylerServ is a backdoor. It differs from ToddyCat’s other loaders in that it acts as a passive listener, serving a specific file over high ports. 

Who is ToddyCat?

ToddyCat is a China nexus threat actor group known to engage in long-term espionage campaigns. Active since at least December 2020, the group is thought to be sophisticated and quick to adapt to changing target environments. ToddyCat is known to target high-profile entities in Europe and Asia. Government, military, and telecommunications entities are among ToddyCat’s victims. ToddyCat is known to use Ninja trojan, Samurai backdoor, and MiniNinja framework.

IOCs

PolySwarm has multiple samples associated with this activity.

 

6eaa33812365865512044020bc4b95079a1cc2ddc26cdadf24a9ff76c81b1746

78faceaf9a911d966086071ff085f2d5c2713b58446d48e0db1ad40974bb15cd

409948cbbeaf051a41385d2e2bc32fc1e59789986852e608124b201d079e5c3c

4d52d40bc7599b784a86a000ff436527babc46c5de737e19ded265416b4977c6

c5d1ee44ec75fc31e1c11fbf7a70ed7ca8c782099abfde15ecaa1b1edaf180ac

da2d9ed632576eca68a0c6d8d5afd383a1d811c369012f0d7fb52cd06da8c9b9

93e9237afaff14c6b9a24cf7275e9d66bc95af8a0cc93db2a68b47cbbca4c347

d94ed414dbfb9bbcba42e3bf2db3b76eb8172b03133d1745d6abcde6f9edbaa7

12a7b9fa57719109b7f5d081cbe032320a59a7d57eef2dcd2cd4fe2b909162dc

a54e0352653146371efd727ca00110577f8e750e92101462e246f99d435b6172

4baa4071a5eedbe0a8afa1059f7732e5cde0433dd0425e075721dd2cdec9d70d

d4bd89ff56b75fc617f83eb858b6dbce7b36376889b07fa0c2417322ca361c30

1428698cc8b31a2c0150065af7b615ef2374ea3438b0a82f2efcff306b43cee6

2ab1121c603b925548a823fa18193896cd24d186e08957393e6a34d697aed782

a8a026d9bda80cc9bdd778a6ea8c88edcb2d657dc481952913bbdb5f2bfc11c9

7418c4d96cb0fe41fc95c0a27d2364ac45eb749d7edbe0ab339ea954f86abf9e

 

You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -t StayinAlive

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog Subscribe to our reports.