Asian telecoms in the eye of the storm for ToddyCat hackers

Posted by Relianoid Admin | 10 November, 2023 | Miscelanea

A campaign known as “Stayin’ Alive” has been actively targeting government organizations and telecommunication service providers across Asia since 2021.

Aim of the attack

Employing a diverse array of “disposable” malware to evade detection, the campaign primarily focuses on entities in Kazakhstan, Uzbekistan, Pakistan, and Vietnam, with Check Point, a cybersecurity firm, tracking these activities.

Check Point researchers have noted the use of various custom tools by threat actors in this campaign. These tools are designed to be easily discarded, making it challenging to associate attacks with one another or with known toolsets.

Mode of operation

The attack initiates through spear-phishing emails tailored for specific individuals within key organizations. The emails prompt recipients to open a ZIP file, containing a digitally signed executable file matching the email context and a malicious DLL. This DLL introduces the “CurKeep” malware into the system. CurKeep, a 10kb backdoor, establishes persistence, relays system information to a command-and-control (C2) server, and awaits further instructions.

Beyond CurKeep, the campaign deploys additional tools like CurLu, CurCore, and CurLog loaders, each with distinct functionalities and infection mechanisms. CurCore stands out as it can create files, execute remote commands, and manipulate data.

Another distinct backdoor, ‘StylerServ,’ functions as a passive listener monitoring specific ports for encrypted configuration files. Its exact purpose remains undisclosed but is presumed to serve as a configuration mechanism for other malware components.

The campaign tailors these tools to specific regional targets, utilizing various samples and variants. These identified tools may represent only a segment of a more extensive campaign involving undiscovered tools and attack methods.

Despite the diversity and customization of these tools, they all allegedly connect to the same infrastructure, previously linked to ToddyCat, a group of Chinese cyber spies.

One of the notable malware discovered is ‘Ninja Agent’, equipped with file management and reverse shell capabilities.

ToddyCat also deployed other tools like LoFiSe, Cobalt Strike, DropBox Uploader, and a passive UDP backdoor in these attacks, indicating the breadth and complexity of their operations.

Prevention is a crucial factor

RELIANOID offers cutting-edge solutions designed to preempt and mitigate sophisticated cyber threats like the “Stayin’ Alive” campaign observed across Asia. Leveraging advanced threat intelligence and adaptive security measures, RELIANOID’s platform detects and thwarts diverse, disposable malware used in these attacks by analyzing content inspection and preventing executable files being downloaded. By employing proactive monitoring, behavioral analysis, and customizable security protocols, RELIANOID effectively fortifies networks and systems against such evolving cyber intrusions. Download enterprise ready load balancer and enjoy the Site Reliability Experience.