In a concerning development, high-profile government and telecom entities in Asia have become the targets of an ongoing cyber campaign since 2021. Dubbed “Stayin’ Alive,” this campaign utilizes basic backdoors and loaders to deliver next-stage malware. The attackers have specifically focused on organizations in Vietnam, Uzbekistan, Pakistan, and Kazakhstan, raising alarm bells across the region.
Malware Delivery and Techniques
The perpetrators of the Stayin’ Alive campaign employ simple yet effective techniques for delivering malware. By relying on basic backdoors and loaders, they can easily deliver the next-stage malware to their intended victims. These tools, characterized by their simplicity and disposability, suggest that their purpose is primarily to download and execute additional payloads.
Targeted Organizations
The campaign’s scope is far-reaching, targeting a range of government and telecom entities in the Asian region. The affected countries include Vietnam, Uzbekistan, Pakistan, and Kazakhstan, pointing to a coordinated effort by the threat actors to infiltrate vital sectors.
Connection to ToddyCat Threat Actor
Interestingly, there are notable overlaps between the infrastructure used in the Stayin’ Alive campaign and that of ToddyCat, a China-linked threat actor renowned for targeting government and military agencies. This connection raises concerns, as it indicates a potentially larger campaign orchestrated by a sophisticated threat actor.
Attack Chain
The attack chain employed in the Stayin’ Alive campaign begins with carefully crafted spear-phishing emails. These emails entice unsuspecting targets with ZIP file attachments that seemingly contain legitimate executable files. However, these files leverage DLL side-loading techniques as an initial exploit to initiate the attack.
Analysis of Backdoor (CurKeep)
One of the primary backdoors utilized in this cyber campaign is CurKeep. This backdoor is responsible for collecting and transmitting information about the compromised host to a remote server controlled by the threat actors. Additionally, it can execute commands sent by the server, providing the attackers with remote access and control over the infected system.
Loader Variants
In addition to CurKeep, there are several loader variants identified in the Stayin’ Alive campaign. These variants, including CurLu, CurCore, and CurLog, possess the capability to receive DLL files from remote servers and execute commands on behalf of the threat actors. By utilizing different loaders, the attackers can deploy various malicious payloads to compromise the targeted systems.
Discovery of Passive Implant (StylerServ)
Further investigation into the Stayin’ Alive campaign revealed the presence of a passive implant named StylerServ. This implant operates silently in the background, listening on different ports to accept remote connections from the threat actors. It also serves as a platform for receiving encrypted configuration files, allowing the attackers to customize their approach according to the compromised system’s characteristics.
Difficulties in Detection and Attribution
Attribution and detection efforts in the Stayin’ Alive campaign are marred by the use of disposable tools and loaders. By regularly replacing and potentially rewriting these tools from scratch, the threat actors make it significantly more challenging for cybersecurity experts to identify their origin and track down the perpetrators responsible for the attacks. This enhances their ability to maintain a low profile and evade detection.
The ongoing Stayin’ Alive campaign, targeting high-profile government and telecom entities in Asia, poses a significant threat to regional cybersecurity. The use of basic backdoors, loaders, and passive implants, along with its connections to the ToddyCat threat actor, highlights advanced tactics and potential state-backed involvement. This complex cyber campaign emphasizes the need for enhanced cybersecurity measures and increased vigilance within the targeted sectors to thwart such persistent attacks.