A cyber campaign tracked as "Stayin' Alive" has been targeting government and telecom organizations across Asia since 2021. The campaign, documented by Check Point, is characterized by basic backdoors and loaders whose main job is to fetch and run more capable malware in later stages. Known targets are located in Vietnam, Uzbekistan, Pakistan, and Kazakhstan.
Check Point’s report on the campaign emphasizes the relatively simplistic nature of the tools used, which vary widely and appear to serve as disposable components primarily intended for downloading and executing additional malicious payloads. Notably, these tools do not exhibit clear code similarities with known threat actors and lack significant commonalities among themselves.
What sets this campaign apart is the identification of infrastructure overlaps with ToddyCat, a threat actor associated with China, known for conducting cyber operations against government and military entities in Europe and Asia since December 2020.
The attack chain in the "Stayin' Alive" campaign typically begins with a spear-phishing email carrying a ZIP attachment. The archive contains a legitimate executable that, when run, loads a DLL by name from its own directory; the archive ships a rogue dal_keepalives.dll alongside it, so the trusted process side-loads a backdoor named CurKeep instead of the library it expects.
CurKeep is designed to transmit information about the compromised host to a remote server, execute commands sent from the server, and write server responses to a file on the targeted system.
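The side-loading lure described above is easy to triage at the mail gateway or in a sandbox before detonation: an archive that bundles a PE executable together with a DLL is the structural signature, and the DLL name the report gives (dal_keepalives.dll) is a cheap high-confidence check on top. The following is an added example written for this page, not code from Check Point or from the campaign; the PE-header checks use the documented MZ/PE layout, while the sample archive, the executable name viewer.exe, and the helper names are constructed for the demo.

```python
import io
import struct
import zipfile

# The rogue DLL name comes from the Check Point description quoted on this page;
# the archive below and the executable name are constructed for the example.
SIDELOAD_DLL_NAMES = {"dal_keepalives.dll"}

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in IMAGE_FILE_HEADER


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_is_dll(data: bytes) -> bool:
    """Reads IMAGE_FILE_HEADER.Characteristics and tests IMAGE_FILE_DLL. Caller ensures is_pe()."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The 20-byte COFF header follows the 4-byte signature; Characteristics is at offset 18 in it.
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect one archive: list PE members, flag an EXE+DLL pairing, and match known rogue DLL names."""
    exes, dlls, known = [], [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if not is_pe(data):
                continue  # decoys, documents, etc. are not side-loading components
            name = info.filename.rsplit("/", 1)[-1]
            (dlls if pe_is_dll(data) else exes).append(name)
            if name.lower() in SIDELOAD_DLL_NAMES:
                known.append(name)
    return {
        "executables": exes,
        "dlls": dlls,
        "sideload_pair": bool(exes) and bool(dlls),  # EXE shipped next to a DLL: the generic signal
        "known_rogue_dll": known,                    # name match: the specific signal
    }


def make_fake_pe(is_dll: bool) -> bytes:
    """Constructed PE-shaped bytes for the demo: valid MZ/PE headers only, not a loadable image."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + coff


def build_sample_archive() -> bytes:
    """Constructed lure archive: a benign-looking EXE beside the rogue DLL name from the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/viewer.exe", make_fake_pe(is_dll=False))       # hypothetical name
        zf.writestr("invoice/dal_keepalives.dll", make_fake_pe(is_dll=True))
        zf.writestr("invoice/readme.txt", b"constructed decoy text")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_archive()))
```

The generic EXE+DLL pairing fires on plenty of legitimate software bundles, so treat it as a triage score rather than a block rule; the name match is the part worth alerting on, and the same shape extends to other rogue DLL names as they are reported.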
Further investigation into the campaign's command-and-control (C2) infrastructure revealed an evolving set of loader variants named CurLu, CurCore, and CurLog. These loaders can receive DLL files from the server, execute remote commands, and write server-supplied data to newly created files and then launch processes from them.
Additionally, researchers discovered a passive implant named StylerServ, which listens on five distinct ports (60810, 60811, 60812, 60813, and 60814) to establish remote connections and receive encrypted configuration files.
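A passive implant like StylerServ generates no outbound beacon, so the durable host-side artifact is the listening socket. The check below runs over netstat-style listener output and flags a process bound to any of the five ports the report names, grading a hit on all five as high confidence and a single-port hit as low (high ephemeral ports collide with legitimate software). This is an added example written for this page, not Check Point's or the implant's code; the port set is from the report, while the Windows `netstat -ano` line format it parses and the sample lines are assumed and constructed.

```python
import re
from collections import defaultdict

# Ports listed in the Check Point description quoted on this page.
STYLERSERV_PORTS = {60810, 60811, 60812, 60813, 60814}

# Assumed input format: lines from `netstat -ano` on Windows, e.g.
#   TCP    0.0.0.0:60810    0.0.0.0:0    LISTENING    4120
NETSTAT_LISTENER = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_ports_by_pid(netstat_output: str) -> dict:
    """Map PID -> set of TCP ports it is listening on, ignoring non-listener lines."""
    by_pid = defaultdict(set)
    for line in netstat_output.splitlines():
        m = NETSTAT_LISTENER.match(line)
        if m:
            by_pid[int(m.group(3))].add(int(m.group(2)))
    return dict(by_pid)


def hunt_stylerserv(netstat_output: str) -> list:
    """Return one finding per PID that listens on any StylerServ port, graded by how many it covers."""
    findings = []
    for pid, ports in listening_ports_by_pid(netstat_output).items():
        hit = ports & STYLERSERV_PORTS
        if not hit:
            continue
        findings.append({
            "pid": pid,
            "matched": sorted(hit),
            # All five ports on one process is the pattern the report describes; a lone port is weak.
            "confidence": "high" if hit == STYLERSERV_PORTS else "low",
        })
    return sorted(findings, key=lambda f: f["pid"])


# Constructed sample: PID 4120 reproduces the five-port pattern, PID 900 overlaps on one port,
# PID 4 is ordinary SMB and must not be flagged.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:60810          0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:60811          0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:60812          0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:60813          0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:60814          0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:60812         0.0.0.0:0              LISTENING       900
  TCP    10.0.0.5:49700         203.0.113.9:443        ESTABLISHED     2288
"""

if __name__ == "__main__":
    for finding in hunt_stylerserv(SAMPLE_NETSTAT):
        print(finding)
```

On a high-confidence hit, the next step is to resolve the PID to its image path and loaded modules; the listener alone tells you something is waiting for a connection, not what it is.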
It is important to note that while there is no conclusive evidence connecting “Stayin’ Alive” to ToddyCat, the shared use of infrastructure and the targeting of similar entities suggest potential similarities between the two campaigns.
The use of disposable loaders and downloaders, as observed in this campaign, is an emerging trend even among sophisticated threat actors. Such tools complicate both detection and attribution: they are replaced frequently, and each may be written from scratch, so signatures and code-similarity analysis have little to hold on to.
In a related context, the AhnLab Security Emergency Response Center (ASEC) recently disclosed cyber activities targeting entities in South Korea and Thailand. These attacks involve the deployment of an open-source Go-based backdoor named “BlueShell,” enabling command execution and file download and upload. Some of these intrusions have been attributed to a Chinese hacking group known as Dalbit.