Prominent government and telecommunications entities in the Asian region have become victims of an ongoing campaign that commenced in 2021.
This campaign has been strategically engineered to deploy backdoors and loaders to facilitate subsequent malware delivery.
Learn More
Check Point actively monitors and documents this campaign under “Stayin’ Alive.”
The identified targets primarily comprise organizations in countries such as Vietnam, Uzbekistan, Pakistan, and Kazakhstan.
In a recent report, Check Point noted,
“The simplicity of the tools utilized, coupled with their diverse range, implies that they are essentially disposable. These tools are predominantly employed for the purpose of downloading and executing additional payloads.”
“Intriguingly, these tools exhibit no discernible code similarities with any products attributable to known threat actors and lack substantial commonalities among themselves.”
What’s Amazing?
One noteworthy aspect of this campaign is the identification of infrastructure overlaps with those employed by ToddyCat, a threat actor affiliated with China, renowned for orchestrating cyberattacks against government and military institutions in Europe and Asia since December 2020.
The attack chains are initiated through spear-phishing emails that contain a ZIP file attachment housing a legitimate executable.
This executable leverages DLL side-loading to load a backdoor named “CurKeep” by utilizing a rogue DLL named “dal_keepalives.dll” located within the archive.
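The side-loading layout described above is visible before anything runs: the attachment is an archive that ships a legitimate executable next to a DLL the executable will resolve from its own directory. The following triage routine is an added example for a mail-gateway or sandbox pre-filter, not Check Point's tooling; the only indicator taken from the report is the rogue DLL name `dal_keepalives.dll`, the archive and the stub member `Update.exe` are constructed in memory, and the check uses the PE `MZ` signature rather than trusting file extensions.

```python
"""Triage a ZIP attachment for the DLL side-loading layout: a PE executable
packaged together with a PE DLL in the same archive.  Added example, not the
report's or the vendor's code.  The rogue DLL name is the one indicator taken
from the report; everything else below is constructed for the demonstration."""
import io
import zipfile
from dataclasses import dataclass, field
from typing import List

# Rogue DLL name reported for this campaign (from the report); extend as needed.
KNOWN_ROGUE_DLLS = {"dal_keepalives.dll"}


@dataclass
class ZipTriage:
    executables: List[str] = field(default_factory=list)
    dlls: List[str] = field(default_factory=list)
    known_rogue: List[str] = field(default_factory=list)

    @property
    def sideload_candidate(self) -> bool:
        # An EXE shipped beside a DLL in one archive is the classic
        # side-loading layout: the EXE resolves the DLL by name from its own
        # directory before it consults the system search path.
        return bool(self.executables) and bool(self.dlls)


def _is_pe(zf: zipfile.ZipFile, name: str) -> bool:
    # Look at the MZ signature; an extension alone proves nothing.
    with zf.open(name) as fh:
        return fh.read(2) == b"MZ"


def triage_zip(data: bytes) -> ZipTriage:
    """Classify PE members of a ZIP held in memory."""
    result = ZipTriage()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            lower = base.lower()
            if not _is_pe(zf, info.filename):
                continue
            if lower.endswith(".dll"):
                result.dlls.append(base)
                if lower in KNOWN_ROGUE_DLLS:
                    result.known_rogue.append(base)
            elif lower.endswith(".exe"):
                result.executables.append(base)
    return result


def build_sample_archive(with_rogue_dll: bool = True) -> bytes:
    """Constructed sample: a stub 'legitimate' EXE (hypothetical name
    Update.exe) optionally beside the rogue DLL.  Both PE members are just an
    MZ header padded with zeros; they contain no code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Update.exe", b"MZ" + b"\x00" * 62)
        if with_rogue_dll:
            zf.writestr("dal_keepalives.dll", b"MZ" + b"\x00" * 62)
        zf.writestr("README.txt", b"not a PE file")
    return buf.getvalue()


if __name__ == "__main__":
    t = triage_zip(build_sample_archive())
    print(f"exe={t.executables} dll={t.dlls} rogue={t.known_rogue} "
          f"sideload_candidate={t.sideload_candidate}")
```

The `sideload_candidate` flag is a generic heuristic and will also fire on legitimate software bundles; `known_rogue` is the high-confidence match. In practice the generic hit is a reason to detonate the archive, and the named-DLL hit is a reason to block and alert.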
“CurKeep is engineered to transmit information about the compromised host to a remote server, execute commands dispatched by the server, and record server responses in a file on the system.”
A comprehensive analysis of the command-and-control (C2) infrastructure has revealed a constantly evolving array of loader variants known as “CurLu,” “CurCore,” and “CurLog.”
These variants can receive DLL files, execute remote commands, and launch a process from a newly created file into which data from the server has been written.
Find a Connection?
Another discovery is the existence of a passive implant named “StylerServ,” which actively listens on five distinct ports (60810, 60811, 60812, 60813, and 60814).
This implant is designed to accept remote connections and acquire encrypted configuration files.
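A passive implant that waits for inbound connections leaves a host-side trace a C2 beacon does not: open listening sockets on fixed ports. The following is an added example of a hunt over the text output of Windows `netstat -ano`; it is not from the report. The five port numbers come from the report, the assumption that the listeners are TCP follows from the implant accepting remote connections, and the `netstat` output below is constructed (PIDs and addresses included).

```python
"""Flag local TCP listeners on the five ports the report attributes to the
StylerServ passive implant (60810-60814).  Added example, not the report's
code: it parses `netstat -ano` text output, and SAMPLE_NETSTAT is constructed.
A hit is a triage lead, not proof; any process can bind these ports."""
import re
from typing import Dict, List, NamedTuple

STYLERSERV_PORTS = {60810, 60811, 60812, 60813, 60814}  # from the report


class Listener(NamedTuple):
    proto: str
    local_addr: str
    port: int
    pid: int


# One `netstat -ano` TCP row: proto, local addr:port, foreign addr, state, PID.
# A greedy \S+ before the last colon also handles IPv6 forms such as [::]:135.
_TCP_ROW = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def parse_tcp_listeners(netstat_output: str) -> List[Listener]:
    """Return every TCP socket in LISTENING state with its owning PID."""
    listeners = []
    for line in netstat_output.splitlines():
        m = _TCP_ROW.match(line)
        if m:
            listeners.append(
                Listener("TCP", m["addr"], int(m["port"]), int(m["pid"]))
            )
    return listeners


def find_stylerserv_candidates(netstat_output: str) -> List[Listener]:
    """Listeners bound to any of the reported implant ports."""
    return [l for l in parse_tcp_listeners(netstat_output)
            if l.port in STYLERSERV_PORTS]


def ports_by_pid(candidates: List[Listener]) -> Dict[int, List[int]]:
    """Group hits by PID; one process holding all five ports is the strong
    signal, a single stray port is weak and needs process-level follow-up."""
    grouped: Dict[int, List[int]] = {}
    for c in candidates:
        grouped.setdefault(c.pid, []).append(c.port)
    return {pid: sorted(ports) for pid, ports in grouped.items()}


# Constructed sample output in `netstat -ano` layout; PIDs and hosts are fake.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:60810          0.0.0.0:0              LISTENING       5120
  TCP    0.0.0.0:60811          0.0.0.0:0              LISTENING       5120
  TCP    0.0.0.0:60812          0.0.0.0:0              LISTENING       5120
  TCP    0.0.0.0:60813          0.0.0.0:0              LISTENING       5120
  TCP    0.0.0.0:60814          0.0.0.0:0              LISTENING       5120
  TCP    [::]:135               [::]:0                 LISTENING       948
  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     2244
  UDP    0.0.0.0:500            *:*                                    1180
"""

if __name__ == "__main__":
    hits = find_stylerserv_candidates(SAMPLE_NETSTAT)
    for pid, ports in ports_by_pid(hits).items():
        print(f"PID {pid} listens on {ports}")
```

Run it against saved `netstat -ano` output from a suspect host, then pivot on the PID (image path, signer, parent, creation time). Because the implant pulls encrypted configuration over these connections, the corresponding network-side control is an egress/ingress rule and an alert on any inbound connection attempt to these ports on servers that have no business exposing them.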
Although no definitive evidence exists connecting “Stayin’ Alive” to ToddyCat, the findings highlight that both intrusion sets employ the same infrastructure to target a comparable set of entities.
“The employment of disposable loaders and downloaders, as witnessed in this campaign, is increasingly prevalent even among sophisticated threat actors.”
“The utilization of disposable tools not only renders detection more challenging but also complicates attribution efforts, as these tools are frequently replaced and conceivably developed from scratch.”
Not Sure, But Be Secure!
The recent findings on persistent cyberattacks targeting Asian government organizations and influential telecom companies are a cause for concern.
The sophistication of these attacks, characterized by the use of disposable tools and a constantly evolving arsenal of loader variants, poses a significant challenge for detection and attribution.
As cybersecurity threats are on the rise, it is crucial for everybody, including governments, to remain vigilant, adapt their defenses, and collaborate to stay safe.