Asian telecoms in the eye of the storm for ToddyCat hackers

Posted by Relianoid Admin | 10 November, 2023 | Miscelanea

A campaign known as “Stayin’ Alive” has been actively targeting government organizations and telecommunication service providers across Asia since 2021.

Aim of the attack

Employing a diverse array of “disposable” malware to evade detection, the campaign primarily focuses on entities in Kazakhstan, Uzbekistan, Pakistan, and Vietnam, with Check Point, a cybersecurity firm, tracking these activities.

Check Point researchers have noted the use of various custom tools by threat actors in this campaign. These tools are designed to be easily discarded, making it challenging to associate attacks with one another or with known toolsets.

Mode of operation

The attack initiates through spear-phishing emails tailored for specific individuals within key organizations. The emails prompt recipients to open a ZIP file, containing a digitally signed executable file matching the email context and a malicious DLL. This DLL introduces the “CurKeep” malware into the system. CurKeep, a 10kb backdoor, establishes persistence, relays system information to a command-and-control (C2) server, and awaits further instructions.

Beyond CurKeep, the campaign deploys additional tools like CurLu, CurCore, and CurLog loaders, each with distinct functionalities and infection mechanisms. CurCore stands out as it can create files, execute remote commands, and manipulate data.

Another distinct backdoor, ‘StylerServ,’ functions as a passive listener monitoring specific ports for encrypted configuration files. Its exact purpose remains undisclosed but is presumed to serve as a configuration mechanism for other malware components.

The campaign tailors these tools to specific regional targets, utilizing various samples and variants. These identified tools may represent only a segment of a more extensive campaign involving undiscovered tools and attack methods.

Despite the diversity and customization of these tools, they all allegedly connect to the same infrastructure, previously linked to ToddyCat, a group of Chinese cyber spies.

One of the notable malware discovered is ‘Ninja Agent’, equipped with file management and reverse shell capabilities.

ToddyCat also deployed other tools like LoFiSe, Cobalt Strike, DropBox Uploader, and a passive UDP backdoor in these attacks, indicating the breadth and complexity of their operations.

Prevention is a crucial factor

RELIANOID offers cutting-edge solutions designed to preempt and mitigate sophisticated cyber threats like the “Stayin’ Alive” campaign observed across Asia. Leveraging advanced threat intelligence and adaptive security measures, RELIANOID’s platform detects and thwarts diverse, disposable malware used in these attacks by analyzing content inspection and preventing executable files being downloaded. By employing proactive monitoring, behavioral analysis, and customizable security protocols, RELIANOID effectively fortifies networks and systems against such evolving cyber intrusions. Download enterprise ready load balancer and enjoy the Site Reliability Experience.

SHARE ON:

Related Blogs

Posted by reluser | 15 October 2024
Introduction Achieving and maintaining PCI DSS Compliance can be challenging for organizations of all sizes. It requires a thorough understanding of the payment security framework and diligent implementation of security…
26 LikesComments Off on Ensuring Payment Card Industry Data Security compliance
Posted by reluser | 08 October 2024
Did you know that RELIANOID employs a variety of advanced techniques to enhance performance and scalability for non-connection oriented and real-time services such as UDP (User Datagram Protocol), SIP (Session…
27 LikesComments Off on Ensuring Optimal Performance for Non-Connection Oriented Services with RELIANOID ADC
Posted by reluser | 13 September 2024
Recent incidents, such as the hijacking of accounts belonging to Google-owned security firm Mandiant, serve as stark reminders of the importance of robust security measures, particularly Multi-Factor Authentication (MFA). A…
51 LikesComments Off on Strengthening Digital Security with Multi-Factor Authentication