December 7, 2023

Researchers have discovered a new malicious espionage campaign “Stayin’ Alive’” is targeting telecommunications organizations and governments across Central and Southeast Asia tagged to the group ToddyCat.

ToddyCat is a Chinese-affiliated APT group that has been active since at least 2020. The group is known for targeting high-profile organizations in Asia, including telecoms, government agencies, and military contractors. Active since 2021, the campaign leverages spear-phishing emails to deliver archived files using DLL side-loading schemes, hijacking dal_keepalives.dll in Audinate’s Dante Discovery software (CVE-2022-23748).

Advertisements

In this campaign several loaders and downloaders, some were used as initial infection vectors against high-profile Asian organizations in Kazakhstan, Uzbekistan, Pakistan, and Vietnam.

Notably, CurKeep is deployed by running the legitimate executable, signed by Zoom, which loads dal_keepalives.dll and the dll file then loads CurKeep. Other custom-made tools include CurLu, CurCore and StylerServ.

Their infrastructure attributed the campaign to ToddyCat, which likely conducted the Stayin’ Alive campaign as part of a much broader espionage campaign.

Advertisements

The use of disposable loaders and downloaders, as observed in this campaign, is becoming more common even among sophisticated actors. The use of disposable tools makes both detection and attribution efforts more difficult, as they are replaced often, and possibly written from scratch. This is evident in the “Stayin’ Alive” campaign in which high-profile organizations were targeted with very simple backdoors.

This research was documented by researchers from Checkpoint

Indicators of Compromise

  • 6eaa33812365865512044020bc4b95079a1cc2ddc26cdadf24a9ff76c81b1746
  • 78faceaf9a911d966086071ff085f2d5c2713b58446d48e0db1ad40974bb15cd
  • 295b99219d8529d2cd17b71a7947d370809f4e1a3094a74a31da6e30aa39e719
  • 409948cbbeaf051a41385d2e2bc32fc1e59789986852e608124b201d079e5c3c
  • 462c85f6972da64af08f52a4c2f3a03bcd40fdf29b29b01631bff643cd9d906a
  • 4d52d40bc7599b784a86a000ff436527babc46c5de737e19ded265416b4977c6
  • 437cde10797b75ea92b1b68eb887972fe43b434db3ed67b756e01698cce69b4a
  • c5d1ee44ec75fc31e1c11fbf7a70ed7ca8c782099abfde15ecaa1b1edaf180ac
  • da2d9ed632576eca68a0c6d8d5afd383a1d811c369012f0d7fb52cd06da8c9b9
  • 451f87134438fa7e5735a865989072e7bab4858ca0b1e921224ed27dea0226b0
  • 93e9237afaff14c6b9a24cf7275e9d66bc95af8a0cc93db2a68b47cbbca4c347
  • 482d41c4a2e14ddc072087a1b96f6e34ffda2bfc85819e21f15c97220825e651
  • 877579185a72fbaf1afa78d3c50dbab187780d545d5375ba4c29147083176697
  • c4f9bc7624509190e9e2a690daeff5ac9e944f094b51781734b83a364ae038d0
  • d94ed414dbfb9bbcba42e3bf2db3b76eb8172b03133d1745d6abcde6f9edbaa7
  • 732621aa53683c16edf3959dfe9d93de5359c431c130784b31d4a598fbbd80a9
  • 12a7b9fa57719109b7f5d081cbe032320a59a7d57eef2dcd2cd4fe2b909162dc
  • a54e0352653146371efd727ca00110577f8e750e92101462e246f99d435b6172
  • 60030b970491bced72a56c9dde09a1d2260becfbf80a2b0d217a0b913e781c3a
  • 36b4a846d6ed3461e36ed9f4c03fb4548397659ef0a46219695666266eba1652
  • b3fc497f94ac04abc4c9a6f23ab142fdc2387c520ce5c6fdae1b511793bc6ba2
  • caa9fdda2776f681ec294ffeded04723107cf754a2889c3fbb5bc7c743d897c1
  • 4baa4071a5eedbe0a8afa1059f7732e5cde0433dd0425e075721dd2cdec9d70d
  • d4bd89ff56b75fc617f83eb858b6dbce7b36376889b07fa0c2417322ca361c30
  • 47de9bf5f60504c229fe9f727aa59ba5c34d173a23af70822541a9e485abe391
  • 1428698cc8b31a2c0150065af7b615ef2374ea3438b0a82f2efcff306b43cee6
  • 2dfba1cbc0ac1793ffd591c88024fab598a3f6a91756a2ea79f84f1601a0f1ed
  • d33cbdbd6181deb0e8da9c9e6fb8795e98478d9608ab187e5b8809bed6b2e5c4
  • 6f3de35c531993aa307729e2046ff7aa672f5058b7e0fc6557bbd4c500fb46e7
  • 2ab1121c603b925548a823fa18193896cd24d186e08957393e6a34d697aed782
  • 1934ac9067871a61958e3e96ea5daa227900b7683fce67a1bf1c24beff77d75a
  • a8a026d9bda80cc9bdd778a6ea8c88edcb2d657dc481952913bbdb5f2bfc11c9
  • 778b2526965dc1c4bcc401d0ae92037122e7e7f2c41f042f95b59a7f0fe6f30e
  • 7418c4d96cb0fe41fc95c0a27d2364ac45eb749d7edbe0ab339ea954f86abf9e
  • 70[.]34[.]201[.]229
  • 185[.]136[.]163[.]129
  • 45[.]77[.]171[.]170
  • 167[.]179[.]91[.]150
  • 185[.]243[.]112[.]223
  • 207[.]148[.]69[.]74
  • 139[.]180[.]145[.]121
  • 77[.]91[.]75[.]232
  • 178[.]23[.]190[.]206
  • 136[.]244[.]111[.]25
  • 185[.]242[.]85[.]124
  • 45[.]159[.]250[.]179
  • 178[.]23[.]190[.]206
  • 65[.]20[.]68[.]126
  • ns01[.]nayatel[.]orinafz[.]com
  • eaq[.]machineaccountquota[.]com
  • qaq2[.]machineaccountquota[.]com
  • imap[.]774b884034c450b[.]com
  • admit[.]pkigoscorp[.]com
  • update[.]certexvpn[.]com
  • cyberguard[.]certexvpn[.]com
  • gist[.]gitbusercontent[.]com
  • git[.]gitbusercontent[.]com
  • raw[.]gitbusercontent[.]com
  • cert[.]qform3d[.]in
  • admit[.]pkigoscorp[.]com
  • sslvpn[.]pkigoscorp[.]com
  • cdn[.]pkigoscorp[.]com
  • idp[.]pkigoscorp[.]com
  • ad[.]fopingu[.]com
  • proxy[.]rtmcsync[.]com
  • pic[.]rtmcsync[.]com
  • backend[.]rtmcsync[.]com
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

Atlassian fixes critical RCE vulnerabilities in its products

December 6, 2023

Microsoft Echo’s on APT 28 exploiting CVE-2023-23397

December 5, 2023

Papercut Privilege Escalation Vulnerability Unearthed

December 5, 2023

DanaBot Trojan Deploying Cactus Ransomware

December 4, 2023

LogoFAIL Firmware Attack

December 3, 2023

Proliance Surgeons Discloses a Data Breach

December 3, 2023
%d