‘Stayin’ Alive’ cyber espionage campaign targets telecoms, governments in Asia


Security experts with Check Point Research shared details on an ongoing cyber espionage campaign they track as ‘Stayin’ Alive’ that mainly targets the telecommunications industry and government organizations across Asia.

The operation, which has been ongoing since 2021, consists mostly of downloaders and loaders, some of which were used as an initial infection vector. The first downloader found, ‘CurKeep’, targeted Vietnam, Uzbekistan, and Kazakhstan; however, the campaign is believed to be much wider than first thought.

Although the tools used in this campaign share no clear code overlaps with products created by any known threat actors and do not have much in common with each other, they are all linked to the same set of infrastructure, tied to ToddyCat, a Chinese-affiliated threat actor operating in Asia.

The attack chain starts with a spear-phishing email carrying a ZIP attachment. The archive contains a legitimate executable that leverages DLL side-loading to load a backdoor called CurKeep from a rogue DLL, dal_keepalives.dll, shipped alongside it in the same archive.
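One defensive check for the packaging pattern described above (a ZIP that bundles a legitimate EXE with a DLL it will load from its own folder), written as an added example for this article rather than code from Check Point or the campaign; the archive layout, the directory name and the executable name `viewer.exe` are constructed assumptions, and only the DLL name comes from the report:

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

# Rogue DLL name reported in the article for the CurKeep chain.
KNOWN_ROGUE_DLLS = {"dal_keepalives.dll"}


def is_pe(data: bytes) -> bool:
    """True if the bytes start with the MZ header of a Windows PE file."""
    return data[:2] == b"MZ"


def find_sideload_bundles(zip_bytes: bytes) -> list[dict]:
    """Flag ZIP directories holding a PE executable next to a PE DLL.

    That co-location is the packaging pattern of the side-loading chain
    described above. Returns one finding per directory.
    """
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename)
            ext = name.suffix.lower()
            if ext not in (".exe", ".dll"):
                continue
            # Require a real PE header so a renamed text file is not flagged.
            with zf.open(info) as fh:
                if not is_pe(fh.read(2)):
                    continue
            by_dir[str(name.parent)][ext[1:]].append(name.name)
    findings = []
    for directory, members in by_dir.items():
        if members["exe"] and members["dll"]:
            rogue = [d for d in members["dll"] if d.lower() in KNOWN_ROGUE_DLLS]
            findings.append({"dir": directory, "exe": sorted(members["exe"]),
                             "dll": sorted(members["dll"]), "known_rogue": sorted(rogue)})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: stub EXE (hypothetical name) beside the rogue DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/viewer.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice/dal_keepalives.dll", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice/readme.txt", b"not a PE")
    return buf.getvalue()
```

The EXE-plus-DLL co-location check fires on any such bundle, not only on the DLL name from this report, which is the point given how often these loaders are replaced.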

CurKeep is able to send information about the compromised host to a remote server, execute commands, and write server responses to a file on the system.

“The functionality of the backdoors and the loaders is very basic and highly variable. This suggests the actors treat them as disposable, and likely mostly use them to gain initial access,” the researchers said.

The threat actor is also leveraging additional tools, mostly loaders such as CurLu, CurCore, and CurLog, as well as the StylerServ backdoor used as a passive listener.

“The use of disposable loaders and downloaders, as observed in this campaign, is becoming more common even among sophisticated actors. The use of disposable tools makes both detection and attribution efforts more difficult, as they are replaced often, and possibly written from scratch,” Check Point said.
