"Stayin’ Alive" Campaign Targets Government & Telecom Organizations in Asia Since 2021
Category: Threat Actor Activity | Industries: Government, Telecommunications | Source: Check Point
Researchers at Check Point Research have been monitoring a cyber campaign tracked as "Stayin' Alive," an ongoing operation that has been active since at least 2021. The campaign predominantly targets the telecommunications industry and government organizations across Asia, with Vietnam, Uzbekistan, Kazakhstan, and Pakistan as the primary targets. Check Point's report describes the tools used in the campaign as simplistic and diverse, suggesting they are "disposable, mostly utilized to download and run additional payloads." Check Point's analysis did not identify any code overlaps that could directly link the campaign to known threat actors. However, attribution can be inferred from the campaign's infrastructure, which suggests a potential connection to ToddyCat, a Chinese espionage group. This attribution is further supported by the fact that ToddyCat operates within the same Asian regions where the campaign is active.
The attack chain often begins with spear-phishing emails that deliver archive files relying on DLL side-loading techniques, and even exploiting a vulnerability in Audinate's Dante Discovery software, CVE-2022-23748. Check Point uncovered the campaign in September 2022 while examining an email uploaded to VirusTotal from a Vietnamese telecommunications company. Analysis of the payloads within the email identified various similarly linked archive files delivering the same backdoor, CurKeep. The threat actors behind this campaign use multiple loaders and downloaders with basic functionality to gain initial access. These loaders and downloaders include CurKeep, CurLu, CurCore, CurLog, StylerServ, and others. Communication with the command and control (C&C) servers is HTTP-based and uses infrastructure and patterns that suggest links to ToddyCat. On attribution, Check Point recognizes the shared infrastructure and nexus between ToddyCat and the actors behind this campaign but is not making a direct attribution to ToddyCat.