Recent research by Check Point Research has revealed the details of an ongoing campaign called “Stayin’ Alive.” The campaign, which has been active since at least 2021, primarily targets the telecommunications industry and government bodies in Asia. High-profile organizations in Kazakhstan, Uzbekistan, Pakistan, and Vietnam are among the initial targets of infection. Further analysis has shown that this campaign is part of a larger threat to the region.
The main tools used in the campaign are loaders and malicious software installers. These tools are designed to compromise organizations’ systems and facilitate data exfiltration. The research indicates that the campaign tools are user-friendly and offer a wide range of options, suggesting that they are primarily used to gain initial access to systems.
Although the tools used in the campaign have no direct connections to well-known hacker groups, they all share the same infrastructure, which is linked to ToddyCat. ToddyCat is a threat actor that operates in the Asian region and has connections to China.
It is worth noting that the infection chain begins with a phishing email sent in September 2022 to a Vietnamese telecommunications company. The email contains a ZIP archive with two files. The executable is named “MDNSRESPONDER.EXE,” mimicking the email’s subject, while the DLL used for sideloading is named “Dal_keepalives.dll.” The successful download of these files was made possible by exploiting the vulnerability CVE-2022-23748 in Audinate’s Dante Discovery software.
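As an added defender-side illustration (not part of Check Point’s research or of this article), the following Python snippet turns the lure layout described above into a triage check for mail attachments: it flags ZIP archives that carry an executable together with a DLL in the same directory, the pairing DLL sideloading relies on, and matches the pair against the two file names the article gives. The archive is constructed in memory with dummy contents; only the names are taken from the article.

```python
import io
import zipfile

# Indicator pair taken from the article's description of the September 2022 lure.
# Names are compared case-insensitively; the real sample is not used here.
KNOWN_SIDELOAD_PAIRS = {
    ("mdnsresponder.exe", "dal_keepalives.dll"),
}


def scan_zip_for_sideload_lure(zip_bytes: bytes) -> dict:
    """Inspect a ZIP attachment for the EXE + DLL pairing typical of a
    DLL-sideloading lure. Returns the pairs found, whether any pair matches
    a known indicator, and whether the archive is suspicious at all."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    # Group entries by directory: sideloading needs the DLL beside the
    # executable, so only same-directory pairs are interesting.
    by_dir: dict[str, dict[str, list[str]]] = {}
    for name in names:
        directory, _, base = name.rpartition("/")
        lower = base.lower()
        bucket = by_dir.setdefault(directory, {"exe": [], "dll": []})
        if lower.endswith(".exe"):
            bucket["exe"].append(lower)
        elif lower.endswith(".dll"):
            bucket["dll"].append(lower)
    pairs = [(e, d) for b in by_dir.values() for e in b["exe"] for d in b["dll"]]
    known = [p for p in pairs if p in KNOWN_SIDELOAD_PAIRS]
    return {"pairs": pairs, "known_match": bool(known), "suspicious": bool(pairs)}


def build_sample_zip(with_dll: bool = True) -> bytes:
    """Constructed archive mimicking the lure's layout (dummy bytes only).
    with_dll=False produces a benign-looking archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MDNSRESPONDER.EXE", b"MZ dummy executable")
        if with_dll:
            zf.writestr("Dal_keepalives.dll", b"MZ dummy library")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip_for_sideload_lure(build_sample_zip()))
    print(scan_zip_for_sideload_lure(build_sample_zip(with_dll=False)))
```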
Once the malicious files are installed, CurLu Loader, CurCore, and CurLog Loader are delivered to the infected devices. Each of these tools has its own methods of infection and of loading further malware. Their main functions include data exfiltration and establishing persistence.
Additionally, several other tools used for similar purposes have been discovered in these attacks. This suggests that the “Stayin’ Alive” campaign is likely just a small part of a much larger operation that employs numerous unknown tools and methodologies.