A recently discovered and named malware campaign Stayin’ Alivehas been targeting government organizations and telecom service providers across Asia since 2021, using a wide variety of malware “disposable” to evade detection.
Most of the campaign targets identified by the cybersecurity company Check Point they are based in countries such as Kazakhstan, Uzbekistan, Pakistan and Vietnam but, as the action is still ongoing, it is not impossible that other countries are also involved.
The attacks appear to come from a Chinese cyberespionage hacker group known as ToddyCat. The actions of this collective, in most cases, are based on messages from spear phishingthrough which they spread malicious attachments to better manage several loader malware e backdoor.
The researchers explain that threat actors use several different types of customized tools, which they believe are single-use, to help evade detection and prevent linking attacks.
Disposable malware makes the job of security experts difficult
Per Checkpoint “The large set of tools described in this report are custom-made and likely easily discarded. As a result, they show no clear code overlap with any known tool set, not even with each other“.
The attack starts with a spear phishing email designed to target specific individuals in key organizations, inviting them to open a file ZIP attached.
The archive contains a executable digitally signed named to match the context of the email and a Malicious DLL that exploits a vulnerability (CVE-2022-23748) in the software Dante Discovery Of Audinate to sideload malware CurKeep on the system.
CurKeep is a backdoor from 10kb which establishes persistence on the hacked device, sends system information to the command and control server, and then waits for commands from cybercriminals.
The backdoor can extract a directory listing for the victim’s program files, indicating what software is installed on the computer, execute commands and send output to the server, and handle file-based tasks, all depending on the will of the ToddyCat hackers .
In addition to CurKeep, the campaign uses other tools, mainly loaders, mainly executed via methods sideloading of similar DLLs. All this makes these malware even more unpredictable and adaptable to the needs of cybercriminals.