CurKeep Backdoor Targets Communications and Official Entities in Asia


A recently uncovered operation known as "Stayin Alive" has been actively targeting government bodies and telecommunications service providers in Asia since 2021. This campaign employs a diverse range of malware to avoid detection.

The majority of the campaign's targets, according to cybersecurity firm Check Point, are concentrated in countries such as Kazakhstan, Uzbekistan, Pakistan, and Vietnam. The campaign is still ongoing.

The attacks seem to originate from the Chinese espionage group 'ToddyCat,' which relies on spear-phishing messages carrying harmful attachments to load various malware loaders and backdoors. Researchers note that the threat actors employ multiple custom tools which they believe are built for temporary use, so as to elude detection and prevent different attacks from being linked to one another.

CurKeep Backdoor Infection Chain

The attack commences with a spear-phishing email meticulously crafted to target specific individuals within critical organizations, coaxing them into opening an attached ZIP file. Contained within the archive is an executable file bearing a digital signature intended to match the email's context, along with a malicious DLL exploiting a vulnerability (CVE-2022-23748) in Audinate's Dante Discovery software. This DLL facilitates the loading of the "CurKeep" malware onto the system.
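As an added triage example (not Check Point's tooling and not code from the article), the following Python script walks the PE headers of files extracted from a suspicious archive and flags the pattern described above: a signed executable sitting next to an unsigned DLL in the same folder. It only checks whether an Authenticode security directory is present, not whether the signature verifies, and every file name and byte string in it is constructed for the example.

```python
import struct
IMAGE_FILE_DLL = 0x2000   # COFF Characteristics flag
SECURITY_DIR = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)

def parse_pe(data: bytes) -> tuple[bool, bool]:
    """Walk the PE headers and return (is_dll, has_authenticode_blob)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptHdr, Characteristics
    characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)[6]
    opt = e_lfanew + 24                                   # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}[magic]               # PE32 / PE32+ data directory offset
    n_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]   # NumberOfRvaAndSizes
    signed = False
    if n_dirs > SECURITY_DIR:
        off, size = struct.unpack_from("<II", data, opt + dd_off + 8 * SECURITY_DIR)
        signed = off != 0 and size != 0                   # blob present, NOT cryptographically verified
    return bool(characteristics & IMAGE_FILE_DLL), signed

def find_sideload_candidates(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Pair each signed EXE with every unsigned DLL sitting in the same archive folder."""
    by_dir: dict[str, list[tuple[str, bool, bool]]] = {}
    for path, data in files.items():
        if data[:2] == b"MZ":                             # skip documents, images, etc.
            is_dll, signed = parse_pe(data)
            by_dir.setdefault(path.rpartition("/")[0], []).append((path, is_dll, signed))
    hits = []
    for members in by_dir.values():
        exes = [p for p, is_dll, signed in members if not is_dll and signed]
        dlls = [p for p, is_dll, signed in members if is_dll and not signed]
        hits += [(e, d) for e in exes for d in dlls]
    return sorted(hits)

def build_fake_pe(signed: bool, is_dll: bool, pe32plus: bool = True) -> bytes:
    """Constructed test input: a header-only PE image with no code, not a real program."""
    e_lfanew, opt_size, dd_off = 0x80, (240 if pe32plus else 224), (112 if pe32plus else 96)
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size,
                       IMAGE_FILE_DLL if is_dll else 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dd_off - 4, 16)           # NumberOfRvaAndSizes = 16
    if signed:
        struct.pack_into("<II", opt, dd_off + 8 * SECURITY_DIR, 0x1000, 0x200)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

A hit only means the layout matches the side-loading pattern; the flagged DLL still needs manual or sandbox analysis, and a signed executable can itself be a legitimate binary abused as the loader.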

CurKeep is a backdoor with a tiny file size of just 10 kilobytes that establishes persistence on the compromised device, transmits system information to the command-and-control (C2) server, and then waits for commands. This backdoor is capable of exfiltrating a list of directories from the victim's Program Files, revealing the software installed on the computer, executing commands and transmitting the results to the C2 server, and handling file-based tasks in accordance with the operators' instructions.

CurKeep Used Alongside Additional Malicious Tools

In addition to CurKeep, the campaign makes use of other tools, primarily loaders, which are mainly activated through similar DLL side-loading methods. Notable among them are the CurLu loader, CurCore, and CurLog loader, each having distinct functions and methods of infection.

Check Point notes that "Stayin' Alive" deploys various samples and versions of these loaders and payloads, often tailored to specific regional targets, including language, filenames, and themes.

The security company suggests that the newly discovered cluster is likely a part of a more extensive campaign involving additional undisclosed tools and attack strategies. Given the wide array of distinct tools employed in the attacks and their high level of customization, it appears that they are intended to be used for a limited duration.

October 13, 2023