Monday, October 7, 2024
HomeCyber AttackStayin’ Alive Hacking Teleco & Government Organizations to Deploy Backdoor

Stayin’ Alive Hacking Teleco & Government Organizations to Deploy Backdoor

Published on

Threat actors target telecoms and government ministries because they house valuable data and infrastructure. 

Telecoms hold sensitive communication records and can disrupt essential services, while government ministries contain classified information, making them attractive targets for the following illicit purposes:-

  • Espionage
  • Financial gain
  • Cyber warfare

Cybersecurity researchers at Check Point have monitored ‘Stayin’ Alive,’ an ongoing campaign since at least 2021, primarily in Asia targeting Telecom and government sectors. 

- Advertisement - EHA

The campaign deploys downloaders and loaders, with one called CurKeep targeting multiple countries, revealing its broader regional focus.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

The campaign’s simple, diverse tools appear disposable for downloading payloads. They lack code similarities but connect to ToddyCat, a Chinese-affiliated threat actor in the region.

Infrastructure Analysis

The investigation began with a September 2022 email to a Vietnamese telecom company uploaded to VirusTotal. 

The email contained a ZIP attachment with legitimate and side-loaded files. Execution involves a simple backdoor called ‘CurKeep,’ maintaining persistence via a scheduled task.

CurKeep infection chain
CurKeep infection chain (Source – CheckPoint)

CurKeep samples used C&C servers with a shared TLS certificate (fd31ea84894d933af323fd64d36910ca0c92af99) across multiple IP addresses, likely tied to the same actor.

Stayin’ Alive shared certificate among IP addresses
Stayin’ Alive shared certificate among IP addresses (Source – CheckPoint)

Additional tools used

Here below, we have mentioned all the additional tools that the threat actors use:-

  • CurLu Loader
  • CurCore
  • CurCore Payload
  • CurLog Loader
  • Old Vietnam Lure

The newly discovered StylerServ sample serves files over high ports using passive listening. Five threads monitor specific ports and, if conditions are met, serve encrypted files like ‘stylers.bin’ during remote connections.

These files appear to include a configuration of several file formats and unidentified DWORDs.

Encrypted and decrypted configs
Encrypted and decrypted configs (Source – CheckPoint)

Countries targeted

Here below, we have mentioned all the countries that the threat actors target:-

  • Vietnam
  • Pakistan
  • Uzbekistan
  • Kazakhstan

The following domains are used by CurLog and CurLu loaders that were previously linked to ToddyCat’s infrastructure, with shared connections to 149.28.28[.]159:-

  • fopingu[.]com
  • rtmcsync[.]com

Sophisticated actors increasingly rely on disposable loaders and downloaders to evade detection and attribution. ‘Stayin’ Alive’ demonstrates this trend, targeting high-profile organizations with basic backdoors.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...

Microsoft & DOJ Dismantles Hundreds of Websites Used by Russian Hackers

Microsoft and the U.S. Department of Justice (DOJ) have disrupted the operations of Star...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...