Threat actors target telecoms and government ministries because they house valuable data and infrastructure.
Telecoms hold sensitive communication records and can disrupt essential services, while government ministries contain classified information, making them attractive targets for the following illicit purposes:-
Cybersecurity researchers at Check Point have monitored ‘Stayin’ Alive,’ an ongoing campaign since at least 2021, primarily in Asia targeting Telecom and government sectors.
The campaign deploys downloaders and loaders, with one called CurKeep targeting multiple countries, revealing its broader regional focus.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
The campaign’s simple, diverse tools appear disposable for downloading payloads. They lack code similarities but connect to ToddyCat, a Chinese-affiliated threat actor in the region.
The investigation began with a September 2022 email to a Vietnamese telecom company uploaded to VirusTotal.
The email contained a ZIP attachment with legitimate and side-loaded files. Execution involves a simple backdoor called ‘CurKeep,’ maintaining persistence via a scheduled task.
CurKeep samples used C&C servers with a shared TLS certificate (fd31ea84894d933af323fd64d36910ca0c92af99) across multiple IP addresses, likely tied to the same actor.
Here below, we have mentioned all the additional tools that the threat actors use:-
The newly discovered StylerServ sample serves files over high ports using passive listening. Five threads monitor specific ports and, if conditions are met, serve encrypted files like ‘stylers.bin’ during remote connections.
These files appear to include a configuration of several file formats and unidentified DWORDs.
Here below, we have mentioned all the countries that the threat actors target:-
The following domains are used by CurLog and CurLu loaders that were previously linked to ToddyCat’s infrastructure, with shared connections to 149.28.28[.]159:-
Sophisticated actors increasingly rely on disposable loaders and downloaders to evade detection and attribution. ‘Stayin’ Alive’ demonstrates this trend, targeting high-profile organizations with basic backdoors.
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.
A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…
SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…
The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…
Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…
CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…
A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…