CurKeep Backdoor
The custom malware threat known as the CurKeep Backdoor has been identified as a key component in a recently uncovered cyberattack campaign called 'Stayin' Alive.' This ongoing campaign, which began in 2021, has been specifically focused on government organizations and telecommunication service providers in various Asian countries. The attackers behind this campaign employ a diverse range of 'disposable' malware to avoid detection.
Security researchers have observed that a significant portion of the campaign's targets are located in countries such as Kazakhstan, Uzbekistan, Pakistan and Vietnam. The 'Stayin' Alive' campaign is still active and continues to pose a threat.
The cyberattacks associated with this campaign are attributed to the Chinese espionage group referred to as 'ToddyCat.' This group employs spear-phishing messages carrying malicious attachments, which are used to deliver a variety of malware loaders and backdoors.
The CurKeep Backdoor is Deployed through Spear-Phishing Tactics
The researchers have identified a wide array of custom tools employed by threat actors, which they believe are designed to be disposable in order to thwart detection and prevent the linkage of various attacks.
The attack commences with a spear-phishing email, carefully tailored to target specific individuals within critical organizations and urging them to open an attached ZIP file. The archive contains a digitally signed, legitimate executable, named to match the email's context, alongside a malicious DLL. The DLL abuses a DLL side-loading vulnerability (CVE-2022-23748) in Audinate's Dante Discovery software: when the signed executable runs, it loads the attacker's DLL from its own directory, and the CurKeep malware is side-loaded onto the compromised system.
CurKeep, a lightweight backdoor of roughly 10 KB, is responsible for establishing persistence on the compromised host. It sends system information to the command-and-control (C2) server and then awaits further instructions. The backdoor can exfiltrate a directory listing of the victim's Program Files, giving the operators an inventory of the software installed on the machine. It can also execute commands and relay their output to the C2 server, and perform file-based tasks at the operators' direction.
In addition to CurKeep, the campaign employs other tools, primarily loaders, executed through similar DLL side-loading methods. Noteworthy among them are the CurLu loader, CurCore, and CurLog loader, each equipped with unique functionalities and infection mechanisms.
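The side-loading chain described above (a signed vendor executable run from an extracted ZIP that loads an unsigned DLL from its own folder) leaves a recognizable trace in image-load telemetry. The following is an added detection example written for this page, not code from the report or from any vendor; it assumes Sysmon-style image-load events and uses constructed placeholder paths and file names rather than the campaign's real binaries.

```python
"""Added detection example (not from the report): flag DLL side-loading of the
kind described above from Sysmon-style image-load events (Event ID 7).
All paths, names and events below are constructed for illustration."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories an ordinary user can write to. A signed vendor binary that was
# extracted from a phishing ZIP and run from one of these is the pattern the
# campaign relies on; the same binary under Program Files is far less suspicious.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")


@dataclass(frozen=True)
class ImageLoad:
    process_path: str    # executable that performed the load
    image_path: str      # DLL that was loaded
    process_signed: bool
    image_signed: bool


def is_user_writable(path: str) -> bool:
    """Heuristic: does the path sit under a directory a normal user can write to?"""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def sideload_alerts(events):
    """Return events where a signed host process loaded an unsigned DLL from the
    host's own directory and that directory is user-writable."""
    alerts = []
    for ev in events:
        proc_dir = str(PureWindowsPath(ev.process_path).parent).lower()
        dll_dir = str(PureWindowsPath(ev.image_path).parent).lower()
        if (ev.process_signed and not ev.image_signed
                and proc_dir == dll_dir and is_user_writable(proc_dir)):
            alerts.append(ev)
    return alerts


# Constructed sample events; "vendor_tool.exe" and "helper.dll" are placeholders.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\vendor_tool.exe",
              r"C:\Program Files\Vendor\helper.dll", True, True),
    ImageLoad(r"C:\Users\alice\Downloads\invoice\vendor_tool.exe",
              r"C:\Users\alice\Downloads\invoice\helper.dll", True, False),
    ImageLoad(r"C:\Users\alice\Downloads\invoice\vendor_tool.exe",
              r"C:\Windows\System32\kernel32.dll", True, True),
]

if __name__ == "__main__":
    for ev in sideload_alerts(SAMPLE_EVENTS):
        print("possible DLL side-loading:", ev.process_path, "->", ev.image_path)
```

Only the second constructed event fires; the same DLL name under Program Files or a system DLL loaded from System32 does not, which keeps the rule focused on the extracted-archive pattern rather than on every unsigned DLL.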
The 'Stayin' Alive' Cybercrime Operation is Tailored According to the Specific Targets
'Stayin' Alive' employs a range of distinct samples and versions of these loaders and payloads, frequently customized to suit specific regional targets, including language, file names, and thematic elements. The cybersecurity experts believe that the recently uncovered cluster is probably just a part of a larger campaign that encompasses additional undisclosed tools and attack techniques.
Based on the extensive assortment of unique tools utilized in these attacks and their high degree of customization, it is evident that they are designed to be easily discarded. Despite the differences in the code of these tools, they all establish connections with the same infrastructure, which has previously been associated with ToddyCat, a Chinese cyber espionage group.