Severity
High
Analysis Summary
Since 2021, a persistent cyber campaign named “Stayin’ Alive” has been actively targeting high-profile government and telecom entities across Asia. This campaign aims to deploy basic backdoors and loaders as a means to deliver more advanced malware in subsequent stages. Researchers have been monitoring this campaign, which has targeted organizations in countries such as Vietnam, Uzbekistan, Pakistan, and Kazakhstan.
The tools used in the Stayin’ Alive campaign are characterized by their simplicity and a wide range of variations. These tools appear to be disposable and are primarily used to download and execute additional malware payloads. Notably, these tools do not share any clear code similarities with known threat actors and lack significant commonalities among themselves.
One intriguing aspect of this campaign is the overlap in infrastructure with that used by ToddyCat, a threat actor with links to China. ToddyCat has a history of orchestrating cyberattacks against government and military agencies in Europe and Asia since at least December 2020.
The attack chain in Stayin’ Alive starts with a spear-phishing email carrying a ZIP attachment. The archive contains a legitimate executable together with a rogue DLL named dal_keepalives.dll placed beside it; when the executable runs, it side-loads that DLL, which is the CurKeep backdoor.
CurKeep is designed to perform several functions, including sending information about the compromised host to a remote server, executing commands sent by the server, and writing server responses to a file on the compromised system.
Further investigation of the command-and-control (C2) infrastructure revealed an evolving set of loader variants, including CurLu, CurCore, and CurLog. These loaders can receive DLL files from the server, execute remote commands, and write server-supplied data to newly created files which they then launch as processes.
Additionally, a passive implant named StylerServ was discovered, which listens on various ports (60810, 60811, 60812, 60813, and 60814) to accept remote connections and receive encrypted configuration files.
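The two host-level behaviours described above, DLL side-loading from a user-writable directory and a passive listener on the StylerServ ports, are straightforward to hunt for. The following Python script is an added example and is not code from the alert or from the researchers; the Sysmon-style image-load events and the `netstat -ano` output are constructed samples, and the executable name `signed_app.exe` is a placeholder rather than the real loader used in the campaign.

```python
"""Hunt for the two host-side behaviours described in the alert:
a DLL side-loaded by an executable running outside the trusted install
directories (the CurKeep / dal_keepalives.dll case) and a passive listener
on the StylerServ ports. Events and netstat output below are constructed."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

SIDELOAD_DLL = "dal_keepalives.dll"
STYLERSERV_PORTS = {60810, 60811, 60812, 60813, 60814}
# Directories where a DLL sitting next to its loader is expected. Anything
# else (Temp, Downloads, AppData, a ZIP extraction folder) deserves a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_suspicious_image_load(event: dict) -> bool:
    """Sysmon Event ID 7 (ImageLoad) heuristic.

    Flags the campaign's DLL by name wherever it appears and otherwise flags
    any DLL loaded from the same directory as the loading process when that
    directory is outside TRUSTED_DIRS: the classic side-loading layout of a
    legitimate signed EXE dropped next to a rogue DLL."""
    if event.get("EventID") != 7:
        return False
    image = PureWindowsPath(event["Image"].lower())
    dll = PureWindowsPath(event["ImageLoaded"].lower())
    if dll.name == SIDELOAD_DLL:
        return True
    same_dir = image.parent == dll.parent
    trusted = str(dll).startswith(TRUSTED_DIRS)
    return same_dir and not trusted


# One line of `netstat -ano`: proto, local addr:port, foreign addr, state, PID
NETSTAT_LISTEN = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)"
)


def find_stylerserv_listeners(netstat_output: str) -> list[tuple[int, int]]:
    """Return (port, pid) for every LISTENING TCP socket on a StylerServ port."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LISTEN.match(line)
        if m and int(m.group("port")) in STYLERSERV_PORTS:
            hits.append((int(m.group("port")), int(m.group("pid"))))
    return hits


def hunt(events: list[dict], netstat_output: str) -> dict:
    """Run both checks and return the findings as plain data."""
    loads = [(e["Image"], e["ImageLoaded"]) for e in events if is_suspicious_image_load(e)]
    return {"sideloads": loads, "listeners": find_stylerserv_listeners(netstat_output)}


# Constructed Sysmon-style records (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"EventID": 7, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\extracted\\signed_app.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\extracted\\dal_keepalives.dll"},
    {"EventID": 7, "Image": "C:\\Users\\victim\\Downloads\\portable\\tool.exe",
     "ImageLoaded": "C:\\Users\\victim\\Downloads\\portable\\helper.dll"},
    {"EventID": 7, "Image": "C:\\Users\\victim\\Downloads\\portable\\tool.exe",
     "ImageLoaded": "C:\\Windows\\System32\\user32.dll"},
    {"EventID": 3, "Image": "C:\\Users\\victim\\Downloads\\portable\\tool.exe",
     "DestinationIp": "70.34.201.229"},
]

# Constructed `netstat -ano` output; PID 4120 is the hypothetical implant.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:60812          0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.10:50123     70.34.201.229:443      ESTABLISHED     4120
"""

if __name__ == "__main__":
    for key, value in hunt(SAMPLE_EVENTS, SAMPLE_NETSTAT).items():
        print(key, value)
```

The same-directory rule is deliberately broad: it also fires on the third sample event, a portable tool loading its own helper DLL from Downloads, which is exactly the kind of hit an analyst has to triage by checking the executable's signer and whether the DLL belongs to that product. The name match on dal_keepalives.dll is the high-confidence signal; the listener check should be correlated with the owning PID's image path, since a listener on 60810–60814 from a process in a user profile directory is far more interesting than one from a known service.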
While there is no definitive evidence linking Stayin’ Alive to ToddyCat, the shared infrastructure points to some overlap between the two intrusion sets. Both rely on disposable loaders and downloaders, a trend increasingly adopted even by sophisticated threat actors. Because such tools are replaced frequently and may be written from scratch each time, signature-based detection and attribution become considerably harder.
“The use of disposable loaders and downloaders, as observed in this campaign, is becoming more common even among sophisticated actors. The use of disposable tools makes both detection and attribution efforts more difficult, as they are replaced often, and possibly written from scratch. This is evident in the ‘Stayin’ Alive’ campaign in which high-profile organizations were targeted with very simple backdoors,” the researchers conclude.
Impact
- Unauthorized Access
- Remote Command Execution
Indicators of Compromise
Domain Name
- ns01.nayatel.orinafz.com
- eaq.machineaccountquota.com
- imap.774b884034c450b.com
- admit.pkigoscorp.com
- cyberguard.certexvpn.com
IP
- 70.34.201.229
- 45.77.171.170
- 167.179.91.150
- 207.148.69.74
- 65.20.68.126
- 136.244.111.25
MD5
- 64d7674a4e9e2a973c976fade4e64e82
- b31c32af306d736572263371afbd1802
- ad8f36645796b44ee4e6465c8ad5ead9
- dbe6f9117e0cac23a31b0f871561348a
- dffce9860497d0dccd414ce31e59c058
- b34df10485790ded5e1bf772b832f90e
- 9e737418f7d0f09f22167229853c9eba
- e282d63beeb78fc1ef6f954ab3296669
- e25f061dec65a7d2721f49d24b1187f0
- 5b3d4bd07f4ac158ed8965b717598458
- 753d9f3d05e9f8543e9ebe8c8bc11134
- 507641012e9ce459c448da48549d8609
- 12d7d7c7b0349a3ee3f5b6b9d5b419cd
SHA-256
- 6eaa33812365865512044020bc4b95079a1cc2ddc26cdadf24a9ff76c81b1746
- 78faceaf9a911d966086071ff085f2d5c2713b58446d48e0db1ad40974bb15cd
- 409948cbbeaf051a41385d2e2bc32fc1e59789986852e608124b201d079e5c3c
- 4d52d40bc7599b784a86a000ff436527babc46c5de737e19ded265416b4977c6
- 437cde10797b75ea92b1b68eb887972fe43b434db3ed67b756e01698cce69b4a
- c5d1ee44ec75fc31e1c11fbf7a70ed7ca8c782099abfde15ecaa1b1edaf180ac
- da2d9ed632576eca68a0c6d8d5afd383a1d811c369012f0d7fb52cd06da8c9b9
- 451f87134438fa7e5735a865989072e7bab4858ca0b1e921224ed27dea0226b0
- 93e9237afaff14c6b9a24cf7275e9d66bc95af8a0cc93db2a68b47cbbca4c347
- 482d41c4a2e14ddc072087a1b96f6e34ffda2bfc85819e21f15c97220825e651
- 877579185a72fbaf1afa78d3c50dbab187780d545d5375ba4c29147083176697
- 7418c4d96cb0fe41fc95c0a27d2364ac45eb749d7edbe0ab339ea954f86abf9e
- 778b2526965dc1c4bcc401d0ae92037122e7e7f2c41f042f95b59a7f0fe6f30e
SHA-1
- 8351a715462e211dd1a833fdab6086fb423cd7c5
- f8900a1d6a6868547333cfa5511104201d28ee37
- 8be6d9f79a37c698d94c88820e2f369b50ddc811
- 6939b842bae577f600bdd2d26e443edad66bd8b8
- 71dbd626aed9bc98e4347087be7efe0f7042f5fa
- bd3651da6717b7af4a84b762d963fb8be6839c59
- b201e4d5efe65813b08da9eeb9de0f80e6ae292a
- 4c7005b33dcad81ffcf82841ad7cdf96a022cd8e
- 3202616b92b96ea0e6eff76671eb65f7ac8925bf
- de80ffb1eed36eaaaa2584ee52b6edb6d8a48160
- 561bfe296e786d3d5105871083a10276c5db5e75
- cc631fd2f0b55ab42d50864a550e4319c99354ae
- 81a6126ad454a5e9eeffd410321b17c1c7e27c8a
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls (DNS and proxy logs for the domains and IPs, endpoint file hashes for the MD5/SHA-1/SHA-256 values).
- Develop and regularly update an incident response plan to ensure a coordinated and efficient response in the event of a cyberattack.
- Implement robust email filtering solutions to detect and filter out phishing emails.
- Utilize anti-phishing tools that can identify and block suspicious email attachments.
- Keep software and operating systems up-to-date to address vulnerabilities that attackers may exploit.
- Segment your network to limit lateral movement for threat actors. Isolate sensitive systems from less critical ones.
- Implement the principle of least privilege (PoLP) to restrict user and system access to only what is necessary for their roles. This limits the potential impact of a breach.
- Deploy EDR solutions that can detect and respond to suspicious or malicious activities on endpoints, including DLL side-loading and other indicators of compromise.
- Maintain detailed logs of network and system activities. Continuously monitor for any anomalies or suspicious behavior.
- Employ intrusion detection and prevention systems (IDS/IPS) to identify and block malicious network traffic.
- Regularly analyze and update defenses against command-and-control (C2) infrastructure changes.
- Ensure strong access control policies and mechanisms are in place to restrict access to critical systems and data.
- Regularly back up critical data and systems, and store backups offline.
- Conduct regular security audits and assessments to identify and rectify vulnerabilities.
- Apply patches promptly to address known vulnerabilities and reduce the attack surface.
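The first two remediation items, blocking and searching for the listed indicators, are mechanical enough to script. The following Python example is added here and is not code from the alert: it carries the domain, IP and SHA-256 indicators from the IOC section above (the MD5 and SHA-1 values can be added to the same set), hashes files on disk against them, and checks DNS/proxy log lines for the domains, their subdomains, and the IPs. The log lines and the sample file are constructed for illustration; the file's own hash is added to the indicator set at runtime to stand in for a real match, since a genuine sample cannot be embedded here.

```python
"""Match the alert's indicators against files on disk and against DNS/proxy
log lines. Indicator sets are copied from the alert; the sample log lines and
the sample file are constructed."""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path
from typing import Iterable

IOC_DOMAINS = {
    "ns01.nayatel.orinafz.com",
    "eaq.machineaccountquota.com",
    "imap.774b884034c450b.com",
    "admit.pkigoscorp.com",
    "cyberguard.certexvpn.com",
}
IOC_IPS = {
    "70.34.201.229", "45.77.171.170", "167.179.91.150",
    "207.148.69.74", "65.20.68.126", "136.244.111.25",
}
IOC_SHA256 = {
    "6eaa33812365865512044020bc4b95079a1cc2ddc26cdadf24a9ff76c81b1746",
    "78faceaf9a911d966086071ff085f2d5c2713b58446d48e0db1ad40974bb15cd",
    "409948cbbeaf051a41385d2e2bc32fc1e59789986852e608124b201d079e5c3c",
    "4d52d40bc7599b784a86a000ff436527babc46c5de737e19ded265416b4977c6",
    "437cde10797b75ea92b1b68eb887972fe43b434db3ed67b756e01698cce69b4a",
    "c5d1ee44ec75fc31e1c11fbf7a70ed7ca8c782099abfde15ecaa1b1edaf180ac",
    "da2d9ed632576eca68a0c6d8d5afd383a1d811c369012f0d7fb52cd06da8c9b9",
    "451f87134438fa7e5735a865989072e7bab4858ca0b1e921224ed27dea0226b0",
    "93e9237afaff14c6b9a24cf7275e9d66bc95af8a0cc93db2a68b47cbbca4c347",
    "482d41c4a2e14ddc072087a1b96f6e34ffda2bfc85819e21f15c97220825e651",
    "877579185a72fbaf1afa78d3c50dbab187780d545d5375ba4c29147083176697",
    "7418c4d96cb0fe41fc95c0a27d2364ac45eb749d7edbe0ab339ea954f86abf9e",
    "778b2526965dc1c4bcc401d0ae92037122e7e7f2c41f042f95b59a7f0fe6f30e",
}


def file_hashes(path: Path) -> dict[str, str]:
    """Stream the file once and return md5/sha1/sha256 hex digests."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_files(paths: Iterable[Path], known: set[str] = IOC_SHA256) -> list[tuple[Path, str]]:
    """Return (path, digest) for every file whose MD5, SHA-1 or SHA-256 is in `known`."""
    hits = []
    for p in paths:
        if not p.is_file():
            continue
        for digest in file_hashes(p).values():
            if digest in known:
                hits.append((p, digest))
                break
    return hits


# Host-like tokens: letters, digits, dots and hyphens, no leading/trailing dot.
HOST_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*[A-Za-z0-9]")


def indicator_in_line(line: str) -> str | None:
    """Return the matching indicator if the line names a listed IP, a listed
    domain, or a subdomain of a listed domain; otherwise None. A parent domain
    (e.g. orinafz.com alone) is not flagged because the alert lists only FQDNs."""
    for tok in HOST_TOKEN.findall(line):
        t = tok.lower()
        if t in IOC_IPS or t in IOC_DOMAINS:
            return t
        for d in IOC_DOMAINS:
            if t.endswith("." + d):
                return d
    return None


def scan_log(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line number, indicator) for every log line that hits."""
    return [(n, ioc) for n, line in enumerate(lines, 1) if (ioc := indicator_in_line(line))]


# Constructed DNS/proxy log lines; line 4 is a near miss on purpose.
SAMPLE_LOG = [
    "2023-10-12T09:58:11Z dns client=10.0.0.5 query=www.example.com type=A",
    "2023-10-12T09:58:40Z dns client=10.0.0.5 query=admit.pkigoscorp.com type=A",
    "2023-10-12T09:58:41Z proxy client=10.0.0.5 dst=45.77.171.170:443 action=allow",
    "2023-10-12T10:02:03Z dns client=10.0.0.9 query=mail.orinafz.com type=A",
]


def demo() -> dict:
    """Write a constructed sample file, add its SHA-256 to a copy of the indicator
    set (standing in for a real hit) and run both scans."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "dal_keepalives.dll"
        sample.write_bytes(b"constructed sample, not real malware")
        known = IOC_SHA256 | {file_hashes(sample)["sha256"]}
        file_hits = [(p.name, d) for p, d in scan_files([sample], known)]
    return {"file_hits": file_hits, "log_hits": scan_log(SAMPLE_LOG)}


if __name__ == "__main__":
    print(demo())
```

Hashing all three algorithms in one pass keeps a full-disk sweep to a single read per file; in practice you would feed `scan_files` a `Path(...).rglob("*")` over user profile and temp directories rather than the whole volume. Hash matching only catches the exact samples already seen, which is the weakness the alert itself points out for disposable tooling, so treat these IOCs as a starting point and pair them with the behavioural checks (side-loading, unexpected listeners) rather than relying on them alone.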