Researchers have uncovered a new cyberespionage campaign targeting the telecommunications industry and government organizations across Kazakhstan, Uzbekistan, Pakistan, and Vietnam. The campaign, named Stayin Alive, has been active since 2021 and is possibly the work of a Chinese threat actor called ToddyCat.
Infection process
- The campaign employs spear-phishing emails and DLL side-loading to deliver archive files to the victims’ systems.
- Additionally, it exploits a previously-known vulnerability (CVE-2022-23748) in Audinate’s Dante Discovery Software by hijacking dal_keepaliver.dll.
- After successful exploitation, the attackers deploy a variety of downloaders and loaders, which serve as channels for the further execution of additional malicious payloads.
- During the initial discovery of the campaign, a malware downloader called CurKeep was used as part of the infection process.
A trend of similar espionage campaigns
While the campaign remains active, it is interesting to note that similar attacks by Chinese threat actors have been observed in the recent past.
- A report published by Symantec researchers highlighted that the China-linked Emissary Panda (aka Budworm) hacking group used a new version of SysUpdate malware to spy on a Middle Eastern telecom organization and an Asian government.
- In a separate incident, SentinelOne shared details of a well-orchestrated Chinese cyber espionage operation that targeted the telecom industry, finance, and government in the Middle East region. The attack was believed to have been launched by the BackdoorDiplomacy (aka APT15) group.
Conclusion
As the current espionage campaign is primarily executed via spear-phishing emails, it is recommended to refrain from attending to unsolicited emails/messages. Organizations must implement robust email security gateways to prevent the recipients from receiving unwanted email messages. At last, it is advised to update systems and software to their latest versions.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/88ad_shutterstock_385509127.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/3bac_shutterstock_788198215.jpg)
