Email to you: how resourceful ToddyCat hackers are breaking into Asian companies' systems

Carding 4 Carders

Kazakhstan, Uzbekistan and others – each has its own approach.

Researchers have identified a large-scale campaign called "Stayin Alive", aimed at government organizations and telecommunications companies in a number of Asian countries. According to experts from Check Point Software Technologies, the attacks have been carried out since 2021 and continue to this day by a group of Chinese hackers called ToddyCat.

The main victims are located in Kazakhstan, Uzbekistan, Pakistan and Vietnam. The attackers are creative: they often develop unique tools for each victim to make it harder for researchers to link incidents to each other. It also helps them bypass security mechanisms more effectively. The development process takes into account many individual characteristics: the size of the organization, language, region, and so on.

The attack usually starts with a targeted distribution of phishing emails. Attachments contain ZIP archives with digitally signed malicious executable files. These files are disguised as harmless documents: contracts, invoices, commercial offers.

When the malicious code runs, the attackers exploit the vulnerability CVE-2022-23748 in the Audinate Dante Discovery software. This bug allows them to load the CurKeep program unnoticed, bypassing the standard detection tools.

CurKeep is a 10 KB backdoor that establishes a permanent presence in the system, collects data, and waits for commands from hackers.

The attacks also involve various loaders such as CurLu, CurCore, and CurLog. They are used to execute arbitrary code and load additional malicious modules.

One of the most sophisticated tools is the StylerServ backdoor, which discreetly monitors network traffic on five ports (from 60810 to 60814) and downloads the encrypted configuration package stylers.bin with further instructions.

Check Point experts warn that the attackers are constantly improving their methods, so the real scale of the campaign may be much wider.

Despite the differences in the source code of the tools used, all of them are connected to a single management and control infrastructure. The fact that this infrastructure belongs specifically to ToddyCat was previously established by the Kaspersky Lab team.
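One concrete thing a defender can act on in the report above is the StylerServ listener on ports 60810 to 60814. The script below is an added example, not code from the post or from Check Point; it parses constructed `netstat -ano` style output (the PIDs and addresses are made up) and flags any process that listens on several ports of that range at once.

```python
"""Hunt for StylerServ-style listeners in Windows netstat output.

Added example, not part of the original post or Check Point's report.
The report says StylerServ listens on five TCP ports, 60810-60814.
The netstat lines below are constructed sample data: the PIDs and
addresses are made up for illustration.
"""
import re
from collections import defaultdict

STYLERSERV_PORTS = set(range(60810, 60815))  # 60810..60814 inclusive

# Matches `netstat -ano` LISTENING lines on Windows, e.g.
#   TCP    0.0.0.0:60810    0.0.0.0:0    LISTENING    4132
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)

def parse_listeners(netstat_output):
    """Return {pid: set(ports)} for every TCP LISTENING line."""
    listeners = defaultdict(set)
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            listeners[int(m.group("pid"))].add(int(m.group("port")))
    return dict(listeners)

def find_stylerserv_candidates(netstat_output, min_ports=3):
    """Return {pid: sorted ports} for PIDs listening on >= min_ports of the range.

    Requiring several ports from one process keeps a single coincidental
    high-port listener from alerting; all five from one PID is the strongest match.
    """
    hits = {}
    for pid, ports in parse_listeners(netstat_output).items():
        overlap = ports & STYLERSERV_PORTS
        if len(overlap) >= min_ports:
            hits[pid] = sorted(overlap)
    return hits

# Constructed sample: PID 4132 mimics StylerServ; 988 and 1540 are benign noise.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:60810          0.0.0.0:0              LISTENING       4132
  TCP    0.0.0.0:60811          0.0.0.0:0              LISTENING       4132
  TCP    0.0.0.0:60812          0.0.0.0:0              LISTENING       4132
  TCP    0.0.0.0:60813          0.0.0.0:0              LISTENING       4132
  TCP    0.0.0.0:60814          0.0.0.0:0              LISTENING       4132
  TCP    127.0.0.1:60812        0.0.0.0:0              LISTENING       1540
  TCP    10.0.0.5:60812         10.0.0.9:443           ESTABLISHED     4132
"""

if __name__ == "__main__":
    for pid, ports in find_stylerserv_candidates(SAMPLE_NETSTAT).items():
        print(f"PID {pid} listens on StylerServ-range ports {ports}")
```

On a live host, feed the real `netstat -ano` output to `find_stylerserv_candidates` and then inspect the flagged PID's image path and signer before treating it as a confirmed hit.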