The spread of the "Stayin' Alive" campaign threatens the security of telecom companies in Kazakhstan

Carding 4 Carders

Confidential data across Asia was compromised after a malicious mailing campaign.

Recent research by Check Point Research has revealed details of the ongoing "Stayin' Alive" campaign, active since at least 2021 and aimed primarily at the telecommunications industry and government entities in Asia. The initial infection vectors target high-profile organizations in the region, including in Kazakhstan, Uzbekistan, Pakistan, and Vietnam. The analysis has shown that this campaign is part of a broader threat to the region.

The main campaign tools are malware loaders and installers designed to compromise organizations' systems and exfiltrate data. The study found that the toolkit is simple and varied, which suggests the tools are disposable: they exist to load and launch additional payloads and are probably used mainly to gain initial access to systems.

The tools have no obvious links to the development of well-known hacker groups, but they all share the same infrastructure, which in turn is associated with ToddyCat, a China-linked threat actor operating in the Asian region.

It is important to note that the infection chain begins with a phishing email sent in September 2022 to a Vietnamese telecommunications company, with a ZIP archive attached. The subject line of the email translates as "INSTRUCTIONS FOR MANAGING AND USING IT: USER RULES", which may indicate that the campaign is targeted.

The archive contains two files: an executable, "mDNSResponder.exe", renamed to match the subject of the email, and a library, "dal_keepalives.dll", loaded by the DLL sideloading method. Loading the two files in this way was made possible by exploiting the vulnerability CVE-2022-23748 (CVSS: 7.8) in the Audinate Dante Discovery software.
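A defender-side example of how the sideloading pair described above could be spotted in Sysmon ImageLoad (Event ID 7) telemetry. This is added here and is not from the post or the Check Point report; the install directory, the sample events and their field values are constructed assumptions.

```python
import ntpath

# Assumed legitimate install directory for Dante Discovery (adjust to what
# your asset inventory shows); the vendor binary and DLL names are from the post.
EXPECTED_DIR = r"C:\Program Files (x86)\Audinate\Dante Discovery"
VENDOR_EXE = "mdnsresponder.exe"
SIDELOADED_DLL = "dal_keepalives.dll"

# Constructed Sysmon Event ID 7 records; field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"Image": EXPECTED_DIR + r"\mDNSResponder.exe",          # benign vendor load
     "ImageLoaded": EXPECTED_DIR + r"\dal_keepalives.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\hr\Downloads\archive\INSTRUCTIONS FOR MANAGING AND USING IT.exe",
     "ImageLoaded": r"C:\Users\hr\Downloads\archive\dal_keepalives.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},  # lure-style load
    {"Image": r"C:\Windows\System32\svchost.exe",            # unrelated load
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def sideload_indicators(event, expected_dir=EXPECTED_DIR):
    """Return the reasons an ImageLoad event matches the sideloading pattern
    (an empty list means nothing suspicious)."""
    dll = event["ImageLoaded"]
    if ntpath.basename(dll).lower() != SIDELOADED_DLL:
        return []
    reasons = []
    # The lure renamed the vendor binary to the e-mail subject line.
    if ntpath.basename(event["Image"]).lower() != VENDOR_EXE:
        reasons.append("host process is not named %s" % VENDOR_EXE)
    # A vendor DLL resolved from outside the install directory is the core signal.
    if not ntpath.dirname(dll).lower().startswith(expected_dir.lower()):
        reasons.append("DLL loaded from outside %s" % expected_dir)
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("DLL is unsigned or its signature is not valid")
    return reasons


def scan(events, expected_dir=EXPECTED_DIR):
    """Map each suspicious event's Image path to its list of indicators."""
    return {e["Image"]: r for e in events if (r := sideload_indicators(e, expected_dir))}


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

Any one indicator is worth a look, but all three together on the same load is the shape of the chain the post describes.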

Once the malicious files are installed, the CurLu Loader, CurCore, and CurLog Loader tools are delivered to the device. Each has its own methods for infecting the host and loading further malicious payloads. The main functions of the tools are data exfiltration and establishing persistence.

Additionally, several other tools were found to be used in attacks on the same targets. This indicates that the "Stayin' Alive" campaign is probably a small part of a much larger operation that uses many currently unknown tools and techniques.