ToddyCat’s Covert Operations: Asian Telecommunication and Government Bodies under Attack

October 14, 2023

Cybersecurity experts at Check Point have uncovered an extensive campaign, named 'Stayin’ Alive', targeting governmental bodies and telecommunication firms in several Asian nations. The campaign, orchestrated by the Chinese hacker group, ToddyCat, has been active since 2021, with the main victims located in Kazakhstan, Uzbekistan, Pakistan, and Vietnam.

The threat actors employ a novel strategy, often creating unique tools specifically designed for each target. This approach not only makes it more challenging for researchers to connect the various incidents but also effectively bypasses security defenses by considering different factors such as the size of the organization, the language spoken, and the region.

The attacks generally begin with targeted phishing email campaigns. The emails come with attached ZIP files that contain malicious executables, which carry digital signatures and are disguised as harmless documents like contracts, invoices, and business proposals.

Once the malicious code is activated, the attackers exploit the CVE-2022-23748 vulnerability present in the Audinate Dante Discovery software. This vulnerability allows the covert upload of the CurKeep program, a mere 10 KB backdoor that establishes a persistent presence within the system, collects data, and waits for commands from the hackers.

The attackers also use loaders such as CurLu, CurCore, and CurLog in these attacks. These tools assist in the execution of arbitrary codes and the upload of additional malicious modules. One of the more advanced tools used is the StylerServ backdoor, which secretly monitors network traffic across five ports (ranging from 60810 to 60814) and downloads an encrypted configuration package, stylers.bin, containing further instructions.

Check Point experts have warned that these attackers continually hone their techniques, suggesting that the actual extent of their operations might be much larger. Despite differences in the source code of the tools used, all connect to a single command and control infrastructure. Kaspersky Lab had previously identified this infrastructure as belonging to ToddyCat.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.