A Chinese cyber espionage group known as ToddyCat has been targeting telecommunications organizations and governments in Central and Southeast Asia since at least 2021 [2] [3]. Its current campaign, called “Stayin’ Alive,” relies on spear-phishing emails carrying archive files that abuse a DLL sideloading vulnerability in Audinate’s Dante Discovery software, so that a legitimate, signed executable ends up loading a malicious DLL placed beside it [3].

Description

The “Stayin’ Alive” campaign delivers its payloads through spear-phishing emails with archive attachments; the archives exploit a DLL sideloading vulnerability in Audinate’s Dante Discovery software [3]. The group primarily targets telecommunications organizations and governments in Central and Southeast Asia [1] [2]. Check Point Research has identified a range of loaders and downloaders used as initial infection vectors against high-profile organizations in Kazakhstan, Uzbekistan, Pakistan, and Vietnam [1] [2]. One of these tools, CurKeep, is deployed by running a legitimate executable signed by Zoom, which then loads the malicious dal_keepalives.dll [2]. ToddyCat also uses custom tools such as CurLu, CurCore, and StylerServ to download and run additional payloads [1] [2]. These tools are simple in design and likely disposable [2]. Despite that simplicity, the activity is difficult to detect and track, although the group’s command-and-control infrastructure is easily identifiable [3].
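The sideloading chain above (a signed vendor executable loading a malicious DLL that sits next to it in a user-writable directory) leaves a recognisable footprint in endpoint telemetry. The hunt script below is an added example written for this page; it is not code from the original article, from Check Point Research, or from any of the cited sources. It assumes Sysmon Event ID 7 (Image loaded) records with the standard Image, ImageLoaded, Signed and SignatureStatus fields, and the sample records, the executable name vendor_discovery.exe, the user name and the temp-folder paths are all constructed for the demo.

```python
"""Hunt for DLL side-loading candidates in Sysmon Event ID 7 (Image loaded) records.

Added example for this page; not code from the article or from Check Point Research.
The executable name, user, paths and event records below are constructed for the demo.
"""
from pathlib import PureWindowsPath

# DLL name the article ties to the CurKeep loader.
WATCHED_DLLS = {"dal_keepalives.dll"}

# Locations where a signed binary loading a neighbouring DLL is routine.
TRUSTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Constructed Sysmon Event 7 records (hypothetical host data, not real telemetry).
SAMPLE_EVENTS = [
    {   # signed vendor EXE extracted from an archive loads an unsigned DLL beside it
        "EventID": 7,
        "Image": r"C:\Users\alice\AppData\Local\Temp\7zO1F2\vendor_discovery.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\7zO1F2\dal_keepalives.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # the same EXE loading a signed system DLL from System32: benign
        "EventID": 7,
        "Image": r"C:\Users\alice\AppData\Local\Temp\7zO1F2\vendor_discovery.exe",
        "ImageLoaded": r"C:\Windows\System32\ws2_32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # an installed application loading its own signed plugin: benign
        "EventID": 7,
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # unsigned DLL with an unknown name in a user-writable folder: worth a look
        "EventID": 7,
        "Image": r"C:\Users\alice\Downloads\tool\tool.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\tool\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # a process-create event, not an image load: ignored
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
    },
]


def classify(event):
    """Return ('high'|'medium', reason) for a suspicious load, or None."""
    if event.get("EventID") != 7:
        return None
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_dir = str(dll.parent).lower()
    co_located = dll_dir == str(exe.parent).lower()          # DLL sits beside the EXE
    unsigned = (event.get("Signed", "").lower() != "true"
                or event.get("SignatureStatus", "").lower() != "valid")
    in_trusted_dir = dll_dir.startswith(TRUSTED_PREFIXES)

    if co_located and dll.name.lower() in WATCHED_DLLS:
        return ("high", f"{dll.name} loaded from {exe.name}'s own directory")
    if co_located and unsigned and not in_trusted_dir:
        return ("medium",
                f"unsigned {dll.name} co-located with {exe.name} outside trusted paths")
    return None


def hunt(events):
    """Run classify() over a batch; return (severity, image, dll, reason) tuples."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((verdict[0], ev["Image"], ev["ImageLoaded"], verdict[1]))
    return hits


if __name__ == "__main__":
    for sev, image, dll, why in hunt(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {image} -> {dll}: {why}")
```

The name-based rule catches the specific indicator named on this page, while the generic rule (unsigned DLL loaded from the same non-standard directory as its host process) covers the sideloading pattern regardless of which lure binary a future campaign ships. Expect the generic rule to fire on portable tools and developer builds; baseline those by path or hash rather than weakening the rule.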

Conclusion

ToddyCat’s espionage campaign poses a significant threat to telecommunications organizations and governments in Central and Southeast Asia. Its reliance on spear-phishing emails and DLL sideloading calls for stronger email and attachment protection together with endpoint detection and response capable of flagging a signed binary that loads an unexpected DLL from a user-writable directory. While the loaders themselves are hard to spot, the group’s readily identifiable command-and-control infrastructure gives defenders a point at which to detect and block the activity. A layered defense combining these controls is recommended against ToddyCat and similar threats.

References

[1] https://thecyberthrone.in/2023/10/12/toddycat-chinese-apt-in-action-with-stayin-alive-campaign/
[2] https://www.infosecurity-magazine.com/news/chinese-apt-toddycat-asian/
[3] https://www.darkreading.com/threat-intelligence/chinese-stayin-alive-attacks-basic-loaders-asian-telcos