Curkeep

Malware Profile Updated a month ago
CurKeep is a backdoor first described by Check Point Research as part of an espionage campaign it named "Stayin' Alive", active since at least 2021 and aimed at telecommunications providers and government bodies in Vietnam, Uzbekistan, and Kazakhstan. The attack chain began with a spear-phishing email carrying a ZIP attachment themed to match the email. The archive held a legitimate, digitally signed executable from Audinate's Dante Discovery software alongside a rogue DLL, dal_keepalives.dll. When the signed executable runs, it loads that DLL from its own directory (DLL side-loading, tracked as CVE-2022-23748), so the DLL, which is CurKeep, executes inside the signed process.

CurKeep is small: the payload is about 10 KB, contains only 26 functions, and is not statically linked against any library, which is what keeps it that size. Once running, it establishes persistence on the compromised host, sends system information to its command-and-control (C2) server, and then waits for commands.

Although first observed against entities in Vietnam, Uzbekistan, and Kazakhstan, the campaign is believed to be considerably wider. Alongside CurKeep, the same spear-phishing emails delivered other loaders and backdoors, including the CurCore payload, which supports remote command execution, and the StylerServ backdoor, a passive listener that monitors a set of ports. According to Check Point's report, all of them use infrastructure linked to the ToddyCat threat actor.
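As an added example (not code from this page or from Check Point Research), the following Python scans an e-mail attachment archive for the packaging the description above relies on: a PE executable and a DLL sitting in the same archive directory, which is what a side-loading lure needs because the host binary loads the DLL from its own folder. It classifies files by the DLL flag in the PE header rather than by extension, so a rogue DLL with a misleading name is still counted. The archive, the executable name signed_host.exe and the minimal PE stubs are constructed stand-ins; only dal_keepalives.dll is a name taken from the report.

```python
"""Scan a ZIP attachment for the side-loading delivery pattern: a PE
executable and a DLL packaged in the same directory. Added example, not
code from the page or from Check Point; sample files are constructed."""
import io
import struct
import zipfile
from dataclasses import dataclass

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag that marks a DLL


@dataclass(frozen=True)
class Finding:
    directory: str
    executable: str
    dll: str


def pe_is_dll(data: bytes):
    """True for a DLL, False for an EXE, None if the bytes are not a PE file.

    The decision uses the COFF Characteristics bit rather than the file
    extension, because a side-loaded DLL need not be named *.dll.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature; Characteristics is its last
    # field, at offset 18 within the 20-byte header.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return bool(characteristics & IMAGE_FILE_DLL)


def find_sideload_pairs(archive: bytes) -> list:
    """Return every (directory, exe, dll) combination where an executable and
    a DLL sit in the same archive directory: the host EXE, once run, loads
    the DLL from its own folder."""
    exes, dlls = {}, {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            directory, _, name = info.filename.rpartition("/")
            kind = pe_is_dll(zf.read(info))
            if kind is None:
                continue  # documents, images, etc. are not PE files
            (dlls if kind else exes).setdefault(directory, []).append(name)
    return [Finding(d, exe, dll)
            for d, names in exes.items()
            for exe in names
            for dll in dlls.get(d, [])]


def _minimal_pe(is_dll: bool) -> bytes:
    """Constructed stand-in for a real binary: a DOS header whose e_lfanew
    points at a bare PE signature plus COFF header, enough for pe_is_dll."""
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    characteristics = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return dos_header + b"PE\0\0" + coff


def build_sample_archive() -> bytes:
    """Constructed lure archive modelled on the one described above. The
    executable name is a placeholder; dal_keepalives.dll is the DLL name
    reported for CurKeep."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lure/signed_host.exe", _minimal_pe(False))
        zf.writestr("lure/dal_keepalives.dll", _minimal_pe(True))
        zf.writestr("lure/invitation.pdf", b"%PDF-1.4 constructed decoy")
        zf.writestr("unrelated/tool.exe", _minimal_pe(False))  # no DLL beside it
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_sideload_pairs(build_sample_archive()):
        print(f"side-load candidate in '{f.directory}/': {f.executable} + {f.dll}")
```

Flagging the pair is only the cheap first filter; the follow-up check on a flagged archive is whether the executable carries a valid code signature from a vendor that never ships the DLL beside it, which is exactly the shape of the lure described above.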
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
CVE-2022-23748 | 1 | CVE-2022-23748 is a software vulnerability, specifically a flaw in the design or implementation of Audinate's Dante Discovery software. This vulnerability allows for malicious exploitation via DLL side-loading schemes, where the affected software, due to its flawed design, loads and executes a malic
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Downloader
Backdoor
Payload
Phishing
Vulnerability
Malware
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
ToddyCat | has used | 1 | ToddyCat is a sophisticated Advanced Persistent Threat (APT) actor, likely Chinese-speaking, that has been active since at least December 2020. It primarily operates in Asia, targeting government entities in Malaysia, Thailand, and Pakistan. In 2022, Kaspersky reported finding ToddyCat actors using
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the CurKeep malware was read from the documents corpus below.
Source | Created | Title
DARKReading | a month ago | China-Linked Espionage Groups Target Asian Telecoms
CERT-EU | 9 months ago | ‘Stayin’ Alive’ cyber espionage campaign targets telecoms, governments in Asia
CERT-EU | 9 months ago | ToddyCat hackers use 'disposable' malware to target Asian telecoms
CERT-EU | 9 months ago | Researchers Uncover Ongoing Attacks Targeting Asian Governments and Telecom Giants
InfoSecurity-magazine | 9 months ago | Chinese APT ToddyCat Targets Asian Telecoms, Governments
CERT-EU | 9 months ago | Asian governments, telcos impacted by ToddyCat-linked attack campaign
Securityaffairs | 9 months ago | Stayin' Alive campaign targets high-profile Asian government and telecom entities. Is it linked to ToddyCat APT?
Checkpoint | 10 months ago | Stayin’ Alive - Targeted Attacks Against Telecoms and Government Ministries in Asia - Check Point Research