CurKeep is a backdoor first discovered in 2021 as part of an espionage campaign known as "Stayin' Alive". The campaign targeted the telecommunications industry and government bodies in Vietnam, Uzbekistan, and Kazakhstan. The attack chain began with a spear-phishing email carrying a ZIP attachment. The archive contained a legitimate executable together with a rogue DLL, dal_keepalives.dll; the executable used DLL side-loading to load the CurKeep backdoor from that DLL. This initial loader was digitally signed and chosen to match the email's context, and it exploited a vulnerability (CVE-2022-23748) in Audinate's Dante Discovery software to side-load CurKeep onto the system.
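The side-loading step above leaves a recognisable trace in endpoint telemetry: a signed executable and an unsigned DLL extracted together into a user-writable directory, with the executable then loading that DLL. The following Python script is an added example, not code from the page or from Check Point, that scans Sysmon-style ImageLoad (Event ID 7) records for that pattern. The log records, the user-writable path prefixes, the placeholder names `signed_app.exe` and `VendorApp`, and every watchlist entry other than `dal_keepalives.dll` (the only DLL name the page gives) are constructed assumptions.

```python
"""Flag DLL side-loading candidates in Sysmon-style ImageLoad records.

Added example for the CurKeep description; not the page's or Check Point's
code. Records are constructed here, flattened to key=value pairs, and are
not real telemetry.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Directories a phishing attachment typically lands in (assumption; an
# operator would tune this list to their estate).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# DLL names known to be side-loaded. dal_keepalives.dll comes from the page;
# anything else added here would be the operator's own watchlist.
SIDELOAD_WATCHLIST = {"dal_keepalives.dll"}

# Constructed Sysmon Event ID 7 records (Image = loading process,
# ImageLoaded = DLL, Signed/SignatureStatus describe the DLL).
# Executable and vendor directory names are placeholders.
SAMPLE_LOG = r"""
Image=C:\Users\alice\Downloads\invite\signed_app.exe;ImageLoaded=C:\Users\alice\Downloads\invite\dal_keepalives.dll;Signed=false;SignatureStatus=Unavailable
Image=C:\Program Files\VendorApp\signed_app.exe;ImageLoaded=C:\Program Files\VendorApp\dal_keepalives.dll;Signed=true;SignatureStatus=Valid
Image=C:\Windows\System32\notepad.exe;ImageLoaded=C:\Windows\System32\kernel32.dll;Signed=true;SignatureStatus=Valid
Image=C:\Users\bob\AppData\Local\Temp\tool.exe;ImageLoaded=C:\Users\bob\AppData\Local\Temp\helper.dll;Signed=false;SignatureStatus=Unavailable
"""


def parse_record(line: str) -> dict[str, str]:
    """Split one flattened record into a field dictionary."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if kv)


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory a normal user can write to."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def same_dir(a: str, b: str) -> bool:
    """True if both paths share a parent directory (case-insensitive)."""
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def classify(rec: dict[str, str]) -> list[str]:
    """Return the reasons this load looks like side-loading (empty if none)."""
    reasons: list[str] = []
    image = rec.get("Image", "")
    loaded = rec.get("ImageLoaded", "")
    name = PureWindowsPath(loaded).name.lower()
    if not name.endswith(".dll"):
        return reasons
    unsigned = (rec.get("Signed", "").lower() != "true"
                or rec.get("SignatureStatus", "") != "Valid")
    if unsigned and is_user_writable(loaded):
        reasons.append("unsigned DLL loaded from a user-writable directory")
    if same_dir(image, loaded) and is_user_writable(image):
        reasons.append("executable and DLL co-located outside an install directory")
    if name in SIDELOAD_WATCHLIST:
        reasons.append("DLL name on side-load watchlist: " + name)
    return reasons


def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Scan a block of records and return (DLL path, reasons) for each hit."""
    hits: list[tuple[str, list[str]]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_LOG):
        print(dll)
        for r in reasons:
            print("   -", r)
```

The first record reproduces the pattern from the page and trips all three checks; the second shows why the watchlist alone is a weak signal (a validly signed DLL of the same name in an install directory gets one low-confidence reason), and the third, a normal system DLL load, produces no hit. In a real deployment the Sysmon ImageLoad event does not carry the loading process's own signature, so the "signed executable" half of the pattern has to be joined from process-creation or file-scan data.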
CurKeep is a small backdoor, with a payload of just 10 KB. Once installed, it establishes persistence on the compromised device and sends system information to the command-and-control (C2) server. It then lies dormant, waiting for commands from the C2 server. Although first detected in attacks against entities in Vietnam, Uzbekistan, and Kazakhstan, the campaign using CurKeep is believed to be much wider in scope than initially thought.
In addition to CurKeep, the attackers have spread numerous other loaders and backdoors through spear-phishing emails. These include the CurCore payload, which enables remote command execution, and the StylerServ backdoor, which allows port traffic monitoring. According to a report by Check Point, they use infrastructure associated with ToddyCat. Despite its small size, CurKeep contains 26 functions and is not statically linked against any library, demonstrating the sophistication of this malware.
Description last updated: 2024-06-25T03:15:32.540Z