Curkeep

Malware Profile Updated 13 days ago
CurKeep is malware discovered by researchers and first identified in attacks targeting entities in Vietnam, Uzbekistan, and Kazakhstan. It is delivered through spear-phishing emails, and its infection chain begins with a ZIP attachment containing a legitimate executable signed by Zoom. That executable loads a rogue DLL named dal_keepalives.dll through DLL side-loading, and the DLL in turn loads the CurKeep backdoor. The chain takes advantage of a vulnerability (CVE-2022-23748) in Audinate's Dante Discovery software to establish itself on the system. CurKeep is a 10 KB backdoor that establishes persistence on the infected device and communicates with a command-and-control (C2) server; after sending system information to the C2 server, it remains dormant and awaits further commands.

The initial discovery suggested targeted attacks against specific countries, but the campaign is believed to be much broader than first thought. Alongside CurKeep, the attackers have distributed numerous other loaders and backdoors through spear-phishing emails, including the CurCore payload, which enables remote command execution, and the StylerServ backdoor, which monitors port traffic. A report by Check Point associates these operations with ToddyCat. Despite its small size, CurKeep contains 26 functions and is not statically linked against any library, demonstrating a sophisticated approach to cyber espionage.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Downloader
Backdoor
Payload
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the CurKeep malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
Checkpoint | 7 months ago | Stayin’ Alive - Targeted Attacks Against Telecoms and Government Ministries in Asia - Check Point Research
CERT-EU | 7 months ago | ToddyCat hackers use 'disposable' malware to target Asian telecoms
Securityaffairs | 7 months ago | Stayin' Alive campaign targets high-profile Asian government and telecom entities. Is it linked to ToddyCat APT?
CERT-EU | 7 months ago | ‘Stayin’ Alive’ cyber espionage campaign targets telecoms, governments in Asia
InfoSecurity-magazine | 7 months ago | Chinese APT ToddyCat Targets Asian Telecoms, Governments
CERT-EU | 7 months ago | Asian governments, telcos impacted by ToddyCat-linked attack campaign
CERT-EU | 7 months ago | Researchers Uncover Ongoing Attacks Targeting Asian Governments and Telecom Giants