
Chinese ‘Stayin’ Alive’ Attacks: Analyzing the Dance of Dumb Malware


Chinese APT Group “ToddyCat” Utilizes Simple but Effective Tactics in Cyber Espionage

Chinese advanced persistent threat (APT) groups have long been known for their sophisticated cyber espionage techniques. However, one group, “ToddyCat,” is challenging this norm by employing a constantly evolving set of custom-developed, yet surprisingly simple, backdoors and loaders to compromise telecommunications organizations in Central and Southeast Asia. ToddyCat, believed to be associated with Chinese espionage operations, has recently been observed deploying and discarding cheap malware in its latest campaign, named “Stayin’ Alive,” which has been running since at least 2021.

The Tactics of “Stayin’ Alive” Campaign

ToddyCat’s Stayin’ Alive attacks start with spear-phishing emails that contain archive files. When executed, these archive files exploit a highly critical DLL sideloading vulnerability (CVE-2022-23748) in Dante AV systems software. DLL sideloading is a popular technique among Chinese threat actors, allowing them to drop loaders and downloaders onto targeted devices.

The loaders and downloaders utilized by ToddyCat are not as sophisticated as one would expect from a high-level state-affiliated threat actor, but they have enough basic functionality to accomplish their initial goals. These tools gather information about infected machines, such as computer name, user name, system information, and directories. They also let the attacker execute arbitrary commands through a shell function. It is suspected that additional backdoors and modules are deployed via this shell, although further research is needed to confirm this.

The Strategy Behind Using Basic Malware

ToddyCat’s choice to use simple and basic malware may initially seem lazy or ineffective, but there is a reasoning behind this approach. According to Sergey Shykevich, threat intelligence group manager at Check Point, “The smaller the tool, the more difficult it is to detect, and also, when it’s a small tool, it’s relatively easy to adjust it to a target.” By utilizing minimalistic malware, ToddyCat minimizes the risk of detection. Additionally, these smaller tools can be quickly adjusted and customized for each target, making them highly adaptable. Furthermore, the low complexity and cost of these tools make it easier for ToddyCat to discard them and develop new samples.

However, the unique aspect of ToddyCat’s strategy lies in the fact that each malware sample has no discernible overlap with known malware families or even with other samples from ToddyCat. This makes it challenging for researchers to identify and track the group’s activities. Shykevich explains, “The small changes mean that you can catch one of them, but it won’t be so straightforward to catch all the others. It will require some additional work.”

The Importance of a Layered Approach for Defense

To defend against a nimble attacker like ToddyCat, security experts emphasize the need for a layered approach. Shykevich recommends proper email protection that identifies malicious attachments as the first line of defense. It is also crucial to deploy endpoint detection and response (EDR) solutions that can identify DLL sideloading and malicious shell activity. By combining email security with comprehensive endpoint detection, organizations can strengthen their defenses against this type of threat.
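To make the endpoint-detection point concrete, here is an added example that is not from the article or from Check Point: it scans constructed Sysmon-style image-load (Event ID 7) and process-creation (Event ID 1) records for a DLL that normally lives in System32 being loaded from another folder, and for a command shell spawned by that same process. The DLL names, file paths and process IDs are assumptions made for the example, not indicators from the campaign.

```python
"""Toy detection logic for DLL sideloading followed by shell activity.

Rule 1: a DLL whose name normally lives under System32 is loaded from
        some other directory (the classic sideloading pattern).
Rule 2: a process flagged by rule 1 later spawns a command shell.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Illustrative set of DLL names to watch; assumed for this example,
# not an exhaustive list and not taken from the campaign.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}
SHELLS = {"cmd.exe", "powershell.exe"}


def is_sideload(event):
    """True when a watched DLL name is loaded from outside the system dirs."""
    path = event["ImageLoaded"].lower()
    return ntpath.basename(path) in SYSTEM_DLLS and not path.startswith(SYSTEM_DIRS)


def analyze(events):
    """Return a list of (severity, description) findings, in event order."""
    findings = []
    suspect_pids = set()
    for ev in events:
        if ev["EventID"] == 7 and is_sideload(ev):
            suspect_pids.add(ev["ProcessId"])
            findings.append(("medium", f"{ev['Image']} loaded {ev['ImageLoaded']}"
                                       " from outside a system directory"))
        elif (ev["EventID"] == 1 and ev["ParentProcessId"] in suspect_pids
              and ntpath.basename(ev["Image"].lower()) in SHELLS):
            findings.append(("high", f"shell {ev['Image']} spawned by pid "
                                     f"{ev['ParentProcessId']} after sideload"))
    return findings


# Constructed sample events (paths and PIDs invented for this example).
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},          # benign load
    {"EventID": 7, "ProcessId": 5212, "Image": r"C:\Users\u\AppData\Local\Temp\arc\app.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\arc\version.dll"},  # sideload
    {"EventID": 1, "ProcessId": 5300, "ParentProcessId": 5212,
     "Image": r"C:\Windows\System32\cmd.exe"},                      # shell from suspect
    {"EventID": 1, "ProcessId": 5400, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe"},                      # shell from benign
]

if __name__ == "__main__":
    for severity, description in analyze(SAMPLE_EVENTS):
        print(severity, description)
```

Real EDR telemetry would add signer checks and allowlists for legitimate application directories; the point here is the two-stage correlation, not the specific DLL list.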

Conclusion: Staying Vigilant in the Face of Evolving Threats

The case of ToddyCat serves as a reminder that even threat actors utilizing seemingly simple tactics can cause substantial damage. This incident highlights the need for organizations to remain vigilant and adapt their security strategies to combat the continuously evolving threat landscape. As the digital realm becomes increasingly interconnected, cyber defenses must become equally sophisticated and multi-faceted. By incorporating advanced security measures, organizations can better protect themselves against APT groups like ToddyCat and safeguard sensitive data, intellectual property, and critical infrastructure.
