Skip to content Skip to footer

Sophisticated DEEP#GOSU Attack Campaign Uncovered by Securonix

Cybersecurity firm Securonix has discovered a complex, multi-stage attack campaign dubbed DEEP#GOSU, likely linked to the North Korean state-sponsored group Kimsuky. The campaign uses PowerShell and VBScript to infect Windows systems and steal sensitive information.

The utilized in this attack is designed to operate covertly on Windows systems, with features such as keylogging, clipboard monitoring, dynamic payload execution, and data exfiltration. It also uses remote access tools and scheduled tasks for persistence.

One significant aspect of this attack is its use of legitimate services such as Dropbox and Docs for command and control. This allows the attackers to blend in with regular network traffic, update the 's functionality, and deliver additional modules.

The attack begins with a malicious email attachment containing a ZIP archive with a phony PDF file. This file contains a PowerShell and a decoy PDF document. The PowerShell then communicates with a Dropbox infrastructure controlled by the attackers to obtain and execute another PowerShell .

This second-stage downloads a .NET assembly file from Dropbox, which is, in reality, a remote access trojan known as TruRat. This trojan can record keystrokes, manage files, and facilitate remote control. Kimsuky has previously used TruRat in other campaigns.

The PowerShell script also downloads a VBScript from Dropbox, designed to run arbitrary code retrieved from the cloud storage service. This includes another PowerShell script that uses Windows Management Instrumentation (WMI) to execute commands and set up scheduled tasks for persistence.

The VBScript also uses Docs to dynamically retrieve configuration data for the Dropbox connection, enabling the attackers to modify the account information without changing the script itself. The PowerShell script retrieves system information and sends it to Dropbox via a POST request.

Overall, this attack campaign is highly advanced and employs a combination of PowerShell and VBScript to infect and obtain information from Windows systems. Using legitimate services for command-and-control and dynamic configuration retrieval makes identifying and protecting against challenging.

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

I knew you'd escape. They haven't built a circuit that could hold you!Yori

Deitasoft © 2024. All Rights Reserved.