Advisory ID: ngCERT-2024-0006
Summary:
Security researchers have disclosed a new tactic deployed by cyber criminals to compromise Windows systems. The elaborate attack campaign, nicknamed DEEP#GOSU, is likely associated with the group tracked as Kimsuky. The campaign is an eight-stage attack chain that uses PowerShell and VBScript malware to infect Windows systems and harvest sensitive information, with implications for data and financial losses. Users of Windows systems are therefore advised to take the proactive steps provided herein to mitigate the threat.
Damage/Probability: CRITICAL/HIGH
Description:
The malware payloads deployed in DEEP#GOSU form a sophisticated, multi-stage attack designed to operate stealthily on Windows systems, particularly when viewed from a network-monitoring perspective. The attack chain involves keylogging, clipboard monitoring, dynamic payload execution and data exfiltration, and it maintains persistence through RAT software providing complete remote access, scheduled tasks, and self-executing PowerShell scripts run as jobs. Notably, the infection procedure leverages legitimate services such as Dropbox and Google Docs for command-and-control (C2), allowing the threat actor to blend into regular network traffic undetected. Using such cloud services to stage the payloads also gives the threat actor an avenue to update the functionality of the malware and deliver additional modules.
The starting point of the attack is the distribution of phishing emails with malicious attachments containing a ZIP archive. The archive holds a rogue shortcut file (.LNK) that masquerades as a PDF document ("IMG_20240214_0001.pdf.lnk"). The .LNK file comes embedded with a PowerShell script as well as a decoy PDF document; the PowerShell script also reaches out to actor-controlled Dropbox infrastructure to retrieve and execute another PowerShell script ("ps.bin"). The second-stage PowerShell script, for its part, fetches a new file from Dropbox ("r_enc.bin"), a .NET assembly in binary form that is actually an open-source remote access trojan known as TruRat (aka TutRat or C# RAT), with capabilities to record keystrokes, manage files and facilitate remote control. The later stages of the attack install a script that randomly executes in a matter of hours to help monitor and control systems and provide persistence. The final stage monitors user activity by logging keystrokes on the compromised system.
Consequences:
A successful attack could result in the following:
- Data exfiltration.
- Financial losses.
- Denial of Service (DoS).
- Fraudulent activity using compromised accounts.
- Additional breaches of other linked accounts.
- Ransomware attacks.
Solution:
It is therefore recommended that Windows users:
- Avoid opening suspicious emails.
- Avoid clicking on untrusted links.
- Patch and update software as soon as options are available.
- Avoid downloading files or attachments from external sources, especially if the source is unsolicited.
- Monitor common malware staging directories, especially script-related activity in world-writable directories. In this campaign the threat actors staged their payloads in subdirectories of %APPDATA%.
- Deploy robust endpoint logging capabilities.
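As an added illustration of the monitoring steps above and of the disguised-shortcut technique described in the Description section (this is example code written for this advisory, not a script from ngCERT or from the referenced researchers), the following PowerShell triage script inventories recently written script-type files under the user staging directories this campaign abused, resolves what any .LNK files in them actually launch, lists scheduled tasks whose action invokes a script host, and reports whether PowerShell script block logging is enabled and whether Explorer is hiding file extensions (the setting that lets "IMG_20240214_0001.pdf.lnk" display as a PDF). The file-name patterns, keyword list and 30-day lookback window are assumptions chosen for illustration; they are not indicators published in this advisory, and any hit should be reviewed manually rather than treated as confirmation of compromise.

```powershell
# Added triage script for the tradecraft described in ngCERT-2024-0006.
# Assumptions: run in an elevated Windows PowerShell 5.1+ session; the
# extension list, keyword regexes and lookback window are illustrative only.

param(
    [int]$LookbackDays = 30,
    [string[]]$StagingRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)
)

$scriptExt = @('.lnk', '.ps1', '.vbs', '.vbe', '.js', '.bat', '.cmd', '.bin')
$since     = (Get-Date).AddDays(-$LookbackDays)

function Get-ShortcutTarget {
    # Resolve what a .LNK really launches: a "PDF" whose target is
    # powershell.exe is the masquerade used in this campaign.
    param([string]$Path)
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($Path)
    [pscustomobject]@{
        Path       = $Path
        Target     = $lnk.TargetPath
        Arguments  = $lnk.Arguments
        Suspicious = ($lnk.TargetPath -match 'powershell|pwsh|wscript|cscript|cmd\.exe|mshta') -or
                     ($lnk.Arguments  -match '-enc|-e |hidden|bypass|downloadstring|iex|invoke-expression')
    }
}

Write-Host "== 1. Script-type files recently written under user staging directories =="
$hits = foreach ($root in $StagingRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -and $scriptExt -contains $_.Extension.ToLower() }
}
$hits | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

Write-Host "== 2. Shortcut files (including double-extension lures such as *.pdf.lnk) and what they launch =="
$hits | Where-Object { $_.Extension -eq '.lnk' } |
    ForEach-Object {
        $info = Get-ShortcutTarget $_.FullName
        # Flag document-looking names separately so analysts see the lure pattern at a glance.
        $info | Add-Member -NotePropertyName DoubleExtension `
                           -NotePropertyValue ($_.Name -match '\.(pdf|docx?|xlsx?|jpe?g|png)\.lnk$') -PassThru
    } | Format-Table -AutoSize

Write-Host "== 3. Scheduled tasks whose action runs a script host =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'powershell|pwsh|wscript|cscript|mshta') {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Execute   = $a.Execute
                Arguments = $a.Arguments
                Author    = $task.Author
            }
        }
    }
} | Format-Table -AutoSize

Write-Host "== 4. Logging and display settings that make this tradecraft visible =="
$sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                        -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
$hideExt = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                            -Name HideFileExt -ErrorAction SilentlyContinue
[pscustomobject]@{
    'PowerShell ScriptBlockLogging enabled (Event ID 4104 available)' = ($sbl.EnableScriptBlockLogging -eq 1)
    'Explorer hides known extensions (.pdf.lnk displays as .pdf)'    = ($hideExt.HideFileExt -ne 0)
} | Format-List
```

Run it as `.\Hunt-DeepGosu.ps1 -LookbackDays 14` (the file name is arbitrary) on an endpoint or via your management tooling. Sections 1 and 2 directly support the recommendation to watch script activity in %APPDATA% and similar user-writable locations; section 3 covers the scheduled-task persistence described above; section 4 checks the two host settings that most reduce visibility into this campaign, since without script block logging the PowerShell stages leave little trace, and with extensions hidden the .LNK lure looks like an ordinary PDF to the user.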
References:
- https://thehackernews.com/2024/03/new-deepgosu-malware-campaign-targets.html/
- https://www.darkreading.com/vulnerabilities-threats/north-korea-linked-group-level-multistage-cyberattack-on-south-korea/
- https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/