The Securonix Threat Research (STR) team has identified an elaborate multi-stage attack campaign, dubbed DEEP#GOSU, which is likely associated with the North Korean Kimsuky group. The campaign showcases new code and tactics, techniques, and procedures (TTPs), along with some recycled elements from previous attacks.
The attack chain employed in DEEP#GOSU leverages multiple PowerShell and VBScript stagers to quietly infect systems, focusing on South Korean targets. The later-stage scripts enable the attackers to monitor clipboard, keystroke, and other session activities. The use of a remote access trojan (RAT) software provides full control over the infected hosts, while background scripts ensure persistence and continuous monitoring.
The malware utilizes legitimate services such as Dropbox or Google Docs for command and control (C2) communication, allowing it to blend undetected into regular network traffic. The dynamic nature of these remote sources enables the malware maintainers to update functionalities or deploy additional modules without direct interaction with the system.
The initial infection vector appears to be a malicious email attachment containing a zip file with a disguised shortcut file (LNK). The use of .lnk files is not new, but the methodology behind the code execution in DEEP#GOSU is unique. The shortcut file contains an embedded PDF, which is extracted and presented to the user upon execution, reducing any suspicion of malicious activity.
The DEEP#GOSU campaign also employs AES encryption and cloud services for payload retrieval, indicating a sophisticated level of evasion. Additionally, the use of scheduled tasks and WMI execution suggests a focus on persistence and system enumeration.
The Securonix Threat Research team recommends caution when dealing with unsolicited emails and urges organizations to monitor common malware staging directories. Robust endpoint logging capabilities, including Sysmon and PowerShell logging, are essential for detecting such encrypted and stealthy network communications.
Overall, the DEEP#GOSU campaign represents a sophisticated threat that employs a range of techniques to operate stealthily on Windows systems. The use of legitimate services for C2 communication and dynamic payload execution highlights the evolving nature of cyber threats and the need for vigilant cybersecurity measures.