Novel Script-Based Attack That Leverages PowerShell And VBScript

A new campaign has been identified as DEEP#GOSU is likely linked to the Kimsuky group, and it employs a new script-based attack chain that uses numerous PowerShell and VBScript stagers to stealthily infect systems. 

Its features included data exfiltration, keylogging, clipboard monitoring, dynamic payload execution, and persistence via scheduled activities, self-executing PowerShell scripts using jobs, and RAT software for complete remote access.

“The malware payloads used in the DEEP#GOSU represents a sophisticated, multi-stage threat designed to operate stealthily on Windows systems especially from a network-monitoring standpoint”, Securonix Threat Research Team shared with Cyber Security News.

Analysis Of New DEEP#GOSU Attack Campaign

The DEEP#GOSU campaign’s malware most likely gets into the system through standard channels, such as when a user opens a malicious email attachment that contains a zip file with a single file that is disguised by the extension: pdf.lnk

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

Given the command’s astounding length, it is evident that the PowerShell that is being performed is capable of carrying out several intricate tasks.

Furthermore, this shortcut file is larger than it first appears, coming in at around 2.2 MB.

pdf.lnk – command line execution

“The embedded PowerShell script contained within the shortcut file is designed to take byte data from itself, which extracts embedded files, AESDecrypt and executes further malicious code downloaded from the internet (/step2/ps.bin) and clean up traces of its execution”, researchers said.

Upon closer inspection, it looks like the shortcut file has an embedded PDF that has been concatenated after tens of thousands of “A” letters.

Those characters could be an attempt to inflate the file size to avoid AV detection.

Consequently, a concatenated PDF file is attached to the shortcut file. The PowerShell code has a clever function that accomplishes several tasks. 

The fact that there isn’t actually a PDF file in the original zip file that is provided to the victim makes this method quite sophisticated. 

The user doesn’t need to worry about anything unexpected happening because they are instantly presented with a PDF file when they click the PDF lure (shortcut file).

The PDF lure document, which is written in Korean, purports to be a statement about the death of Choi Yul’s son, the late CEO of Korean Airlines, in a car accident.

The remainder includes the funeral home’s information and dates.

PDF Lure Document

The PowerShell script that is attached to the shortcut file is intended to locate and silently run the malicious.lnk file that has been specifically crafted, extract and run the embedded PDF lure document, authenticate, decrypt, and run additional malicious code that has been downloaded from Dropbox, and finally remove any evidence of its execution.

Researchers saw the invocation of a lengthy string that was encoded in Base64.

Decoding the text reveals a VBScript code section that is intended to communicate with particular online APIs to establish a connection to Dropbox once more.

VBScript/PowerShell Execution

This campaign uses a combination of previously known TTPs and recycled code, in addition to some novel stagers.

Although the Kimsuky group had previously targeted South Korean victims, it is clear from the tradecraft that the group has switched to utilizing a new script-based attack chain.

Hence, be cautious when responding to unwanted emails, especially if they seem unexpected or urgent, as many malware infections start outside of the company.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *