An elaborate new attack campaign has been observed using PowerShell and VBScript malware to infect Windows systems and collect sensitive information.
Cybersecurity firm Securonix, which dubbed the campaign DEEP#GOSU, said it is likely associated with the North Korean state-sponsored group identified as Kimsuky.
“The malware payloads used in the file DEEP#GOSU represent a sophisticated, multi-stage threat designed to covertly operate on Windows systems, especially from a network monitoring perspective,” security researchers Den Iuzvyk, Tim Peck and Oleg Kolesnikov said in a technical analysis shared with The Hacker News.
“Its features included keylogging, clipboard monitoring, dynamic payload execution, data exfiltration, and persistence using both RAT software for full remote access, scheduled tasks, and self-executing PowerShell scripts using processes.”
A noteworthy aspect of the infection procedure is that it leverages legitimate services such as Dropbox or Google Docs for command and control (C2), thus allowing the threat actor to integrate undetected into normal network traffic.
Furthermore, using such cloud services to organize payloads allows you to upgrade the functionality of the malware or provide additional modules.
The starting point is said to be a malicious email attachment containing a ZIP archive with an unauthorized link file (.LNK) masquerading as a PDF file (“IMG_20240214_0001.pdf.lnk”).
The .LNK file is embedded with a PowerShell script and a decoy PDF document, with the former also reaching an actor-controlled Dropbox infrastructure to fetch and execute another PowerShell script (“ps.bin”).
The second stage PowerShell script, for its part, retrieves a new file from Dropbox (“r_enc.bin”), a .NET assembly file in binary format that is actually an open source remote access trojan known as TruRat (aka TutRat or C# RAT) with features to record keystrokes, manage files, and facilitate remote control.
It’s worth noting that Kimsuky used TruRat in at least two campaigns discovered by the AhnLab Security Intelligence Center (ASEC) last year.
The Dropbox PowerShell script also retrieves a VBScript (“info_sc.txt”), which, in turn, is designed to execute arbitrary VBScript code retrieved from the cloud storage service, including a PowerShell script (“w568232.ps12x”).
VBScript is also designed to use Windows Management Instrumentation (WMI) to run commands on the system and set scheduled tasks on the system for persistence.
Another noteworthy aspect of VBScript is its use of Google Docs to dynamically retrieve configuration data for the Dropbox connection, allowing the threat actor to modify account information without having to alter the script itself.
The PowerShell script downloaded as a result is capable of gathering extensive system information and extracting the details via a POST request to Dropbox.
“The purpose of this script appears to be designed to serve as a tool for periodic communication with a command and control (C2) server via Dropbox,” the researchers said. “Its primary purposes include encryption, exfiltration or downloading of data.”
In other words, it acts as a backdoor to monitor compromised hosts and continuously keep a log of user activity, including keystrokes, clipboard contents, and foreground window.
The development comes as security researcher Ovi Liber detailed North Korea-linked ScarCruft’s embedding of malicious code within the Hangul Word Processor (HWP) that lures documents present in phishing emails to distribute malware like RokRAT.
“The email contains an HWP document that has an embedded OLE object in the form of a BAT script,” Liber said. “Once the user clicks on the OLE object, the BAT script is executed which in turn creates a PowerShell-based reflective DLL injection attack on the victim’s computer.”
It also follows Andariel’s exploitation of a legitimate remote desktop solution called MeshAgent to install malware such as AndarLoader and ModeLoader, a JavaScript malware designed for command execution.
“This is the first confirmed use of a MeshAgent by the Andariel Group,” ASEC said. “The Andariel Group has continuously abused the asset management solutions of domestic companies to distribute malware in the process of lateral movement, starting with Innorix Agent in the past.”
Andariel, also known by the names Nicket Hyatt or Silent Chollima, is a sub-cluster of the infamous Lazarus Group, which actively orchestrates attacks for both cyber espionage and financial gain.
Since then, the prolific state-sponsored threat actor has been observed laundering a portion of the crypto assets stolen from the hack of the HTX cryptocurrency exchange and its cross-chain bridge (also known as the HECO Bridge) through Tornado Cash. The breach led to the theft of $112.5 million in cryptocurrency in November 2023.
“Following common cryptocurrency laundering schemes, the stolen tokens were immediately exchanged for ETH, using decentralized exchanges,” Elliptic said. “The stolen funds then remained dormant until March 13, 2024, when the stolen crypto assets began to be sent via Tornado Cash.”
The blockchain analytics firm said Tornado Cash’s continuation of its operations despite sanctions likely made it an attractive proposition for Lazarus Group to hide the trail of its transactions after Sinbad’s November 2023 shutdown.
“The mixer works via smart contracts running on decentralized blockchains, so it cannot be seized and shut down in the same way that centralized mixers like Sinbad.io have been,” he noted.