A New Script-Based Attack Using VBScript and PowerShell

DEEP#GOSU is a new campaign that has been discovered; it is most likely connected to the Kimsuky organization. It utilizes a new script-based assault chain that infiltrates computers covertly by using many PowerShell and VBScript stagers.

Keylogging, clipboard monitoring, data exfiltration, dynamic payload execution, persistence through scheduled activities, self-executing PowerShell scripts with jobs, and RAT software for total remote access were among its features.

The Securonix Threat Research Team informed Cyber Security News that the malware payloads employed in the DEEP#GOSU reflect a sophisticated, multi-stage threat intended to function covertly on Windows PCs, particularly from a network-monitoring aspect.

Examining the Latest DEEP#GOSU Attack Initiative

The malware associated with the DEEP#GOSU campaign most likely enters the system through common means, including when a user opens a malicious email attachment that contains a zip file containing a single file hidden by the extension pdf.lnk.

It is clear from the command's startling length that the PowerShell being used is capable of handling multiple complex tasks. Additionally, this shortcut file has a bigger size than it appears to be—roughly 2.2 MB.

The researchers stated that the embedded PowerShell script in the shortcut file is intended to collect byte data from the file itself, extract embedded files, AESDecrypt, and run additional malicious code that was obtained from the internet (/step2/ps.bin) as well as remove any evidence that it had been executed.

After tens of thousands of "A" characters, it appears that the shortcut file contains an embedded PDF that has been concatenated. The characters may represent an attempt to spoof the file size to run away from antivirus software.

As a result, the shortcut file has a concatenated PDF file attached. A smart function in the PowerShell code completes multiple jobs. This method is highly complex because the initial zip file that is sent to the victim doesn't contain a PDF file.

After clicking the PDF lure (shortcut file), the user is immediately presented with a PDF file, so they don't have to worry about anything unexpected happening. The PDF enticement document is written in Korean and seems like a statement regarding the vehicle accident that killed Choi Yul's son, the late CEO of Korean Airlines.

Attached to the shortcut file is a PowerShell script that will locate and execute the specially crafted malicious.lnk file silently. Furthermore, it will authenticate, decode, and run additional malicious malware that was downloaded from Dropbox in addition to extracting and running the embedded PDF bait document. Finally, it will remove any proof that it was left behind.

An extensive string that was Base64 encoded was observed to be invoked by researchers. When the text is decoded, a VBScript code section is exposed. This code piece is meant to interact with specific internet APIs to reconnect to Dropbox.

This campaign employs several unique stagers along with recycled code and previously identified TTPs. The tradecraft indicates that the Kimsuky organization has shifted to using a new script-based attack chain, even though the group has previously targeted victims in South Korea.