DEEP#GOSU Attack Campaign Detection: North Korean Kimsuky APT Is Likely Behind Attacks Using PowerShell and VBScript Malware

The nefarious cyber-espionage North Korean Kimsuky APT group has been in the limelight in the cyber threatscape since at least 2012. A new multi-stage Kimsuky-affiliated offensive campaign tracked as DEEP#GOSU hits the headlines, posing threats to Windows users and leveraging PowerShell and VBScript malware to infect targeted systems. 

Detect DEEP#GOSU Attack Campaign

Last year has been marked by heavily intensifying activity of APT actors, which reflects the direct influence of the existing geo-political tensions on the cyber domain. This time, cyber security experts warn organizations and individual users about an ongoing malicious campaign by the infamous Kimsuky APT increasingly targeting Windows users to obtain extensive stealthy access to the environment in the course of the DEEP#GOSU operation. 

To stay proactive and identify possible intrusions at the earliest stages of their development, cyber defenders require advanced threat detection and hunting solutions paired with behavior-based detection algorithms addressing adversary TTPs. SOC Prime Platform for collective cyber defense offers a broad collection of cutting-edge tools to supercharge your threat investigation while aggregating a dedicated detection stack aimed at DEEP#GOSU detection.

Hit the Explore Detections button below and immediately drill down to a collection of relevant Sigma rules compatible with 28 SIEM, EDR, XDR, and Data Lake solutions. All the rules are mapped to MITRE ATT&CK v14.1 and accompanied by detailed threat intelligence along with extensive metadata. 

Explore Detections

To help security practitioners stay ahead of attacks launched by Kimsuky APT, SOC Prime Platform aggregates a broader selection of rules covering malicious activity associated with the threat actor in the limelight. Just search Threat Detection Marketplace by the “Kimsuky” tag based on the group identifier or follow this link.

DEEP#GOSU Malware Campaign Analysis

Securonix Threat Research team has recently shed light on the ongoing offensive operation identified as DEEP#GOSU, which is highly likely linked to the infamous North Korean Kimsuky group. The affiliated threat actors have been observed in multiple targeted campaigns against South Korea with a strong focus on cyber-espionage activities. 

In the latest campaign, adversaries leverage a novel sophisticated script-based attack chain, employing multiple PowerShell and VBScript stages to covertly infiltrate Windows systems and collect sensitive data. The offensive capabilities involve data exfiltration, keylogging, clipboard monitoring, and dynamic payload execution. Adversaries maintain persistence through scheduled tasks and employ self-triggering PowerShell scripts and RAT software to gain full remote control.

Notably, the infection process relies on legitimate services like Dropbox or Google Docs for C2, enabling adversaries to masquerade their malicious operations within normal network traffic while evading detection. Furthermore, employing these cloud services to host the payloads facilitates the updating of malware functionality or the delivery of supplementary modules.

The infection chain is triggered by opening a weaponized email attachment with a ZIP archive. The latter contains a deceptive shortcut file disguised as a PDF file. The malicious LNK file comes embedded with a PowerShell script alongside a decoy PDF document. The script communicates with a Dropbox infrastructure controlled by attackers to fetch and execute another PowerShell script.

The subsequent PowerShell script retrieves another file from Dropbox. The latter is a binary-form .NET assembly being an an open-source RAT dubbed TruRat (also known as TutRat or C# R.A.T.). In addition to this malware, the PowerShell script also retrieves a harmful VBScript file, which is intended to run commands on the compromised system and establish scheduled tasks for persistence.

Moreover, the VBScript employed in this malware campaign abuses Google Docs to dynamically fetch configuration data for the Dropbox connection. This enables adversaries to modify the account information without altering the script directly. The downloaded PowerShell script can collect comprehensive system information and submit this data via a POST request to Dropbox for exfiltration. It functions as a backdoor, granting control over the compromised hosts while continuously logging user activity.

To minimize the risks and impact of the stealthy malware used in the sophisticated DEEP#GOSU campaign and effectively preempt similar threats, defenders recommend applying best security practices, like avoiding downloading files or attachments from external sources, continuously monitoring the environment for suspicious activity, and enhancing detection coverage. 

With the significant surge in sophisticated attacks by Kimsuky APT, posing a potential threat to organizations in multiple industry sectors, including government entities, defenders are looking for ways to implement preemptive cybersecurity strategies to timely thwart targeted APT intrusions. Leveraging SOC Prime’s Attack Detective, security engineers can elevate the organization’s cybersecurity posture by timely identifying cyber defense blind spots, identifying proper data to collect to address these gaps and optimize SIEM ROI while prioritizing detection procedures before adversaries have a chance to strike.