Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware
By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
tldr:
The Securonix Threat Research team has uncovered an elaborate multi-stage attack campaign likely associated with the North Korean Kimsuky group.
The Securonix Threat Research (STR) team has been monitoring a new campaign, tracked as DEEP#GOSU, that is likely associated with the Kimsuky group. It features some new code and stagers alongside recycled code and TTPs that have been reported in the past. Kimsuky has targeted South Korean victims before, but the tradecraft observed here shows that the group has shifted to a script-based attack chain that strings together multiple PowerShell and VBScript stagers to infect systems quietly. The later-stage scripts let the attackers monitor clipboard, keystroke, and other session activity.
The threat actors also deployed a remote access trojan (RAT) to gain full control over the infected hosts, while the background scripts continued to provide …
IoC
1617587CCDF5B0344089559ECF8FE7D39F6E07A6A64F74F2B44BFA2C8CB67983
1B75F70C226C9ADA8E79C3FDD987277B0199928800C51E5A1E55FF01246701DB
46A5D54C264152CE915792AF31C75824A558AF7D7340D78B34E146D8C6249E79
60666CACDD6806ED05771F32EAA719E3EFD2F4DB55F28A447D383C3EAC1DC72E
69C917EA96DB28DBD5B67073CA0AAC234D25651A849171B45F20979EAFA05A1C
89CAD9A57985CC0AB3B7403A943AD0AA7B167DC7A3C38557417FEDEA67A77B87
B72CAAB78D164637FEA0937D7A94FC470579EC6BB4FA87DADB6F0FA7826E217C
F262588C48D2902992FFD275D2BE6362FE7F02E2F00A44AB8C75AC1A2827C6E9
http://content.dropboxapi.com/2/files/download
http://content.dropboxapi.com/2/files/download/step2/
http://content.dropboxapi.com/2/files/upload
http://gbionet.com/inc/basl/up1/list.php?query=6
http://regard.co.kr
https://content.dropboxapi.com/2/files/download/step2/ad_ps.bin|
https://content.dropboxapi.com/2/files/download/step2/info_ps.bin|
https://content.dropboxapi.com/2/files/download/step2/info_sc.txt
https://content.dropboxapi.com/2/files/download/step2/info_sc.txt|
https://content.dropboxapi.com/2/files/download/step2/ps.bin
https://content.dropboxapi.com/2/files/download/step2/ps.bin|
https://content.dropboxapi.com/2/files/download/step2/r_enc.bin
https://content.dropboxapi.com/2/files/download/step2/r_enc.bin|
[email protected]
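The indicators above only become useful once they are machine-readable and applied to telemetry. The following added Python example (written for this page; it is neither Securonix code nor anything from the campaign) normalises the published list, dropping the trailing "|" delimiters and separating SHA-256 hashes, full URLs, path prefixes and bare domains, then runs it over a constructed proxy-log sample and checks file hashes. The log format, the sample lines and the scripting-host user-agent heuristic are assumptions. One caveat a hunter needs: /2/files/download and /2/files/upload on content.dropboxapi.com are Dropbox's own API endpoints, so a bare hit on them is shared infrastructure rather than evidence of compromise; the example only raises them when the request comes from a scripting host.

```python
"""Hunting helper for the DEEP#GOSU IoCs (added example, not Securonix code)."""
import hashlib
import re
from urllib.parse import urlsplit

# Subset of the IoC list published above, copied verbatim including the
# trailing "|" delimiters that appear in the published list.
IOC_TEXT = """
1617587CCDF5B0344089559ECF8FE7D39F6E07A6A64F74F2B44BFA2C8CB67983
1B75F70C226C9ADA8E79C3FDD987277B0199928800C51E5A1E55FF01246701DB
http://content.dropboxapi.com/2/files/download
http://content.dropboxapi.com/2/files/download/step2/
http://content.dropboxapi.com/2/files/upload
http://gbionet.com/inc/basl/up1/list.php?query=6
http://regard.co.kr
https://content.dropboxapi.com/2/files/download/step2/ad_ps.bin|
https://content.dropboxapi.com/2/files/download/step2/info_sc.txt
https://content.dropboxapi.com/2/files/download/step2/r_enc.bin|
"""

SHA256_RE = re.compile(r"^[0-9A-Fa-f]{64}$")
DROPBOX_API_HOST = "content.dropboxapi.com"
# Real Dropbox API endpoints that also appear in the IoC list. They are shared
# infrastructure, so a hit on them alone is not evidence of compromise.
DROPBOX_GENERIC_ENDPOINTS = {"/2/files/download", "/2/files/upload"}
# Assumption: user-agent substrings typical of Windows scripting hosts.
SCRIPT_UA_MARKERS = ("PowerShell", "WinHttpRequest")


def normalise_url(url):
    """Return (host, path[?query]) with the scheme dropped, the host
    lower-cased and any trailing '|' delimiter removed."""
    parts = urlsplit(url.strip().rstrip("|"))
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.hostname.lower(), path


def parse_iocs(text):
    """Split the published list into hashes, exact URLs, path prefixes
    (entries ending in '/') and bare domains (entries with no path)."""
    iocs = {"hashes": set(), "urls": set(), "prefixes": set(), "domains": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SHA256_RE.match(line):
            iocs["hashes"].add(line.lower())
        elif "://" in line:
            host, path = normalise_url(line)
            if path == "/":
                iocs["domains"].add(host)
            elif path.endswith("/"):
                iocs["prefixes"].add((host, path))
            else:
                iocs["urls"].add((host, path))
    return iocs


def classify_request(url, user_agent, iocs):
    """Return a match reason for one outbound request, or None."""
    host, path = normalise_url(url)
    script_ua = any(m.lower() in user_agent.lower() for m in SCRIPT_UA_MARKERS)
    # Generic Dropbox API endpoints: only interesting from a scripting host.
    if host == DROPBOX_API_HOST and path in DROPBOX_GENERIC_ENDPOINTS:
        return "dropbox-api-from-script" if script_ua else None
    if (host, path) in iocs["urls"]:
        return "ioc-url"
    if any(host == h and path.startswith(p) for h, p in iocs["prefixes"]):
        return "ioc-url-prefix"
    if host in iocs["domains"]:
        return "ioc-domain"
    # Heuristic (assumption): any other Dropbox file API call from a script.
    if host == DROPBOX_API_HOST and path.startswith("/2/files/") and script_ua:
        return "dropbox-api-from-script"
    return None


# Constructed proxy-log format: <ts> <src> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    f'2024-03-18T09:12:01Z 10.1.2.3 POST https://content.dropboxapi.com/2/files/download/step2/r_enc.bin 200 "{PS_UA}"',
    f'2024-03-18T09:12:09Z 10.1.2.3 POST https://content.dropboxapi.com/2/files/upload 200 "{PS_UA}"',
    '2024-03-18T09:13:44Z 10.1.2.7 POST https://content.dropboxapi.com/2/files/download 200 "DropboxDesktopClient/0.0 (constructed)"',
    f'2024-03-18T09:15:02Z 10.1.2.3 GET http://gbionet.com/inc/basl/up1/list.php?query=6 200 "{PS_UA}"',
    '2024-03-18T09:16:30Z 10.1.2.9 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"',
]


def scan_proxy_log(lines, iocs):
    """Return (line_no, src_ip, url, reason) for every matching log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        _ts, src, _method, url, _status, ua = m.groups()
        reason = classify_request(url, ua, iocs)
        if reason:
            hits.append((n, src, url, reason))
    return hits


def sha256_hits(blobs, iocs):
    """blobs: {name: bytes}. Return names whose SHA-256 is a listed hash."""
    return sorted(n for n, b in blobs.items()
                  if hashlib.sha256(b).hexdigest() in iocs["hashes"])


if __name__ == "__main__":
    table = parse_iocs(IOC_TEXT)
    for hit in scan_proxy_log(SAMPLE_LOG, table):
        print(*hit)
```

In the sample, the r_enc.bin fetch and the gbionet.com request are flagged as exact IoC matches, the /2/files/upload call is flagged only because its user agent is a PowerShell host, and the same endpoint from the constructed Dropbox client user agent is left alone. Feed `scan_proxy_log` real proxy or Zeek HTTP records and `sha256_hits` the contents of downloaded files to apply the list at scale.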