Rewterz Threat Alert – Windows Users Targeted by New DEEP#GOSU Malware – Active IOCs

Severity

High

Analysis Summary

A new sophisticated attack campaign is distributing DEEP#GOSU malware and targets Windows users in which the attacker employs the attack by using PowerShell and VBScript malware to poison Windows and gather sensitive information.

According to researchers, the new malware is likely to be associated with Kimsuky, a North Korean state-sponsored group. The malware group is using a new script-based attack chain that operates stealthily and infects the system with multiple-staged malware payloads such as keylogging, clipboard monitoring, dynamic payload execution, data exfiltration, and persistence using both RAT software for complete remote access and scheduled tasks for self-execution.

Furthermore, staging the payloads through the cloud services allows malware updates and additional delivery of modules. One of the noticeable features of the malware for the command-and-control process is the usage of legitimate services like Dropbox or Google Docs that enable the threat actor to remain undetected.

The attack is initiated with a malicious email attachment, masquerading as a PDF file containing a ZIP archive holding a rogue shortcut file (.LNK), planted with a PowerShell script that further reaches out to an actor-controlled Dropbox infrastructure to execute and retrieves another PowerShell script. In the second stage, PowerShell gets a newly created file from Dropbox. This file is a .NET assembly file that is an open-source remote access trojan called TruRat that can manage files, record keystrokes, and also allow remote control.

A VBScript is also obtained by PowerShell script from Dropbox. This VBScript is intended to execute any arbitrary VBScript code, obtained through the cloud storage service, including a PowerShell script. VBScript is designed to execute commands on the system and to line up tasks on the system for persistence by using Windows Management Instrumentation (WMI). VBScript also allows the usage of Google Docs to dynamically acquire configuration data for the Dropbox connection, enabling the threat actor to modify the account information by changing or altering the script.

As a result, a PowerShell script is downloaded that can collect a large amount of system information and exfiltrate it to Dropbox using a POST request. The script aimed to serve as a tool for regular communication with the command-and-control server. In a nutshell, it serves as a backdoor to control the infected host and to maintain a log of the user’s activities.

Impact

• Unauthorized Access
• Sensitive Information Theft
• Data Exfiltration

Indicators of Compromise

MD5

• 1e66ac680d0edfe18d97b89e46c7e82e
• 515194ef77fbbe04845de290eefd0049
• e269a6500fbdc750afeb18d2d05f8eea
• eb08ab3854168c834ab154facfe695a3
• 6786bdddb0318e17d56cf08dfc5e91b9
• 2f9125a538d84dd952f72722f28575b8

SHA-256

• f262588c48d2902992ffd275d2be6362fe7f02e2f00a44ab8c75ac1a2827c6e9
• 1617587ccdf5b0344089559ecf8fe7d39f6e07a6a64f74f2b44bfa2c8cb67983
• 46a5d54c264152ce915792af31c75824a558af7d7340d78b34e146d8c6249e79
• 1b75f70c226c9ada8e79c3fdd987277b0199928800c51e5a1e55ff01246701db
• 60666cacdd6806ed05771f32eaa719e3efd2f4db55f28a447d383c3eac1dc72e
• 89cad9a57985cc0ab3b7403a943ad0aa7b167dc7a3c38557417fedea67a77b87

SHA-1

• 10c3dc54cb7417a386cc6fb52ec60c85af1fb0bc
• f7bfda63bf71fca4ab36614993251bbfc2abc4c8
• ea4066919291edbf3bc33a880f86d6e9dc633ddd
• 38bf08bcb887be7d71adbf27743ac5817da46fbe
• 3ff167cb9658c9a8a31ec437657a6ff6105eb91a
• 41c1b3fa3b5a4b1ac4f41f0da29c741b4d5f9db0

URL

• https://content.dropboxapi.com/2/files/download/step2/ps.bin
• https://content.dropboxapi.com/2/files/download/step2/r_enc.bin
• https://content.dropboxapi.com/2/files/download/step2/info_sc.txt
• https://content.dropboxapi.com/2/files/download/step2/info_ps.bin
• https://content.dropboxapi.com/2/files/download/step2/ad_ps.bin

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Deploy advanced threat detection solutions that can identify and analyze suspicious activities, patterns, and behaviors across your network and endpoints. Utilize intrusion detection systems (IDS), intrusion prevention systems (IPS), and next-generation firewalls to proactively monitor and block malicious activities.
• Implement network segmentation to compartmentalize sensitive systems and data.
• Strengthen email security protocols to identify and block phishing attempts. Train employees to recognize suspicious emails and attachments, and employ email filtering technologies to reduce the likelihood of successful spear-phishing attacks.
• Regularly update and patch all software, applications, and operating systems to minimize potential entry points for cyber attackers.
• Enforce MFA across your organization to add an extra layer of security to user accounts and critical systems.
• Deploy advanced endpoint security solutions that offer real-time threat detection and response. This includes antivirus software, endpoint detection and response (EDR) tools, and behavioral analysis to identify suspicious activities.
• Ensure that systems are securely configured and hardened following industry best practices. Disable unnecessary services, ports, and protocols to reduce the attack surface.
• Develop and regularly update an incident response plan that outlines the steps to be taken in the event of a cyber attack. This plan should include communication protocols, roles and responsibilities, and procedures for containing and mitigating the attack.
• Conduct regular security audits and penetration testing to identify vulnerabilities and weaknesses in your systems and infrastructure.