New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics

March 18, 2024 at 02:33PM

A new, complex attack campaign dubbed DEEP#GOSU, which uses PowerShell and VBScript malware to infect Windows systems and gather sensitive information, has been linked to the North Korean state-sponsored group Kimsuky. The campaign uses legitimate services like Dropbox and Google Docs for command-and-control, and has been observed delivering a malicious email attachment and staging its payloads on cloud services. The activity coincides with other North Korea-linked cyber threats, including the embedding of malicious code in phishing emails and the exploitation of legitimate remote desktop solutions. Furthermore, the Lazarus Group, to which Kimsuky belongs, has been observed laundering stolen crypto assets through Tornado Cash due to the platform’s resilience against sanctions and its decentralized nature.

The article details a sophisticated cyber attack campaign called DEEP#GOSU, associated with the North Korean state-sponsored group Kimsuky. The campaign employs PowerShell and VBScript malware to infect Windows systems for data exfiltration and persistence. Notably, it uses legitimate cloud services like Dropbox and Google Docs for command-and-control, allowing the threat actor to remain undetected. The malware is delivered through malicious email attachments, includes components such as TruRat, and uses techniques like reflective DLL injection and WMI to execute commands and maintain persistence. Additionally, the Lazarus Group, specifically Andariel, has been involved in laundering stolen crypto assets through Tornado Cash following a cryptocurrency exchange hack. These threat actors have demonstrated a wide range of sophisticated tactics, underscoring the importance of robust cybersecurity measures.
