The DEEP#GOSU Campaign's Script-Based Intrusion

A cyber threat campaign dubbed DEEP#GOSU was revealed by researchers from the Securonix Threat Research (STR) team attributing this espionage campaign to the North Korean threat group known as Kimsuky. This potential attribution is based on partly recycled tactics, techniques, and procedures (TTPs), using tools to target South Korean entities. As observed by Securonix by leveraging a script-based attack chain that employs PowerShell and VBScript stagers, attackers discreetly infiltrate systems to monitor clipboard, keystroke, and other session activities. Additionally, the actors deploy a Remote Access Trojan (RAT) for complete control over infected hosts, with all command and control (C2) communications masked through legitimate services like Dropbox or Google Docs to avoid detection.

The DEEP#GOSU campaign commences with phishing emails containing malicious attachments, which upon downloading, initiate the attack through a meticulously crafted .lnk file which measures at 2.2MB. This file contains padding and executes embedded PowerShell scripts to perform several operations, including data decryption and further malicious code execution, all while evading detection by leveraging encryption and cloud services for payload retrieval. Subsequent stages involve invoking code from Dropbox, dynamically loading and executing .NET assembly code, and employing a C# RAT for full remote access and control. These stages reveal a high level of sophistication intended to bypass security measures and maintain a stealthy presence within the infected systems.

Throughout the campaign, DEEP#GOSU utilizes advanced techniques for system enumeration, stealth, persistence, and keylogging. By executing PowerShell scripts to enumerate system information and upload it via Dropbox, the threat actors ensure surveillance capabilities are established on the compromised systems. The scripts also facilitate stealthy operation through mutex-based execution and scheduled tasks to maintain persistence, alongside keylogging and clipboard monitoring functions to log user activity. These actions, combined with the use of encrypted payloads and legitimate cloud services for C2 communications, underscore the campaign's capability to conduct espionage while minimizing detection risk.

For cybersecurity detection engineers, the DEEP#GOSU campaign underscores the importance of monitoring for specific process executions and behaviors indicative of the attack chain, including unusual PowerShell and VBScript activity, suspicious use of Dropbox or Google Docs for data exfiltration, and patterns of system enumeration and persistence mechanisms.