DEEP#GOSU: How North Korea uses legitimate traffic for cyber espionage in a new campaign

Teacher

A complex infection chain lets the malware remain unnoticed on the system and steal data.

Security company Securonix discovered a new campaign in which hackers use sophisticated methods to infect Windows computers and steal confidential data. The campaign, dubbed DEEP#GOSU, is allegedly linked to the North Korean group Kimsuky.

According to the Securonix report, the multi-stage malware has the following capabilities:
  • unobtrusive operation on Windows;
  • keystroke logging (keylogging);
  • clipboard monitoring;
  • execution of payloads;
  • data exfiltration;
  • persistence through remote access software, scheduled tasks and self-executing PowerShell scripts.

One notable feature of the malware is its ability to blend in with legitimate traffic by using Dropbox or Google Docs for command and control (C2), which makes it hard to spot with network monitoring and also lets the operators update the program's functionality or download additional modules.

The campaign relies on malicious emails carrying a ZIP archive that contains a decoy document posing as a PDF. When the user opens the document, they actually run a PowerShell script, which then contacts Dropbox to download and execute further malicious scripts.

The scripts collect data from the victim's computer, including logging keystrokes and monitoring the clipboard, which allows the attackers to capture passwords and other sensitive information.

In addition, to keep access to and control over infected systems, the attackers use a variety of techniques, including scheduled tasks and scripts that run automatically, ensuring a long-term presence on the system without detection.
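The infection chain and the persistence techniques described above leave recognisable traces on an endpoint: PowerShell started from a user-opened file with hidden-window or encoded-command switches, PowerShell talking to Dropbox or Google Docs, and a scheduled task whose action is a PowerShell script. The following is an added example of a small detection pass over constructed, Sysmon-style events; it is not code from the Securonix report or from this post, and the event field names, the sample command lines and the list of parent processes it treats as "user opened a file" are assumptions.

```python
"""
Added example (not from the Securonix report or the post above): flag the
endpoint behaviours the article describes over constructed process-creation
and network-connection events. Field names and sample values are assumptions.
"""
import re
from dataclasses import dataclass

# Cloud services the article names as C2 channels. Legitimate software uses
# them too; the signal is which process is talking to them.
CLOUD_C2_HOSTS = ("dropboxapi.com", "dropbox.com", "docs.google.com", "drive.google.com")

# Real powershell.exe switches commonly paired with script-in-document lures.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(?:enc|encodedcommand|w(?:indowstyle)?\s+hidden|nop|noprofile|ep\s+bypass)", re.I
)

# Parents that indicate a user double-clicked something (assumption: shell and
# common archive managers).
USER_OPEN_PARENTS = ("explorer.exe", "winrar.exe", "7zfm.exe")


@dataclass
class Event:
    kind: str          # "process" or "network"
    image: str         # executing binary
    parent: str = ""   # parent image (process events only)
    cmdline: str = ""  # full command line (process events only)
    dest: str = ""     # destination host (network events only)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule_id, description) findings for the given events."""
    findings = []
    for e in events:
        img = _base(e.image)
        if e.kind == "process" and img == "powershell.exe":
            # Rule 1: PowerShell launched by a user-opened file with stealth switches.
            if _base(e.parent) in USER_OPEN_PARENTS and SUSPICIOUS_PS_FLAGS.search(e.cmdline):
                findings.append(("ps_from_user_open",
                                 f"PowerShell with hidden/encoded switches spawned by "
                                 f"{_base(e.parent)}: {e.cmdline}"))
        elif e.kind == "process" and img == "schtasks.exe":
            # Rule 2: scheduled task created with a PowerShell action (persistence).
            low = e.cmdline.lower()
            if "/create" in low and "powershell" in low:
                findings.append(("schtask_powershell",
                                 f"Scheduled task created with a PowerShell action: {e.cmdline}"))
        elif e.kind == "network" and img == "powershell.exe":
            # Rule 3: PowerShell itself talking to a cloud storage/docs service.
            if any(e.dest.lower().endswith(h) for h in CLOUD_C2_HOSTS):
                findings.append(("ps_cloud_c2", f"PowerShell connecting to {e.dest}"))
    return findings


# Constructed sample telemetry: three events matching the article's chain,
# followed by two benign ones that must not fire.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4A..."),
    Event("network", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          dest="api.dropboxapi.com"),
    Event("process", r"C:\Windows\System32\schtasks.exe", parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r'schtasks /create /tn "Updater" /sc minute /mo 30 '
                  r'/tr "powershell.exe -w hidden -File C:\Users\victim\AppData\Roaming\update.ps1"'),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r"powershell.exe -File C:\scripts\backup.ps1"),
    Event("network", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dest="docs.google.com"),
]

if __name__ == "__main__":
    for rule, desc in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {desc}")
```

Each rule on its own is noisy (administrators run encoded PowerShell, and browsers talk to Google Docs all day); in practice the three findings are correlated on the same host and time window, which is what turns "PowerShell uses Dropbox" from a curiosity into a DEEP#GOSU-style alert.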

Notably, the Kimsuky group has used similar methods in the past, which underlines the need for increased vigilance from organizations and individuals in protecting their data.