Recently a sophisticated, multi-layered cyber attack was orchestrated by a faction associated with North Korea against South Korean digital infrastructure.
The North Korea-linked Kimsuky group has refined its cyber tactics, unveiling a sophisticated eight-stage named “DEEP#GOSU”.
The stages of the DEEP#GOSU campaign are as follows:
Initial Contact
The attack is initiated when a user opens a LNK file attached to an email, leading after to the download of malicious PowerShell code from Dropbox.
Code Download
Additional scripts are downloaded from Dropbox, further compromising the system.
Remote Access Trojan Installation
A Trojan, known as TutClient, is installed to provide the attackers with remote access.
Evasion Techniques
The attackers employ methods to avoid detection and ensure their malware remains undetected. Usually by encoding in Base64
Use of Legitimate Services
Dropbox and Google are used to handle command and control (C2) communications, hiding or blending the malicious traffic with regular network activity.
Dynamic Updates
The malware’s functionality can be updated or expanded without direct interaction with the compromised system. Almost like a Software development cycle.
System Monitoring and Control
A script that executes randomly within hours to monitor and control the system.
Activity Monitoring
The final stage involves monitoring user activity by keylogging.
I got to say, this is impressive stuff.
More details and the full thread analysis on Securonix.
Photo by Sora Shimazaki.