A sophisticated malware campaign, identified as DEEP#GOSU, has emerged, targeting Windows systems with advanced tactics. Cybersecurity firm Securonix attributes the campaign to the North Korean state-sponsored group, Kimsuky. The malware’s multi-stage approach includes keylogging, data exfiltration, and leveraging legitimate services like Dropbox and Google Docs for command-and-control, posing significant challenges to detection.
DEEP#GOSU’s infection process begins with malicious email attachments: ZIP archives masquerading as PDF files. These archives embed PowerShell and VBScript scripts that chain together to fetch and execute further payloads from actor-controlled Dropbox infrastructure. Notably, the campaign deploys TruRat, a remote access trojan, and uses VBScript to establish persistence via Windows Management Instrumentation (WMI) and scheduled tasks.
The malware’s capabilities extend to dynamic retrieval of configuration data from Google Docs, enabling threat actors to modify account information without altering the script itself. Additionally, DEEP#GOSU functions as a backdoor, facilitating continuous communication with a command-and-control server through Dropbox. This enables threat actors to monitor compromised hosts, logging user activity including keystrokes and clipboard content, underscoring the campaign’s espionage objectives.
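A mail-gateway triage check for the lure described above, added here as an example and not Securonix's or the campaign's own code. It assumes the "ZIP masquerading as PDF" is done with a document-looking name such as `invoice.pdf.zip` and that the dropped scripts carry `.ps1`/`.vbs` extensions; the sample archives are constructed in memory, not real lures.

```python
"""Triage a mail attachment for the DEEP#GOSU lure pattern: an archive named
to read as a PDF whose members are PowerShell or VBScript files.
Added example (assumed naming convention), not code from the report."""
import io
import zipfile

# Script types the report says the archives embed (constructed list).
SCRIPT_EXTS = {".ps1", ".vbs", ".vbe"}


def looks_like_document(name: str) -> bool:
    """True when a ZIP's own name is crafted to read as a PDF, e.g. 'report.pdf.zip'."""
    lower = name.lower()
    return lower.endswith(".zip") and ".pdf" in lower[:-4]


def suspicious_entries(data: bytes) -> list[str]:
    """Return archive members whose extension matches a dropped-script type."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if any(info.filename.lower().endswith(ext) for ext in SCRIPT_EXTS):
                found.append(info.filename)
    return found


def triage_attachment(name: str, data: bytes) -> dict:
    """Combine the name lure and the script payload into a verdict."""
    entries = suspicious_entries(data) if name.lower().endswith(".zip") else []
    if looks_like_document(name) and entries:
        verdict = "block"       # both campaign signals present
    elif entries:
        verdict = "review"      # scripts in an archive, but no PDF masquerade
    else:
        verdict = "allow"
    return {"name": name, "scripts": entries, "verdict": verdict}


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory (test input, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


if __name__ == "__main__":
    lure = make_zip({"run.ps1": b"# placeholder", "n.vbs": b"' placeholder"})
    print(triage_attachment("invoice.pdf.zip", lure))            # verdict: block
    print(triage_attachment("pics.zip", make_zip({"a.jpg": b"x"})))  # verdict: allow
```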