A recent attack campaign by one of North Korea’s state-run hacking groups uses a new PowerShell and VBScript-based attack chain that’s initiated from inside LNK files. Multiple attack stages are downloaded from legitimate cloud services and the final payload is an open-source remote access trojan.
“All of the C2 communication is handled through legitimate services such as Dropbox or Google Docs allowing the malware to blend undetected into regular network traffic,” researchers from security firm Securonix said in a report. “Since these payloads were pulled from remote sources like Dropbox, it allowed the malware maintainers to dynamically update its functionalities or deploy additional modules without direct interaction with the system.”
Kimsuky is an advanced persistent threat (APT) group that has been active since at least 2012. It is one of the several cyberespionage and sabotage groups associated with the North Korean government and is believed to be run by the 5th Bureau — Inter-Korean Affairs of the country’s foreign intelligence agency. As a result, compared to other North Korean groups like Lazarus, APT38, and Andariel (Silent Chollima), Kimsuky primarily targets South Korean organizations and individuals.
LNK delivery mechanism
This was also the case in the new campaign analyzed by Securonix which the company dubbed DEEP#GOSU. The attack chain began with phishing emails with a South Korean-themed lure that included .zip attachments. The zip archives contained a file with a double extension IMG_20240214_0001.pdf.lnk masquerading as a PDF. The files were actually Windows link (shortcut) files that contained an embedded PowerShell script that launched the multi-staged attack chain.
The LNK file is over 2MB, which is unusual for a shortcut file, because it has a PDF file appended to itself. The script searches for the exact byte location of the PDF file in the binary, extracts it, launches a new object in memory to hold it, and then uses the PowerShell Start-Process commandlet to execute it. This opens the PDF file in the default PDF viewer on the computer, mimicking the behavior the user would expect.
“What makes this tactic clever is that there is technically no PDF file contained within the initial zip file sent to the victim,” the researchers said. “When the user clicks the PDF lure (shortcut file) they’re immediately presented with a PDF file, thus removing any concern that anything unexpected happened.”
PowerShell payloads leading to RAT
At the same time, the PowerShell script downloads a second payload called ps.bin from a Dropbox URL, decrypts it using the AESDecrypt function, and then executes it. This is yet another PowerShell script that downloads additional payloads from Dropbox. First, it downloads and dynamically loads several .NET assemblies that enable the script to use advanced graphical UI capabilities. These capabilities have been used in the past by malware to take screenshots and record the victim’s computer screen.
Another downloaded payload is a file called r_enc.bin that is a variant of an open-source remote access trojan called TruRat, TutRat, or C# R.A.T., whose agent is usually called TutClient.exe. “Currently this particular RAT software is quite old and likely to be picked up by most antivirus vendors,” the researchers said. “However, given the unique method in which this binary is loaded and executed directly into memory (stage2), it’s likely to skirt some detections.”
More specifically, the method of loading the malicious code directly in memory is known as “fileless” execution because it doesn’t leave any traces on disk making it more difficult for traditional file-based antivirus programs to detect it.
The capabilities of this RAT include keylogging, remote desktop, spying through the microphone and camera, remote command prompt execution, process and file management, hiding different message boxes, menus and desktop items, distributed denial-of-service attacks, and stealing information stored in the built-in password managers of several browsers.
VBScript comes into play
At the same time, the PowerShell script from stage 2 invokes a large string encoded in Base64 which turns out to be VBScript code. This appears to be an alternative payload delivery mechanism because this VBScript code also connects to Dropbox and downloads an additional payload called info_sc.txt that contains even more VBScript code.
This new script is quite complex and uses the Windows Management Instrumentation (WMI) API to perform additional actions, including gathering information about the operating system and creating scheduled tasks on the system for persistence. If the OS is older than Windows 10, the script downloads yet another payload from a Dropbox URL, but first uses Google Docs to determine the payload URL.
The VBScript code then drops a PowerShell script on the system. The script is used for period communication with a command-and-control mechanism using Dropbox and to load a final script that acts as a powerful backdoor with keylogging and clipboard monitoring capabilities. “The malware payloads used in the DEEP#GOSU represent a sophisticated, multi-stage threat designed to operate stealthily on Windows systems especially from a network-monitoring standpoint,” the researchers said. “It relied on both PowerShell and VBScript for its execution which interestingly enough used very minimal obfuscation. Each stage was encrypted using AES and a common password and IV which should minimize network, or flat file scanning detections.”