Advanced – INDIA NEWS (https://www.indiavpn.org)

New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics
https://www.indiavpn.org/2024/03/18/new-deepgosu-malware-campaign-targets-windows-users-with-advanced-tactics/
Mon, 18 Mar 2024 19:12:35 +0000

A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information.

Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it’s likely associated with the North Korean state-sponsored group tracked as Kimsuky.

“The malware payloads used in the DEEP#GOSU represent a sophisticated, multi-stage threat designed to operate stealthily on Windows systems especially from a network-monitoring standpoint,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical analysis shared with The Hacker News.

“Its capabilities included keylogging, clipboard monitoring, dynamic payload execution, and data exfiltration, and persistence using both RAT software for full remote access, scheduled tasks as well as self-executing PowerShell scripts using jobs.”

A notable aspect of the infection procedure is that it leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), thus allowing the threat actor to blend undetected into regular network traffic.

On top of that, the use of such cloud services to stage the payloads allows for updating the functionality of the malware or delivering additional modules.

The starting point is said to be a malicious email attachment containing a ZIP archive with a rogue shortcut file (.LNK) that masquerades as a PDF file (“IMG_20240214_0001.pdf.lnk”).

The .LNK file comes embedded with a PowerShell script as well as a decoy PDF document, with the former also reaching out to an actor-controlled Dropbox infrastructure to retrieve and execute another PowerShell script (“ps.bin”).

The second-stage PowerShell script, for its part, fetches a new file from Dropbox (“r_enc.bin”), a .NET assembly file in binary form that’s actually an open-source remote access trojan known as TruRat (aka TutRat or C# RAT) with capabilities to record keystrokes, manage files, and facilitate remote control.

It’s worth noting that Kimsuky has employed TruRat in at least two campaigns uncovered by the AhnLab Security Intelligence Center (ASEC) last year.

Also retrieved by the PowerShell script from Dropbox is a VBScript (“info_sc.txt”), which, in turn, is designed to run arbitrary VBScript code retrieved from the cloud storage service, including a PowerShell script (“w568232.ps12x”).

The VBScript is also designed to use Windows Management Instrumentation (WMI) to execute commands on the system and to set up scheduled tasks for persistence.

Another noteworthy aspect of the VBScript is the use of Google Docs to dynamically retrieve configuration data for the Dropbox connection, allowing the threat actor to change the account information without having to alter the script itself.

The PowerShell script downloaded as a result is equipped to gather extensive information about the system and exfiltrate the details via a POST request to Dropbox.

“The purpose of this script appears to be designed to serve as a tool for periodic communication with a command-and-control (C2) server via Dropbox,” the researchers said. “Its main purposes include encrypting and exfiltrating or downloading data.”

In other words, it acts as a backdoor to control the compromised hosts and continuously keep a log of user activity, including keystrokes, clipboard content, and the foreground window.

The development comes as security researcher Ovi Liber detailed North Korea-linked ScarCruft’s embedding of malicious code within Hangul Word Processor (HWP) lure documents present in phishing emails to distribute malware like RokRAT.

“The email contains a HWP Doc which has an embedded OLE object in the form of a BAT script,” Liber said. “Once the user clicks on the OLE object, the BAT script executes which in turn creates a PowerShell-based reflective DLL injection attack on the victim's machine.”

It also follows Andariel’s exploitation of a legitimate remote desktop solution called MeshAgent to install malware like AndarLoader and ModeLoader, a JavaScript malware meant for command execution.

“This is the first confirmed use of a MeshAgent by the Andariel group,” ASEC said. “The Andariel Group has been continuously abusing the asset management solutions of domestic companies to distribute malware in the process of lateral movement, starting with Innorix Agent in the past.”

Andariel, also known by the names Nickel Hyatt or Silent Chollima, is a sub-cluster of the notorious Lazarus Group, actively orchestrating attacks for both cyber espionage and financial gain.

The prolific state-sponsored threat actor has since been observed laundering a chunk of the crypto assets stolen from the hack of crypto exchange HTX and its cross-chain bridge (aka HECO Bridge) through Tornado Cash. The breach led to the theft of $112.5 million in cryptocurrency in November 2023.

“Following common crypto-laundering patterns, the stolen tokens were immediately swapped for ETH, using decentralized exchanges,” Elliptic said. “The stolen funds then lay dormant until March 13, 2024, when the stolen crypto assets began to be sent through Tornado Cash.”

The blockchain analytics firm said that Tornado Cash's continued operation despite sanctions has likely made it an attractive proposition for the Lazarus Group to conceal its transaction trail following the shutdown of Sinbad in November 2023.

“The mixer operates through smart contracts running on decentralized blockchains, so it cannot be seized and shut down in the same way that centralized mixers such as Sinbad.io have been,” it noted.

Mustang Panda Targets Asia with Advanced PlugX Variant DOPLUGS
https://www.indiavpn.org/2024/02/21/mustang-panda-targets-asia-with-advanced-plugx-variant-doplugs/
Wed, 21 Feb 2024 13:37:14 +0000

Feb 21, 2024 | Newsroom | Malware / Cyber Espionage

The China-linked threat actor known as Mustang Panda has targeted various Asian countries using a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS.

“The piece of customized PlugX malware is dissimilar to the general type of the PlugX malware that contains a completed backdoor command module, and that the former is only used for downloading the latter,” Trend Micro researchers Sunny Lu and Pierre Lee said in a new technical write-up.

Targets of DOPLUGS have been primarily located in Taiwan and Vietnam, and to a lesser extent in Hong Kong, India, Japan, Malaysia, Mongolia, and even China.

PlugX is a staple tool of Mustang Panda, which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TA416, and TEMP.Hex. It’s known to be active since at least 2012, although it first came to light in 2017.

The threat actor’s tradecraft entails carrying out well-forged spear-phishing campaigns that are designed to deploy custom malware. It also has a track record of deploying its own customized PlugX variants such as RedDelta, Thor, Hodur, and DOPLUGS (distributed via a campaign named SmugX) since 2018.

Compromise chains follow a consistent pattern: a phishing message delivers a first-stage payload that displays a decoy document to the recipient while covertly unpacking a legitimate, signed executable vulnerable to DLL side-loading. That executable loads a malicious dynamic-link library (DLL), which in turn decrypts and executes PlugX.

The PlugX malware subsequently retrieves Poison Ivy remote access trojan (RAT) or Cobalt Strike Beacon to establish a connection with a Mustang Panda-controlled server.

In December 2023, Lab52 uncovered a Mustang Panda campaign targeting Taiwanese political, diplomatic, and governmental entities with DOPLUGS, but with a notable difference.

“The malicious DLL is written in the Nim programming language,” Lab52 said. “This new variant uses its own implementation of the RC4 algorithm to decrypt PlugX, unlike previous versions that use the Windows Cryptsp.dll library.”

DOPLUGS, first documented by Secureworks in September 2022, is a downloader with four backdoor commands, one of which is orchestrated to download the general type of the PlugX malware.

Trend Micro said it also identified DOPLUGS samples integrated with a module known as KillSomeOne, a plugin that’s responsible for malware distribution, information collection, and document theft via USB drives.

This variant comes fitted with an extra launcher component that executes the legitimate executable to perform DLL-sideloading, in addition to supporting functionality to run commands and download the next-stage malware from an actor-controlled server.

It’s worth noting that a customized PlugX variant, including the KillSomeOne module designed for spreading via USB, was uncovered as early as January 2020 by Avira as part of attacks directed against Hong Kong and Vietnam.

“This shows that Earth Preta has been refining its tools for some time now, constantly adding new functionalities and features,” the researchers said. “The group remains highly active, particularly in Europe and Asia.”

Chinese Hackers Using Deepfakes in Advanced Mobile Banking Malware Attacks
https://www.indiavpn.org/2024/02/15/chinese-hackers-using-deepfakes-in-advanced-mobile-banking-malware-attacks/
Thu, 15 Feb 2024 10:38:39 +0000

A Chinese-speaking threat actor codenamed GoldFactory has been attributed to the development of highly sophisticated banking trojans, including a previously undocumented iOS malware called GoldPickaxe that's capable of harvesting identity documents and facial recognition data, and of intercepting SMS.

“The GoldPickaxe family is available for both iOS and Android platforms,” Singapore-headquartered Group-IB said in an extensive report shared with The Hacker News. “GoldFactory is believed to be a well-organized Chinese-speaking cybercrime group with close connections to Gigabud.”

Active since at least mid-2023, GoldFactory is also responsible for another Android-based banking malware called GoldDigger and its enhanced variant GoldDiggerPlus as well as GoldKefu, an embedded trojan inside GoldDiggerPlus.

Social engineering campaigns distributing the malware have been found to target the Asia-Pacific region, specifically Thailand and Vietnam, by masquerading as local banks and government organizations.

In these attacks, prospective victims are sent smishing and phishing messages and guided to switch the conversation to instant messaging apps like LINE, before sending bogus URLs that lead to the deployment of GoldPickaxe on the devices.

Some of these malicious apps targeting Android are hosted on counterfeit websites resembling Google Play Store pages or fake corporate websites to complete the installation process.

GoldPickaxe for iOS, however, employs a different distribution scheme, with successive iterations leveraging Apple's TestFlight platform and booby-trapped URLs that prompt users to install a Mobile Device Management (MDM) profile, granting the attacker complete control over the iOS device in order to install the rogue app.

Both these propagation mechanisms were disclosed by the Thailand Banking Sector CERT (TB-CERT) and the Cyber Crime Investigation Bureau (CCIB), respectively, in November 2023.

The sophistication of GoldPickaxe is also evident in the fact that it’s designed to get around security measures imposed by Thailand that require users to confirm larger transactions using facial recognition to prevent fraud.

“GoldPickaxe prompts the victim to record a video as a confirmation method in the fake application,” security researchers Andrey Polovinkin and Sharmine Low said. “The recorded video is then used as raw material for the creation of deepfake videos facilitated by face-swapping artificial intelligence services.”

Furthermore, the Android and iOS flavors of the malware are equipped to collect the victim's ID documents and photos, intercept incoming SMS messages, and proxy traffic through the compromised device. It's suspected that the GoldFactory actors use their own devices to sign in to the bank application and perform unauthorized fund transfers.

That said, the iOS variant exhibits fewer functionalities than its Android counterpart, owing to the closed nature of the iOS operating system and the relatively stricter iOS permission model.

The Android version – considered an evolutionary successor of GoldDiggerPlus – also poses as over 20 different applications from Thailand’s government, the financial sector, and utility companies to steal login credentials from these services. However, it’s currently not clear what the threat actors do with this information.

Another notable aspect of the malware is its abuse of Android’s accessibility services to log keystrokes and extract on-screen content.

GoldDigger also shares code-level similarities with GoldPickaxe, although it is chiefly designed to steal banking credentials, while the latter is geared more towards gathering personal information from victims. No GoldDigger artifacts aimed at iOS devices have been identified to date.

“The primary feature of GoldDigger is that it targets over 50 applications from Vietnamese financial companies, including their packages’ names in the trojan,” the researchers said. “Whenever the targeted applications open, it will save the text displayed or written on the UI, including passwords, when they are entered.”

The base version of GoldDigger, which was first discovered in June 2023 and is still in circulation, has since paved the way for more upgraded variants, including GoldDiggerPlus, which comes embedded with another trojan APK component dubbed GoldKefu to carry out the malicious actions.

GoldDiggerPlus is said to have emerged in September 2023, with GoldKefu impersonating a popular Vietnamese messaging app to siphon banking credentials associated with 10 financial institutions.

GoldKefu also integrates the Agora Software Development Kit (SDK) to facilitate interactive voice and video calls and trick victims into contacting a bogus bank customer service line, sending fake alerts that induce a false sense of urgency by claiming that a fund transfer to the tune of 3 million Thai Baht has taken place on their accounts.

If anything, the development is a sign that the mobile malware landscape remains a lucrative market for cybercriminals looking for quick financial gain, even as they find ways to circumvent defensive measures erected by banks to counter such threats. It also demonstrates the ever-shifting and dynamic nature of social engineering schemes that aim to deliver malware to victims’ devices.

To mitigate the risks posed by GoldFactory and its suite of mobile banking malware, it's strongly advised not to click on suspicious links or install apps from untrusted sites, as these are common malware delivery vectors, and to periodically review the permissions granted to apps, particularly those requesting Android's accessibility services.

“GoldFactory is a resourceful team adept at various tactics, including impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity, and facial recognition data collection,” the researchers said. “The team comprises separate development and operator groups dedicated to specific regions.”

“The gang has well-defined processes and operational maturity and constantly enhances its toolset to align with the targeted environment showcasing a high proficiency in malware development.”
