Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware

Securonix Threat Research details a multi-stage DEEP#GOSU campaign that uses a malicious .lnk with embedded PowerShell and a concatenated PDF lure to download further stages from Dropbox, ultimately loading a C# RAT (TutClient) in memory and deploying persistent PowerShell/VBScript stagers. The attack chain performs system enumeration, AES-encrypted data exfiltration to cloud storage, and keylogging/clipboard capture. #DEEPGOSU #Kimsuky #TutClient #Dropbox

Keypoints

  • Initial infection via a large .lnk shortcut containing an embedded PowerShell payload and a concatenated PDF lure (e.g., IMG_20240214_0001.pdf.lnk) that extracts and displays the PDF while executing hidden code.
  • Primary C2/payload hosting uses legitimate cloud services (Dropbox, Google Docs) with embedded OAuth tokens to download multiple staged payloads (ps.bin, r_enc.bin, info_sc.txt).
  • Stage 2 PowerShell (ps.bin) decompresses and dynamically loads .NET assemblies in memory, then downloads and decompresses r_enc.bin which decodes to a C# RAT (TutClient) executed without touching disk.
  • VBScript stages fetched from Dropbox execute remote code, use WMI and scheduled tasks for persistence, and write a persistent PowerShell script to %APPDATA% (w568232.ps1) for periodic C2 communication.
  • Enumeration and exfiltration occur via PowerShell: extensive system, file, and user-profile discovery is AES-encrypted and uploaded via Dropbox API calls.
  • Final stage includes a PowerShell keylogger and clipboard monitor using native Windows APIs (.NET Add-Type, GetAsyncKeyState, GetClipboardSequenceNumber) that saves logs to AppData (version.xml) for later exfiltration.

MITRE Techniques

  • [T1204.002] User Execution: LNK files – Initial execution via a malicious shortcut file (‘IMG_20240214_0001.pdf.lnk’) that runs embedded PowerShell.
  • [T1204.001] User Execution: Malicious Link – The lure presents a PDF to the user to mask the malicious activity (‘When the user clicks the PDF lure (shortcut file) they’re immediately presented with a PDF file’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Multiple stages use PowerShell to download, decrypt, decompress, and execute payloads (‘the ps.bin file is actually another PowerShell script’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – VBScript stages download and Execute() remote code from Dropbox (‘The crucial part of this script is the “Execute” statement’).
  • [T1102] Web Service – C2 and payload retrieval use Dropbox/Google Docs APIs with OAuth tokens to fetch binaries and scripts (‘download/step2/ps.bin’, ‘r_enc.bin’, ‘info_sc.txt’).
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – AES-encrypted reconnaissance data is uploaded to Dropbox via POST requests (‘constructs an HTTP POST request to upload encrypted data’).
  • [T1219] Remote Access Software – The campaign deploys an open-source C# RAT (TutClient/TutRAT) for remote control (‘the decompressed binary file ends up being an open source RAT … TutClient.exe’).
  • [T1573] Encrypted Channel – OAuth and HTTPS communications are used for C2 and uploads to cloud storage (‘uses this token to authorize an upload to Dropbox’).
  • [T1047] Windows Management Instrumentation – VBScript includes a WMProc subroutine that uses WMI to execute commands on the system (‘uses WMI to execute commands on the system’).
  • [T1053] Scheduled Task/Job – The VBScript schedules tasks to maintain persistence (‘Reg subroutine actually schedules a new task’).
  • [T1082] System Information Discovery – PowerShell stages enumerate processes, firewall status, AV products, user profile directories, drives and files (‘The script enumerates the following items: Running processes … Firewall status … Registered antivirus products’).
  • [T1083] File and Directory Discovery – Stagers enumerate directories and files across drives and user profiles (‘Directories and files within each accessible drive’).
  • [T1115] Clipboard Data – Final PowerShell stage monitors and logs clipboard changes using GetClipboardSequenceNumber and [Windows.Clipboard]::GetText() (‘monitor and log changes in the clipboard content’).
  • [T1056.001] Input Capture: Keylogging – Key capture via GetAsyncKeyState and .NET interop to log keystrokes (‘uses functions such as GetAsyncKeyState to monitor the state of individual keys’).
  • [T1027] Obfuscated Files or Information – Authors use padding and minimal obfuscation (e.g., long sequence of ‘A’ characters and embedded PDF) to evade detection (‘attached to it after tens of thousands of “A” characters’).
  • [T1027.010] Command Obfuscation – Large, complex PowerShell command lines and embedded Base64 strings are used to hide intent (‘length of the command is quite impressive … Base64-encoded string’).
  • [T1070.004] Indicator Removal: File Deletion – Shortcut stage cleans up created files after execution (‘All files are then deleted’).
  • [T1140] Deobfuscate/Decode Files or Information – Scripts decode Base64 and GZIP payloads to reconstruct executables or scripts (r_enc.bin is ‘From Base64’ and ‘Gunzip’).
  • [T1132.001] Data Encoding: Standard Encoding – Use of Base64 encoding and gzipped payloads in multiple stages (‘large Base64 encoded string’, ‘GzExtract’).
  • [T1041] Exfiltration Over C2 Channel – Periodic PowerShell backdoor uploads and downloads data via cloud-backed C2 (‘script acts as a tool for periodic communication with a command and control (C2) server via Dropbox’).

Indicators of Compromise

  • [C2 URLs] Dropbox-hosted payload and C2 endpoints – https://content.dropboxapi.com/2/files/download/step2/ps.bin, https://content.dropboxapi.com/2/files/download/step2/r_enc.bin (also info_sc.txt, info_ps.bin, ad_ps.bin)
  • [Domains] Malware staging and fallback hosts – gbionet.com (up1/list.php) used for older payload fetches.
  • [File names] Lure and persistence artifacts – IMG_20240214_0001.pdf.lnk, c:\users\<username>\appdata\roaming\microsoft\windows\w568232.ps1, AppData\Microsoft\Windows\Themes\version.xml
  • [File hashes] Sample hashes for analyzed files – IMG_20240214_0001.pdf.lnk: F262588C48D29029…C6E9, PDF IMG_20240214_0001.pdf: 69C917EA96DB28DB…5A1C (PowerShell file hashes: 60666C…C72E and two more)

The technical execution begins with a malicious .lnk file that embeds a large PowerShell command and a concatenated PDF payload. The .lnk extracts the PDF bytes from specific offsets, writes and opens the PDF to satisfy the user lure, then authenticates to Dropbox (using embedded OAuth parameters) to download a next-stage PowerShell script (ps.bin). This initial script also contains AES decrypt routines and cleans up artifacts after execution.
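The shortcut described above has a recognisable shape: a valid Shell Link header, an oversized file, a document extension in front of `.lnk`, an interpreter name in its UTF-16LE string fields, a long run of `A` padding and a `%PDF-` header somewhere after it. The following triage script is an added example written for this summary (it is not Securonix's code, and the 64 KiB size threshold, the double-extension list and the constructed sample bytes are assumptions, not values from the advisory). It checks a file's bytes for those traits and reports which are present, so an analyst can score a suspect shortcut without opening it.

```python
import re
from dataclasses import dataclass, field

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"
# Genuine shortcuts are a few KB; this threshold is an assumed, tunable value.
SIZE_THRESHOLD = 64 * 1024
# Document extension immediately before .lnk (assumed list of common lure types).
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.lnk$", re.I)


@dataclass
class LnkTriage:
    is_lnk: bool
    size: int
    findings: list = field(default_factory=list)
    embedded_pdf_offset: int = -1
    padding_run: int = 0

    @property
    def suspicious(self) -> bool:
        # Any single trait can be benign; two or more together match the lure pattern.
        return self.is_lnk and len(self.findings) >= 2


def longest_padding_run(data: bytes, char: bytes = b"A", minimum: int = 64) -> int:
    """Length of the longest run of `char` that is at least `minimum` bytes long."""
    runs = re.findall(re.escape(char) + b"{%d,}" % minimum, data)
    return max((len(r) for r in runs), default=0)


def triage_lnk(name: str, data: bytes) -> LnkTriage:
    """Inspect raw .lnk bytes and collect the traits of a concatenated-PDF lure."""
    result = LnkTriage(is_lnk=data.startswith(LNK_MAGIC), size=len(data))
    if not result.is_lnk:
        return result
    if DOUBLE_EXT.search(name):
        result.findings.append("document extension in front of .lnk")
    if len(data) > SIZE_THRESHOLD:
        result.findings.append(f"oversized shortcut ({len(data)} bytes)")
    # LNK string fields are UTF-16LE, so look for the interpreter in both encodings.
    lowered = data.lower()
    if b"powershell" in lowered or "powershell".encode("utf-16le") in lowered:
        result.findings.append("embedded PowerShell invocation")
    result.embedded_pdf_offset = data.find(PDF_MAGIC)
    if result.embedded_pdf_offset > 0:
        result.findings.append(f"PDF concatenated at offset {result.embedded_pdf_offset}")
    result.padding_run = longest_padding_run(data)
    if result.padding_run:
        result.findings.append(f"{result.padding_run}-byte run of 'A' padding")
    return result


def build_constructed_sample() -> bytes:
    """Constructed stand-in for the lure layout (not the real sample): header,
    a UTF-16LE command line, tens of thousands of 'A' bytes, then an appended PDF."""
    cmd = "powershell -w hidden -ep bypass".encode("utf-16le")
    return LNK_MAGIC + b"\x00" * 60 + cmd + b"A" * 70000 + b"%PDF-1.7\n%constructed lure\n%%EOF\n"


if __name__ == "__main__":
    verdict = triage_lnk("IMG_20240214_0001.pdf.lnk", build_constructed_sample())
    print("suspicious:", verdict.suspicious)
    for finding in verdict.findings:
        print("  -", finding)
```

On a real file, read the bytes with `open(path, "rb").read()` and pass the file name as `name`; the `embedded_pdf_offset` tells you where to carve the lure document for separate analysis, and `padding_run` distinguishes padded lures from merely large but legitimate shortcuts.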

ps.bin defines a GZIP decompression helper, dynamically loads .NET assemblies in memory, and uses the Dropbox API to fetch r_enc.bin, which is a Base64+GZIP-encoded Windows executable. After decoding and decompressing, the binary is loaded into memory and resolves to a C# RAT (TutClient/TutRAT) executed without being written to disk. Concurrently, large Base64 strings invoked by PowerShell decode to VBScript that downloads info_sc.txt from Dropbox, reads it via a VB Stream into a string, and Execute()s it—enabling arbitrary remote code execution, WMI-based command execution, and scheduled-task persistence depending on OS version.
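Because r_enc.bin is Base64 wrapped around GZIP wrapped around a Windows executable, an analyst who has pulled the staged files from the cloud account needs to peel those layers and identify what is inside before any further work. The script below is an added example for this summary (not Securonix's tooling and not the campaign's code); it unwraps Base64/GZIP layers in whatever order they appear, then classifies the result as a PE image, a PowerShell script, a VBScript or unknown. The PE check follows the documented MZ/e_lfanew/PE layout; the script keyword lists and the constructed samples are assumptions.

```python
import base64
import gzip
import re
import struct

# Keyword hints are an assumed, minimal set; extend for your own corpus.
PS_HINTS = (b"invoke-expression", b"add-type", b"downloadstring",
            b"frombase64string", b"[system.", b"$env:")
VBS_STARTS = (b"execute", b"dim ", b"set ", b"on error", b"function ", b"sub ")
B64_ALPHABET = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """MZ DOS stub followed by the 'PE\\0\\0' signature at the e_lfanew offset (0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(blob: bytes) -> str:
    if looks_like_pe(blob):
        return "pe"
    lowered = blob.lower()
    if any(hint in lowered for hint in PS_HINTS):
        return "powershell"
    if lowered.lstrip().startswith(VBS_STARTS):
        return "vbscript"
    return "unknown"


def unwrap_layers(blob: bytes, max_layers: int = 4) -> tuple:
    """Strip GZIP and Base64 wrappers in any order until the inner payload remains.
    Returns (payload, [layer names in the order they were removed])."""
    layers = []
    for _ in range(max_layers):
        if blob[:2] == b"\x1f\x8b":                      # GZIP magic
            blob = gzip.decompress(blob)
            layers.append("gzip")
            continue
        compact = re.sub(rb"\s+", b"", blob)
        # Only treat the blob as Base64 when every byte is in the alphabet; binary
        # payloads and scripts with punctuation fail this test and end the loop.
        if compact and B64_ALPHABET.fullmatch(compact) and len(compact) % 4 == 0:
            blob = base64.b64decode(compact, validate=True)
            layers.append("base64")
            continue
        break
    return blob, layers


def triage_payload(blob: bytes) -> dict:
    inner, layers = unwrap_layers(blob)
    return {"layers": layers, "kind": classify(inner), "size": len(inner), "payload": inner}


def build_constructed_samples() -> dict:
    """Constructed stand-ins (not the real files): a non-executable PE skeleton wrapped
    the way r_enc.bin is, and a Base64-only PowerShell stager."""
    fake_pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
    script = b"$u = 'https://example.invalid/next.ps1'\nAdd-Type -AssemblyName System.Net.Http\n"
    return {
        "r_enc.bin": base64.b64encode(gzip.compress(fake_pe)),
        "stager": base64.b64encode(script),
    }


if __name__ == "__main__":
    for name, blob in build_constructed_samples().items():
        info = triage_payload(blob)
        print(f"{name}: layers={info['layers']} kind={info['kind']} size={info['size']}")
```

Run it against the bytes of each retrieved stage; a result of `kind == "pe"` with `layers == ["base64", "gzip"]` is the r_enc.bin pattern, and the decoded payload can then be hashed and handed to static analysis without ever being executed.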

Subsequent PowerShell stages perform comprehensive system discovery (processes, firewall/AV status, user profile and drive contents), AES-encrypt the collected data, refresh OAuth tokens, and upload the encrypted results to Dropbox. A persistent PowerShell backdoor (w568232.ps1) implements randomized check-in intervals and mutex logic, while a final stage deploys a .NET-based keylogger and clipboard monitor (GetAsyncKeyState, GetClipboardSequenceNumber, [Windows.Clipboard]::GetText()) that appends logs to a local file (version.xml) for exfiltration via the same cloud channels.
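Three behaviours in these stages are detectable from ordinary endpoint telemetry: a script interpreter (not the Dropbox client) talking to the `content.dropboxapi.com` file API, a `.ps1` or `.vbs` being written under `%APPDATA%\Microsoft\Windows`, and `schtasks.exe` being spawned by `wscript.exe` or `powershell.exe`. The following detection logic is an added example for this summary (it is not a Securonix rule); it parses constructed key=value event lines, so the field names, the `WS01` host, the `alice` user and the Dropbox client path are all assumptions, while the `w568232.ps1` name and the `/2/files/download` endpoint come from the advisory.

```python
import re
from collections import namedtuple

# Constructed telemetry in a simple key=value shape (not real logs). Host name, user
# and the benign Dropbox.exe / chrome.exe lines are placeholders for contrast.
LOG_LINES = [
    r'ts=2024-02-14T09:01:02Z host=WS01 event=process image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent_image="C:\Windows\explorer.exe"',
    r'ts=2024-02-14T09:01:03Z host=WS01 event=network image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dest=content.dropboxapi.com uri=/2/files/download method=POST',
    r'ts=2024-02-14T09:01:09Z host=WS01 event=file_create image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" path="C:\Users\alice\AppData\Roaming\Microsoft\Windows\w568232.ps1"',
    r'ts=2024-02-14T09:01:15Z host=WS01 event=process image="C:\Windows\System32\schtasks.exe" parent_image="C:\Windows\System32\wscript.exe"',
    r'ts=2024-02-14T09:02:40Z host=WS01 event=network image="C:\Program Files\Dropbox\Client\Dropbox.exe" dest=content.dropboxapi.com uri=/2/files/upload method=POST',
    r'ts=2024-02-14T09:03:00Z host=WS01 event=network image="C:\Program Files\Google\Chrome\Application\chrome.exe" dest=www.example.com uri=/ method=GET',
]

Alert = namedtuple("Alert", "rule ts detail")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
DROPBOX_CONTENT = "content.dropboxapi.com"
# Script dropped directly under the roaming Microsoft\Windows folder, as w568232.ps1 was.
APPDATA_SCRIPT = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\[^\\]+\.(ps1|vbs)$", re.I)


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines) -> list:
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        proc = basename(ev.get("image", ""))
        parent = basename(ev.get("parent_image", ""))
        kind = ev.get("event")
        if (kind == "network" and proc in SCRIPT_HOSTS
                and ev.get("dest") == DROPBOX_CONTENT
                and ev.get("uri", "").startswith("/2/files/")):
            # Interpreter using the file download/upload API; the real client is excluded by image.
            alerts.append(Alert("script_host_dropbox_content_api", ev["ts"],
                                f"{proc} {ev.get('method', '?')} {ev['uri']}"))
        elif (kind == "file_create" and proc in SCRIPT_HOSTS
                and APPDATA_SCRIPT.search(ev.get("path", ""))):
            alerts.append(Alert("script_dropped_under_appdata_windows", ev["ts"], ev["path"]))
        elif kind == "process" and proc == "schtasks.exe" and parent in SCRIPT_HOSTS:
            alerts.append(Alert("schtasks_spawned_by_script_host", ev["ts"], f"parent={parent}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(f"{alert.ts} {alert.rule}: {alert.detail}")
```

The first rule is the one worth tuning most carefully: browsers and the Dropbox desktop client legitimately reach `content.dropboxapi.com`, so the image allow-list (not the destination) carries the signal. Pair it with the file-write and scheduled-task rules on the same host within a few minutes to raise confidence before paging anyone.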

Read more: https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/