Cyber Security News

Hackers Use DeepSeek and Remote Desktop Apps to Deploy TookPS Malware

A recent investigation by cybersecurity researchers has uncovered a large-scale malware campaign that uses fake download pages for the DeepSeek LLM and for popular remote desktop applications to distribute the Trojan-Downloader.Win32.TookPS malware.

The attackers targeted both individual users and organizations by disguising malicious software as legitimate business tools, including UltraViewer, AutoCAD, and SketchUp.

Malicious Infrastructure and Infection Chain

The TookPS malware campaign begins with fraudulent websites mimicking official download pages for widely used software.

Malicious websites

These sites lure victims into downloading compromised files, such as “Ableton.exe” or “QuickenApp.exe,” which are disguised as legitimate applications.

Once run, the TookPS downloader contacts a command-and-control (C2) server whose address is embedded in its code.

This server delivers a series of PowerShell commands designed to download additional malicious payloads.

The infection chain involves three key stages:

  1. Payload Delivery: The first PowerShell script downloads an SSH server executable (“sshd.exe”) along with its configuration and RSA key files.
  2. Remote Access Setup: The second script configures the SSH server with command-line parameters, enabling attackers to establish a secure tunnel for remote access.
  3. Backdoor Deployment: The third script installs a modified version of Backdoor.Win32.TeviRat, which uses DLL sideloading to manipulate TeamViewer software for covert remote access. Additionally, another backdoor, Backdoor.Win32.Lapmon.*, is deployed, although its exact delivery method remains unclear.

With these tools in place, the attackers gain full control over infected systems, allowing them to execute arbitrary commands and siphon sensitive data.

Original command

Leveraging Popular Applications as Lures

The campaign’s success lies in its use of well-known software as bait.

Applications like UltraViewer (a remote desktop tool), AutoCAD (computer-aided design software), and SketchUp (3D modeling software) were among the primary lures because of their widespread use in business environments.

According to the report, this tactic increases the likelihood of victims downloading the malware from seemingly legitimate sources.

Moreover, attackers registered domains resembling official websites, such as “ultraviewer[.]icu” and “autocad-cracked[.]com.”

These domains were hosted on IP addresses linked to other malicious activities dating back to early 2024, suggesting a well-organized operation.

The TookPS malware employs advanced techniques to evade detection and maintain persistence:

  • DLL Sideloading: By placing a malicious library alongside a legitimate, signed program such as TeamViewer, the attackers have the trusted process load and run their code, so the activity appears to come from a legitimate application.
  • PowerShell Commands: The C2 server delivers its commands as Base64-encoded scripts, which hides their content from casual inspection and from simple keyword matching on the command line. The encoding is trivially reversible, so this is obfuscation rather than encryption.
  • SSH Tunneling: Key-based (RSA) authentication to the dropped SSH server gives the attackers encrypted, authenticated remote access that looks like ordinary administrative traffic to network controls.

These methods allow the attackers to operate undetected for extended periods, posing significant risks to both individual users and enterprises.

This campaign highlights the growing sophistication of cybercriminals in targeting critical business tools.

By exploiting trusted applications and leveraging advanced malware delivery techniques, attackers can infiltrate networks with devastating consequences.

To mitigate such threats, users are advised to:

  • Avoid downloading software from unverified or pirated sources.
  • Regularly update security solutions to detect emerging threats like TookPS.
  • Conduct periodic security awareness training for employees to recognize phishing attempts and fraudulent websites.

Organizations should also enforce strict policies against unauthorized software installations and implement robust endpoint protection systems capable of identifying anomalous behavior.

The TookPS campaign serves as a stark reminder of the evolving tactics cybercriminals use to exploit users' trust in familiar software.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
