Kaspersky has released a report detailing the activities of the TookPS downloader, a malware strain first observed in campaigns that impersonated the DeepSeek LLM. Further analysis shows that TookPS's reach extends well beyond fake neural-network sites, posing a broader threat to both individual users and organizations.
The report highlights the use of fraudulent websites designed to mimic official sources for popular software. These include remote desktop tools like UltraViewer and 3D modeling software such as SketchUp and AutoCAD.
Kaspersky’s telemetry analysis also uncovered malicious files named after legitimate applications like Ableton (music production software) and Quicken (personal finance app), indicating a wide range of potential targets.
The report provides a detailed breakdown of the TookPS infection chain. The downloader's first action on a compromised host is to fetch a PowerShell script from a command-and-control (C2) domain hard-coded in the binary: “Upon infiltrating a victim’s device, the downloader reaches out to its C2 server, whose domain is embedded in its code, to retrieve a PowerShell script“, the report explains.
Notably, different TookPS samples communicate with different C2 domains. For instance, one sample with the MD5 hash 2AEF18C97265D00358D6A77889470960 contacted the domain bsrecov4[.]digital. The downloaded PowerShell script then executes a series of commands to further compromise the infected system.
The malicious PowerShell scripts perform several critical actions:
- They download and execute “sshd.exe”, along with its configuration and RSA key files, from the C2 server.
- They retrieve command-line parameters for “sshd” (remote server address, port, and username) and then run “sshd” to establish an SSH tunnel. As the report states, “This command starts an SSH server, thereby establishing a tunnel between the infected device and the remote server”. This tunnel grants attackers “full system access, allowing for arbitrary command execution”.
- They attempt to download a modified version of the Backdoor.Win32.TeviRat malware, a well-known backdoor, onto the victim’s machine.
- They download Backdoor.Win32.Lapmon.*, although the exact delivery method remains unclear.
The report emphasizes the use of DLL sideloading to deploy the TeamViewer remote access software in a way that conceals malicious activity. “In simple terms, the attackers place a malicious library in the same folder as TeamViewer, which alters the software’s default behavior and settings, hiding it from the user and providing the attackers with covert remote access“, the report clarifies.
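Two of the behaviours described above leave process and image-load telemetry that a defender can hunt for: an SSH daemon executed by PowerShell from a user-writable directory, and a DLL loaded by TeamViewer from its own folder that does not carry the vendor's signature. The following is an added example of that detection logic, not code from Kaspersky's report; it runs over constructed, Sysmon-style key/value events (the paths, user names, command-line flags and signature strings are hypothetical), and the rule thresholds are this example's own choices.

```python
"""Hunt constructed Sysmon-style events for the two TookPS behaviours.

Rule 1 (Event ID 1, ProcessCreate): sshd.exe running outside the OpenSSH
install directories, or spawned by PowerShell.
Rule 2 (Event ID 7, ImageLoad): TeamViewer.exe loading a DLL that sits in
its own folder but is not signed by TeamViewer (DLL sideloading).
All sample events below are constructed for this example.
"""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample events. Only the fields the rules need are present.
SAMPLE_EVENTS = [
    # Legitimate Windows OpenSSH server started by the service control manager.
    'EventID="1" Image="C:\\Windows\\System32\\OpenSSH\\sshd.exe" '
    'ParentImage="C:\\Windows\\System32\\services.exe" CommandLine="sshd.exe" '
    'User="NT AUTHORITY\\SYSTEM"',
    # Hypothetical dropped sshd.exe launched by a PowerShell script from %TEMP%.
    'EventID="1" Image="C:\\Users\\alice\\AppData\\Local\\Temp\\sshd.exe" '
    'ParentImage="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="sshd.exe -f C:\\Users\\alice\\AppData\\Local\\Temp\\sshd_config" '
    'User="DESKTOP\\alice"',
    # Legitimate TeamViewer loading one of its own signed DLLs.
    'EventID="7" Image="C:\\Program Files\\TeamViewer\\TeamViewer.exe" '
    'ImageLoaded="C:\\Program Files\\TeamViewer\\TV.dll" Signed="true" '
    'Signature="TeamViewer Germany GmbH"',
    # Hypothetical sideload: unsigned DLL placed next to a user-dropped TeamViewer.
    'EventID="7" Image="C:\\Users\\alice\\Downloads\\TeamViewer\\TeamViewer.exe" '
    'ImageLoaded="C:\\Users\\alice\\Downloads\\TeamViewer\\version.dll" '
    'Signed="false" Signature=""',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Directories where an sshd.exe is expected on a Windows host (example choice).
TRUSTED_SSHD_DIRS = (
    "c:\\windows\\system32\\openssh\\",
    "c:\\program files\\openssh\\",
)


def parse_event(line: str) -> Dict[str, str]:
    """Turn a key="value" event line into a dict."""
    return dict(KV_RE.findall(line))


def flag_rogue_sshd(ev: Dict[str, str]) -> Optional[List[str]]:
    """Rule 1: return reasons if this ProcessCreate looks like a dropped SSH server."""
    if ev.get("EventID") != "1":
        return None
    image = ev.get("Image", "").lower()
    if not image.endswith("\\sshd.exe"):
        return None
    parent = ev.get("ParentImage", "").lower()
    reasons = []
    if not image.startswith(TRUSTED_SSHD_DIRS):
        reasons.append("sshd.exe running outside the OpenSSH install directory")
    if parent.endswith(("\\powershell.exe", "\\pwsh.exe")):
        reasons.append("sshd.exe spawned by PowerShell")
    return reasons or None


def flag_teamviewer_sideload(ev: Dict[str, str]) -> Optional[List[str]]:
    """Rule 2: return reasons if TeamViewer loads a non-vendor DLL from its own folder."""
    if ev.get("EventID") != "7":
        return None
    host = ev.get("Image", "").lower()
    if not host.endswith("\\teamviewer.exe"):
        return None
    loaded = ev.get("ImageLoaded", "").lower()
    host_dir, _, _ = host.rpartition("\\")
    loaded_dir, _, loaded_name = loaded.rpartition("\\")
    # Sideloading relies on the search order picking a DLL beside the EXE,
    # so only DLLs in the host's own directory are interesting here.
    if loaded_dir != host_dir:
        return None
    signed = ev.get("Signed", "").lower() == "true"
    vendor_ok = "teamviewer" in ev.get("Signature", "").lower()
    if signed and vendor_ok:
        return None
    return [f"{loaded_name} loaded from the TeamViewer folder without a TeamViewer signature"]


RULES: List[Callable[[Dict[str, str]], Optional[List[str]]]] = [
    flag_rogue_sshd,
    flag_teamviewer_sideload,
]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Apply every rule to every event; return one hit per (rule, event) match."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            reasons = rule(ev)
            if reasons:
                hits.append({"rule": rule.__name__, "image": ev.get("Image"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["rule"], hit["image"], "; ".join(hit["reasons"]))
```

On real telemetry the same rules map directly onto Sysmon Event ID 1 and Event ID 7 (or the equivalent EDR process and module events); the legitimate-sshd exemption should be tightened to the paths your fleet actually uses, and the signature check should rely on the sensor's own signature verification rather than a string match.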
The malicious infrastructure used in these attacks relies primarily on domains registered in early 2024 and hosted on a small set of IP addresses. Kaspersky’s analysis of that infrastructure also points to earlier activity by the same operators: “This strongly suggests these attackers had used other tools prior to TookPS, Lapmon, and TeviRat“, the report indicates.