Dissecting A Multi-Stage PowerShell Campaign Using Chisel
Nov. 12, 2024, 3:56 p.m.
Description
A sophisticated multi-stage PowerShell campaign has been identified, utilizing an LNK file to initiate a sequence of obfuscated scripts. The attack maintains persistence and stealth by connecting with a command-and-control server. It employs Chisel, a fast TCP/UDP tunneling tool, and a Netskope proxy for covert communication, enabling lateral movement within compromised networks. The campaign involves three stages of PowerShell scripts, each with specific functions to establish persistence, communicate with the C&C server, and execute received commands. The presence of a Chisel DLL suggests advanced threat actor tactics aimed at prolonged control and evasion, indicating a highly organized or financially motivated operation.
Tags
Date
- Created: Nov. 12, 2024, 12:30 p.m.
- Published: Nov. 12, 2024, 12:30 p.m.
- Modified: Nov. 12, 2024, 3:56 p.m.
Indicators
- 8e812bb7fde8c451d2a5efc1a303f2512804f87f041b1afe2d20046d36e64830
- 6c7636e21311a2c5ab024599060d468e03d8975096c0eb923048ad89f372469e
- 6332d328a6ddaa8f0c1b3353ee044df18e7867d80a0558823480bd17c14a24bc
- 319beca16c766f5b9f8cc4ba25f0b99f1b4769d119eb74dfd694d3f49a23a5b9
- 0169283f9df2d7ba84516b3cce50d93dbb6445cc6b2201459fa8a2bc3e319ea3
- c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
- a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
- 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647
- 163.116.128.80
- https://ligolo.innov-eula.com
- https://c2.innov-eula.com/feibfiuzbdofinza
- https://credit-agricole.webdav.innov-eula.com/
- https://c2.innov-eula.com
- ligolo.innov-eula.com
- credit-agricole.webdev.innov-eula.com
- credit-agricole.webdav.innov-eula.com
- c2.innov-eula.com
Attack Patterns
- Chisel
- T1059.001
- T1547.001
- T1071.001
- T1027