Dissecting A Multi-Stage PowerShell Campaign Using Chisel
Nov. 12, 2024, 3:56 p.m.
Description
A sophisticated multi-stage PowerShell campaign has been identified that uses an LNK file to launch a sequence of obfuscated scripts. The attack maintains persistence and stealth through communication with a command-and-control (C&C) server. It employs Chisel, a fast TCP/UDP tunnelling tool, together with a Netskope proxy for covert communication, enabling lateral movement within compromised networks. The campaign consists of three stages of PowerShell scripts, each with a specific function: establishing persistence, communicating with the C&C server, and executing received commands. The presence of a Chisel DLL suggests advanced threat-actor tradecraft aimed at prolonged control and evasion, indicating a highly organized or financially motivated operation.
Date
Published: Nov. 12, 2024, 12:30 p.m.
Created: Nov. 12, 2024, 12:30 p.m.
Modified: Nov. 12, 2024, 3:56 p.m.
Indicators
Attack Patterns
Chisel
T1059.001
T1547.001
T1071.001
T1027