Summary:
Cyble Research and Intelligence Lab (CRIL) has uncovered a sophisticated multi-stage infection campaign utilizing PowerShell scripts initiated by a malicious LNK file. The attack employs layered techniques to establish persistence, evade detection, and maintain communication with a command-and-control (C&C) server, ultimately enabling lateral movement within compromised networks.
Key Points:
- CRIL identified a multi-stage infection campaign using PowerShell.
- The attack begins with a malicious LNK file that triggers a PowerShell script.
- The first-stage script establishes persistence and downloads additional scripts.
- The second-stage script maintains communication with the C&C server.
- The third-stage script executes commands received from the C&C server.
- A Chisel DLL was found, indicating potential use for lateral movement.
- The threat actor (TA) likely uses a Netskope proxy for C&C communication.
- The campaign employs obfuscation techniques to evade detection.
- Recommendations include deploying EDR solutions and training users on phishing awareness.
MITRE Techniques:
- Initial Access (TA0001): Phishing (T1566): The campaign starts with a malicious LNK file that executes a PowerShell script; the script downloads and runs further payloads from the C2 server.
- Execution (TA0002): Command and Scripting Interpreter: PowerShell (T1059.001): The PowerShell script runs and downloads additional malicious payloads from a remote server.
- Persistence (TA0003): Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): A batch file is dropped into the Startup folder.
- Defense Evasion (TA0005): Obfuscated Files or Information (T1027): Obfuscated PowerShell scripts hide the activity from traditional security mechanisms.
- Command and Control (TA0011): Application Layer Protocol: Web Protocols (T1071.001) and Protocol Tunneling (T1572): Chisel builds a tunnel to the C2 server over HTTP/S, giving the TA further control over the infected system.
IoC:
- 6c7636e21311a2c5ab024599060d468e03d8975096c0eb923048ad89f372469e - SHA256 (LNK file)
- 8e812bb7fde8c451d2a5efc1a303f2512804f87f041b1afe2d20046d36e64830 - SHA256 (Log_29109314.ps1)
- 319beca16c766f5b9f8cc4ba25f0b99f1b4769d119eb74dfd694d3f49a23a5b9 - SHA256 (Log_29109318.bat)
- 0169283f9df2d7ba84516b3cce50d93dbb6445cc6b2201459fa8a2bc3e319ea3 - SHA256 (Log_29109317.bat)
- 6332d328a6ddaa8f0c1b3353ee044df18e7867d80a0558823480bd17c14a24bc - SHA256 (Chisel DLL)
- hxxps://ligolo.innov-eula[.]com - Domain
- hxxps://c2.innov-eula[.]com - Domain
- hxxps://c2.innov-eula[.]com/feibfiuzbdofinza - URL
- hxxps://credit-agricole.webdav.innov-eula[.]com - Domain
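The following IoC sweep is an added example, not code from the Cyble report or from the campaign itself. It takes the hashes and hosts listed above, hunts for the Startup-folder persistence (T1547.001) and for C2 hosts in proxy logs, and runs offline: the Startup folder contents and the proxy log lines are constructed for the demo. Two points go beyond the list as published and are assumptions: the `Log_<digits>.bat|ps1` name heuristic is derived from the file names in the IoC list, and the sweep flags any host under the apex `innov-eula[.]com`, since every published host sits beneath it.

```python
"""Offline IoC sweep for the LNK -> PowerShell -> Chisel chain in the CRIL report.
Hashes and hosts are taken from the report's IoC list; sample files and proxy
log lines are constructed here and are not from the report."""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# SHA256 values published in the report (lowercase hex -> label).
IOC_SHA256: Dict[str, str] = {
    "6c7636e21311a2c5ab024599060d468e03d8975096c0eb923048ad89f372469e": "LNK file",
    "8e812bb7fde8c451d2a5efc1a303f2512804f87f041b1afe2d20046d36e64830": "Log_29109314.ps1",
    "319beca16c766f5b9f8cc4ba25f0b99f1b4769d119eb74dfd694d3f49a23a5b9": "Log_29109318.bat",
    "0169283f9df2d7ba84516b3cce50d93dbb6445cc6b2201459fa8a2bc3e319ea3": "Log_29109317.bat",
    "6332d328a6ddaa8f0c1b3353ee044df18e7867d80a0558823480bd17c14a24bc": "Chisel DLL",
}

# Hosts as published (defanged). The apex entry is this example's own
# generalization: all three published hosts are subdomains of it.
IOC_HOSTS_DEFANGED = [
    "ligolo.innov-eula[.]com",
    "c2.innov-eula[.]com",
    "credit-agricole.webdav.innov-eula[.]com",
    "innov-eula[.]com",
]

# Heuristic (assumption): dropped stage files in the report are named Log_<digits>.bat/.ps1.
DROPPER_NAME_RE = re.compile(r"^log_\d+\.(?:bat|ps1)$", re.IGNORECASE)
# Hostname-looking tokens: one or more labels followed by an alphabetic TLD.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps, [.]) back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_HOSTS = [refang(h) for h in IOC_HOSTS_DEFANGED]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def default_startup_folders() -> List[Path]:
    """Per-user and all-users Startup folders on Windows (T1547.001).
    On other platforms these do not exist and the scan simply returns nothing."""
    return [
        Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup",
        Path(os.environ.get("ProgramData", "")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
    ]


def scan_startup_folder(folder: Path) -> List[dict]:
    """List every script/shortcut in a Startup folder. A hash that matches the
    report is a confirmed hit ('ioc_hit'); a Log_<n>.bat/.ps1 name is a
    heuristic hit ('name_hit'); everything else is returned for review."""
    findings = []
    if not folder.is_dir():
        return findings
    for p in sorted(folder.iterdir()):
        if not p.is_file() or p.suffix.lower() not in {".bat", ".cmd", ".ps1", ".lnk"}:
            continue
        digest = sha256_of(p)
        findings.append({
            "path": str(p),
            "sha256": digest,
            "ioc_hit": IOC_SHA256.get(digest),
            "name_hit": bool(DROPPER_NAME_RE.match(p.name)),
        })
    return findings


def host_is_ioc(host: str) -> bool:
    """Whole-label suffix match, so innov-eula.com.example.org does not match."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_HOSTS)


def match_network_log(lines: List[str]) -> List[str]:
    """Return proxy/DNS log lines that reference an IoC host."""
    return [line for line in lines
            if any(host_is_ioc(h) for h in HOST_RE.findall(line.lower()))]


def build_demo_startup_folder() -> Path:
    """Constructed Startup folder: a look-alike dropper name, a benign shortcut,
    an empty .cmd and a non-script file. Contents are stand-ins, not the real files."""
    folder = Path(tempfile.mkdtemp(prefix="startup-demo-"))
    (folder / "Log_29109318.bat").write_text("@echo off\r\nrem constructed stand-in\r\n")
    (folder / "Teams.lnk").write_bytes(b"L\x00\x00\x00")
    (folder / "desktop.ini").write_text("[.ShellClassInfo]\r\n")
    (folder / "empty.cmd").write_bytes(b"")
    return folder


# Constructed proxy log lines (not from the report) to exercise the matcher.
SAMPLE_PROXY_LOG = [
    "2024-06-01T10:00:01Z 10.0.0.5 CONNECT c2.innov-eula.com:443 200",
    "2024-06-01T10:00:02Z 10.0.0.5 GET https://www.microsoft.com/en-us/ 200",
    "2024-06-01T10:00:03Z 10.0.0.7 GET https://credit-agricole.webdav.innov-eula.com/ 200",
    "2024-06-01T10:00:04Z 10.0.0.9 GET https://innov-eula.com.example.org/ 200",
    "2024-06-01T10:00:05Z 10.0.0.5 GET https://c2.innov-eula.com/feibfiuzbdofinza 200",
]

if __name__ == "__main__":
    for folder in default_startup_folders() + [build_demo_startup_folder()]:
        for finding in scan_startup_folder(folder):
            print("STARTUP:", finding)
    for hit in match_network_log(SAMPLE_PROXY_LOG):
        print("NETWORK IOC:", hit)
```

Run it on a Windows host to sweep the real Startup folders; feed `match_network_log` exported proxy or DNS logs. A hash match against the real sweep is confirmation; a name-pattern hit or any unexpected `.bat`/`.ps1` in Startup is a lead that still needs the file pulled and examined.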
Full Research: https://cyble.com/blog/dissecting-a-multi-stage-powershell-campaign-using-chisel/