Updated: 2024-11-22 03:13:33 Pacfic
Sophisticated Multi-Stage PowerShell Campaign Leverages Chisel for Covert Operations - 9d
Cyble Research and Intelligence Lab (CRIL) has uncovered a sophisticated attack campaign employing PowerShell in a multi-stage infection process. The campaign starts with a malicious LNK (shortcut) file that triggers the execution of an obfuscated PowerShell script designed to download and execute additional malicious payloads. This layered approach increases stealth, evades detection, and ensures persistent access to the targeted system. The first stage of the attack involves the LNK file running a remote PowerShell script that establishes persistence by deploying and executing a secondary PowerShell script and batch files. This second-stage script maintains communication with the command-and-control (C&C) server and executes a third-stage PowerShell script. The final stage involves the third PowerShell script sending requests for command chains and executing received commands as directed by the C&C server. The analysis reveals the presence of a Chisel DLL on the remote server, suggesting that the threat actor (TA) leverages the Chisel client for advanced operations, including establishing a SOCKS proxy and facilitating lateral movement within the compromised network.
References:
- arcticwolf.com - Harnessing Chisel for Covert Operations: Dissecting a Multi-Stage PowerShell Campaign - 9d
- attack.mitre.org - Harnessing Chisel for Covert Operations: Dissecting a Multi-Stage PowerShell Campaign - 9d
- github.com - Harnessing Chisel for Covert Operations: Dissecting a Multi-Stage PowerShell Campaign - 9d
- Malware Archives - New PowerShell Threat: Infiltrating Networks with Advanced Techniques - 9d
Classification:
- HashTags: PowerShell Chisel Malware
- Target: Network
- Product: PowerShell
- Feature: Chisel
- Type: Malware
- Severity: Major