The Cyble Research and Intelligence Lab (CRIL) has recently uncovered a sophisticated multi-stage infection chain, primarily driven by PowerShell scripts. This campaign, which targets organizations through a variety of attack vectors, has been designed to maintain persistence, bypass security measures, and enable further malicious activities.
One of the most interesting findings from this analysis is the utilization of the Chisel tunneling tool, which plays a crucial role in the adversary’s lateral movement and command-and-control (C&C) operations.
Key Takeaways from the PowerShell Campaign
CRIL’s in-depth investigation into this PowerShell-based attack revealed an intricate multi-stage infection process, beginning with a seemingly innocuous LNK file. Once executed, this LNK file triggers the first in a series of obfuscated PowerShell scripts that download additional malicious payloads. Each stage of the infection builds on the last, with the ultimate goal of enabling the threat actor (TA) to maintain a foothold on the compromised system and network.
The use of PowerShell scripts in this campaign highlights the threat actor’s proficiency in leveraging native Windows tools to execute complex attack strategies while evading detection. Additionally, the discovery of a Chisel DLL file suggests that the TA is also using this tool to establish covert tunneling connections, allowing them to bypass firewalls and infiltrate protected internal networks.
The Multi-Stage PowerShell Campaign
The attack begins with a malicious LNK (Windows shortcut) file that serves as the initial infection vector. While the exact delivery mechanism of the LNK file is unclear, once executed, it triggers a PowerShell script that begins the infection process. This script, which is obfuscated to avoid detection, downloads and executes a secondary PowerShell script from a remote server. The aim of this first-stage script is to establish persistence on the victim’s system by setting up further malicious payloads.
Once the first PowerShell script is executed, it drops a second-stage PowerShell script along with several batch files designed to ensure that the infection persists even after a system reboot. The second-stage script maintains communication with the attacker’s C&C server, allowing it to fetch the third and final stage of the infection.
The third-stage PowerShell script is the most complex, continuously communicating with the C&C server to receive a chain of commands. These commands can be used to perform various malicious activities, including data exfiltration, lateral movement within the network, and further payload deployment.
PowerShell and Obfuscation Techniques
A critical component of this attack is the use of PowerShell as the primary tool for executing the attack chain. PowerShell’s powerful capabilities allow the adversary to bypass traditional security mechanisms and remain stealthy. The first PowerShell script, for instance, sets the execution policy to “Bypass,” which allows it to run without being blocked by standard Windows defenses. Additionally, the script is executed in hidden mode, making it invisible to the user.
Second and Third Stages of the Attack
The second-stage PowerShell script maintains communication with the C&C server to retrieve additional malicious payloads. Like the first stage, it decodes and executes these scripts, continuing the infection chain.
In the third stage, the PowerShell script operates with greater complexity. It sets up variables to control its interaction with the C&C server, including $CHAIN for tracking the communication status and $JITTER to introduce random delays to avoid detection by security systems. The script also continues to retrieve system information, such as the hostname, which it Base64-encodes before using it to establish a connection with the server.
At this stage, the script can receive and execute a series of commands from the C&C server. If the command is not a “WAIT” instruction, the script executes the provided PowerShell code. The communication between the infected system and the C&C server is designed to be persistent and stealthy, with data being transferred in small chunks to evade detection by traditional security measures.
Leveraging Chisel for Covert Operations
An intriguing aspect of this campaign is the use of Chisel, a fast TCP/UDP tunneling tool that allows the attacker to establish a secure communication channel over HTTP and bypass firewall restrictions. Chisel is commonly used by threat actors to enable lateral movement within compromised networks and maintain persistence even when traditional communication channels are blocked.
CRIL’s analysis found a Chisel DLL file on the infected system, suggesting that the TA may use Chisel for establishing a tunnel between the compromised machine and the C&C server. This tunnel allows the attacker to communicate with internal systems that are otherwise shielded from external access.
The Chisel tool can be used for a variety of malicious purposes. One of the primary functions is to scan internal networks for additional vulnerable systems. By deploying the Chisel client on a compromised machine, the TA can use it as a SOCKS proxy to bypass network defenses and perform reconnaissance using tools like Nmap.
Once internal systems are identified, the attacker can use Chisel to create a tunnel that enables them to move laterally across the network, gaining access to systems that were previously isolated. Furthermore, the Chisel client allows the attacker to enable internet access for machines that may otherwise be disconnected, enabling them to download additional payloads and maintain control over the compromised network.
Proxying and Evasion Techniques
The campaign also utilizes the Netskope proxy, which helps the attacker obfuscate their C&C communication. By routing traffic through the Netskope proxy, the TA can evade detection by traditional network defenses, such as firewalls and intrusion detection systems. This proxy-based communication provides a flexible and secure method for the TA to interact with the infected network and maintain control over the compromised systems.
The use of Chisel in combination with the Netskope proxy allows the attacker to bypass firewalls, scan internal systems, and exfiltrate data without being detected. This multi-layered approach makes it extremely difficult for defenders to identify and block the attack, as it leverages legitimate tools and proxies to hide malicious activity.
