A sophisticated multi-stage PowerShell campaign has been identified that uses an LNK file to initiate a sequence of obfuscated scripts. The attack maintains persistence and stealth while communicating with a command-and-control (C&C) server. It employs Chisel, a fast TCP/UDP tunneling tool, together with a Netskope proxy for covert communication, enabling lateral movement within compromised networks. The campaign involves three stages of PowerShell scripts, each with a specific function: establishing persistence, communicating with the C&C server, and executing received commands. The presence of a Chisel DLL suggests advanced threat actor tactics aimed at prolonged control and evasion, indicating a highly organized or financially motivated operation.
Author: AlienVault
Related Tags:
multi-stage
lateral movement
command-and-control
LNK file
T1547.001
T1059.001
persistence
T1071.001
powershell
Associated Indicators:
A31F222FC283227F5E7988D1AD9C0AECD66D58BB7B4D8518AE23E110308DBF91
0E2263D4F239A5C39960FFA6B6B688FAA7FC3075E130FE0D4599D5B95EF20647
0169283F9DF2D7BA84516B3CCE50D93DBB6445CC6B2201459FA8A2BC3E319EA3
6332D328A6DDAA8F0C1B3353EE044DF18E7867D80A0558823480BD17C14A24BC
8E812BB7FDE8C451D2A5EFC1A303F2512804F87F041B1AFE2D20046D36E64830
6C7636E21311A2C5AB024599060D468E03D8975096C0EB923048AD89F372469E
319BECA16C766F5B9F8CC4BA25F0B99F1B4769D119EB74DFD694D3F49A23A5B9
E6D06BB9AFAEB8AA80E62E76A26C7CFFD14497F6
BCFAC98117D9A52A3196A7BD041B49D5FF0CFB8C