Dissecting A Multi-Stage PowerShell Campaign Using Chisel
Essential information
- Published
- 12/11/2024 12:30
- Modified
- 12/11/2024 15:56
- Tags
- 2024-11-12, chisel, command and control, lateral movement, lnk file, multi-stage, persistence, powershell
- Related entities
- 17 observables, 4 techniques (mitre), 1 malware
Description
A sophisticated multi-stage PowerShell campaign has been identified, utilizing an LNK file to initiate a sequence of obfuscated scripts. The attack maintains persistence and stealth by connecting with a command-and-control server. It employs Chisel, a fast TCP/UDP tunneling tool, and a Netskope proxy for covert communication, enabling lateral movement within compromised networks. The campaign involves three stages of PowerShell scripts, each with specific functions to establish persistence, communicate with the C&C server, and execute received commands. The presence of a Chisel DLL suggests advanced threat actor tactics aimed at prolonged control and evasion, indicating a highly organized or financially motivated operation.
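As an added illustration of how a defender could surface the chain summarised above (an LNK-launched, obfuscated PowerShell stager that later starts a Chisel tunnel), the following Python triage routine is not part of the report and not code from the analysis it describes. It assumes Sysmon-style process-creation events (pid, parent pid, image, command line); every sample event, the `chisel.dll` invocation via rundll32, the placeholder base64 and the IP address are constructed for the example. The PowerShell flag indicators and the `R:...` remote syntax are generic; the rules require two or more stager indicators on one command line so that a single `-NoProfile` on an administrative script does not fire.

```python
"""Triage of process-creation telemetry for an LNK-launched PowerShell stager
that later starts a Chisel-style tunnel. All events below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    severity: str


# Constructed sample events (Sysmon Event ID 1 style); none come from the report.
# 100 explorer -> 200 stager (4 indicators) -> 300 stage 2 (1 indicator)
# -> 400 rundll32 loading an assumed chisel.dll; 500/600 are benign controls.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -Ep Bypass -EncodedCommand <constructed-base64>"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -W Hidden -File C:\\Users\\Public\\stage2.ps1"),
    ProcEvent(400, 300, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe C:\\Users\\Public\\chisel.dll,Run client 198.51.100.20:443 R:socks"),
    ProcEvent(500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcEvent(600, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"),
]

# Stager-style flags: hidden window, bypassed execution policy, no profile,
# encoded script body. Each alternative is one indicator.
PS_INDICATORS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass"
    r"|-no(?:p|profile)\b|-e(?:nc|ncodedcommand)\b",
    re.IGNORECASE,
)
# Chisel client remotes look like `R:socks`, `R:1080:socks` or `R:3389:host:3389`.
# Matching the name "chisel" is an assumed, easily renamed indicator.
TUNNEL_INDICATORS = re.compile(
    r"chisel|\bR:(?:\d+:)?(?:socks|[\w.-]+:\d+)\b", re.IGNORECASE)


def is_powershell(ev: ProcEvent) -> bool:
    name = ev.image.rsplit("\\", 1)[-1].lower()
    return name in ("powershell.exe", "pwsh.exe")


def suspicious_powershell(ev: ProcEvent) -> bool:
    """Two or more stager indicators on one PowerShell command line."""
    return is_powershell(ev) and len(PS_INDICATORS.findall(ev.cmdline)) >= 2


def ancestors(ev: ProcEvent, by_pid: dict):
    """Walk the parent chain, guarding against pid reuse cycles."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def analyse(events: list) -> list:
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if suspicious_powershell(ev):
            parent = by_pid.get(ev.ppid)
            # explorer.exe as parent is what a double-clicked LNK looks like in
            # process telemetry, so weight that case higher.
            from_shell = parent is not None and parent.image.lower().endswith("explorer.exe")
            alerts.append(Alert("suspicious_powershell", ev.pid, "high" if from_shell else "medium"))
        if TUNNEL_INDICATORS.search(ev.cmdline):
            # Tie the tunnel back to any flagged stager anywhere up the tree,
            # even through an unflagged intermediate stage.
            staged = any(suspicious_powershell(a) for a in ancestors(ev, by_pid))
            if staged:
                alerts.append(Alert("chisel_tunnel_after_powershell_stager", ev.pid, "critical"))
            else:
                alerts.append(Alert("tunnel_process", ev.pid, "high"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

The ancestor walk is what links the three stages: the second-stage PowerShell carries only one indicator and is not alerted on by itself, yet the tunnel started beneath it is still escalated to critical because a flagged stager sits further up the tree.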