{
  "name": "Dissecting A Multi-Stage PowerShell Campaign Using Chisel",
  "slug": "dissecting-a-multi-stage-powershell-campaign-using-chisel",
  "description": "A sophisticated multi-stage PowerShell campaign has been identified, using an LNK file to initiate a sequence of obfuscated scripts. The attack maintains persistence and stealth by connecting to a command-and-control server. It employs Chisel, a fast TCP/UDP tunneling tool, and a Netskope proxy for covert communication, enabling lateral movement within compromised networks. The campaign involves three stages of PowerShell scripts, each with specific functions to establish persistence, communicate with the C&C server, and execute received commands. The presence of a Chisel DLL suggests advanced threat actor tactics aimed at prolonged control and evasion, indicating a highly organized or financially motivated operation.",
  "published": "2024-11-12T11:30:07+00:00",
  "created_at": "2024-11-12T11:30:07+00:00",
  "modified_at": "2024-11-12T14:56:48+00:00",
  "created_at_opencti": "2024-11-12T11:30:07+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-11-12",
    "chisel",
    "command and control",
    "lateral movement",
    "lnk file",
    "multi-stage",
    "persistence",
    "powershell"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "163.116.128.80"
      },
      {
        "id": "",
        "name": "https://ligolo.innov-eula.com"
      },
      {
        "id": "",
        "name": "https://c2.innov-eula.com/feibfiuzbdofinza"
      },
      {
        "id": "",
        "name": "https://credit-agricole.webdav.innov-eula.com/"
      },
      {
        "id": "",
        "name": "https://c2.innov-eula.com"
      },
      {
        "id": "",
        "name": "ligolo.innov-eula.com"
      },
      {
        "id": "",
        "name": "credit-agricole.webdev.innov-eula.com"
      },
      {
        "id": "",
        "name": "credit-agricole.webdav.innov-eula.com"
      },
      {
        "id": "",
        "name": "c2.innov-eula.com"
      },
      {
        "id": "",
        "name": "8e812bb7fde8c451d2a5efc1a303f2512804f87f041b1afe2d20046d36e64830"
      },
      {
        "id": "",
        "name": "6c7636e21311a2c5ab024599060d468e03d8975096c0eb923048ad89f372469e"
      },
      {
        "id": "",
        "name": "6332d328a6ddaa8f0c1b3353ee044df18e7867d80a0558823480bd17c14a24bc"
      },
      {
        "id": "",
        "name": "319beca16c766f5b9f8cc4ba25f0b99f1b4769d119eb74dfd694d3f49a23a5b9"
      },
      {
        "id": "",
        "name": "0169283f9df2d7ba84516b3cce50d93dbb6445cc6b2201459fa8a2bc3e319ea3"
      },
      {
        "id": "",
        "name": "c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0"
      },
      {
        "id": "",
        "name": "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91"
      },
      {
        "id": "",
        "name": "0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:0ffdd6d2c979f0f8",
        "name": "Chisel",
        "slug": "chisel"
      }
    ],
    "attack_patterns": [
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ]
  },
  "external_refs": [
    "https://cyble.com/blog/dissecting-a-multi-stage-powershell-campaign-using-chisel/",
    "https://otx.alienvault.com/pulse/67334a4fa9e1d8d489e1738f"
  ]
}