New PowerShell Threat: Infiltrating Networks with Advanced Techniques

PowerShell Campaign
De-obfuscated Initial PowerShell Script | Image: CRIL

In a recent discovery, Cyble Research and Intelligence Lab (CRIL) detailed a complex, multi-stage PowerShell campaign that employs several advanced techniques to infiltrate networks, maintain persistence, and enable covert communications. According to CRIL, this campaign “begins with a malicious LNK file that triggers the execution of a first-stage remote PowerShell script,” which then establishes persistence on the victim’s system by initiating a sequence of scripts to maintain communication with a command-and-control (C&C) server.

The infection chain, orchestrated through PowerShell, progresses across three stages. The first script creates hidden directories, bypasses Windows security policies, and retrieves the machine’s proxy settings to ensure uninterrupted communication with the C&C server. CRIL notes that “the PowerShell command uses techniques to bypass Windows security mechanisms, such as setting the PowerShell execution policy to ‘Bypass’” to evade detection. In later stages, the scripts introduce random delays and deploy obfuscation techniques to mask their activities, a move designed to fool security monitoring systems.

A key highlight of this campaign is the use of Chisel, a tunneling tool commonly leveraged by cyber actors for lateral movement within networks. According to CRIL, “Chisel has been widely adopted by various threat actorsenabling them to pivot into compromised environments with stealth and efficiency.” By utilizing Chisel, the threat actor (TA) establishes a SOCKS proxy on compromised machines, allowing them to scan internal networks, access otherwise protected systems, and even provide isolated machines with external connectivity to facilitate further malicious downloads.

In addition to Chisel, the campaign’s ability to route traffic through a Netskope proxy obscures C&C traffic, making it “difficult for security teams to identify and block malicious C&C traffic.” Through this sophisticated setup, attackers gain a hidden, flexible pathway into internal networks.

Related Posts: