Attackers are exploiting vulnerable IIS servers to install the BadIIS malware, which is then used to manipulate SEO and redirect users to malicious websites.
Tag: T1059.001
Hunting 4 PhantomCore RAT
The attacker is using spearphishing emails with malicious attachments to deliver malware, which then establishes a command-and-control channel and collects system information.
The Bear and the Shell
T1566.001 – Procedure: The adversary sent spearphishing emails to individuals and organizations critical of the Russian government, using lures such as NASA job offers and articles from independent Russian media outlets. The emails contained malicious ZIP files with LNK files disguised as PDFs. When opened, these executed a PowerShell script to install a reverse shell.
T1059.001 – Procedure: The LNK file, when opened, executes a PowerShell script that decodes and executes a Base64-encoded command. This command downloads and installs the HTTP-Shell, a multiplatform reverse shell.
T1036 – Procedure: The adversary used a NASA-themed lure and designed the command-and-control server to resemble a legitimate PDF editing site to avoid detection.
T1071.001 – Procedure: The HTTP-Shell uses web protocols (HTTP) to communicate with the command-and-control server, enabling the adversary to send commands and receive data.
T1041 – Procedure: The HTTP-Shell allows the adversary to upload and download files, likely facilitating the exfiltration of data from the victim’s machine over the established command-and-control channel.
Campaign against Russian Opposition
The attacker may use phishing emails with malicious attachments to deliver and execute a malicious tool, such as a reverse shell, on the victim’s machine. The tool will likely use web protocols to communicate with the attacker’s C2 server.
Harnessing Chisel for Covert Operations
The attacker utilizes Chisel, a tunneling tool, to establish a covert communication channel with the C2 server over HTTP. This allows them to bypass firewalls and security measures that might detect traditional C2 traffic.