Attacker establishes persistent access to French business using OpenSSH and Tailscale

A French-speaking attacker, known as "Poisson," targeted a small French automotive business, successfully compromising four machines despite exhibiting novice-level tradecraft. The operation, meticulously documented by Cato Networks, highlights a critical security gap where disabling command-and-control servers does not guarantee an attacker's removal if alternative persistent access methods are established, as reported by The Hacker News.

The attacker utilized a multi-stage in-memory malware chain, including a VBScript stager, a PowerShell loader, and Havoc's Demon agent, to gain initial access. To ensure persistence, "Poisson" escalated privileges using a visible UAC prompt and established a scheduled task with the highest privileges. A keylogger was deployed to capture banking and email credentials. The most significant aspect of the attack was the attacker's installation of OpenSSH Server and Tailscale on a victim's machine, creating a covert access channel independent of the command-and-control server. Even after the Havoc infrastructure went offline, the attacker maintained access through this separate, encrypted mesh network.

This tactic, combined with legitimate tools like RustDesk for a backup channel, underscores the challenge of detecting and remediating threats that leverage authorized software for malicious purposes.
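The persistence sequence described above (elevate via a highest-privilege scheduled task, then install OpenSSH Server, Tailscale or RustDesk as an access path that outlives the C2 server) is something a defender can hunt for in endpoint logs. The following is an added example, not code from Cato Networks or the original report: it correlates constructed Windows service-install (7045) and scheduled-task-creation (4698) events per host, and flags any host that gains a remote-access service shortly after an elevated task. Hostnames, task names and the default service names assumed for the three tools are all assumptions.

```python
from datetime import datetime, timedelta

# Remote-access services whose unexpected install on a workstation warrants review.
# The service names are the defaults those installers register (assumed here).
REMOTE_ACCESS_SERVICES = {"sshd": "OpenSSH Server", "Tailscale": "Tailscale", "RustDesk": "RustDesk"}

# Constructed sample events, modelled on Windows System 7045 (service installed)
# and Security 4698 (scheduled task created). Hosts, users and task names are made up.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:12:00", "host": "WS-ACCT-02", "event_id": 4698,
     "task": "\\UpdaterCheck", "run_level": "HighestAvailable", "user": "jdupont"},
    {"ts": "2024-03-01T09:14:30", "host": "WS-ACCT-02", "event_id": 7045,
     "service": "sshd", "image": "C:\\Windows\\System32\\OpenSSH\\sshd.exe"},
    {"ts": "2024-03-01T09:16:05", "host": "WS-ACCT-02", "event_id": 7045,
     "service": "Tailscale", "image": "C:\\Program Files\\Tailscale\\tailscaled.exe"},
    {"ts": "2024-03-01T11:40:00", "host": "WS-IT-01", "event_id": 7045,
     "service": "Tailscale", "image": "C:\\Program Files\\Tailscale\\tailscaled.exe"},
    {"ts": "2024-03-02T08:00:00", "host": "WS-SALES-03", "event_id": 4698,
     "task": "\\Backup", "run_level": "LeastPrivilege", "user": "mleroy"},
]

def find_covert_access_installs(events, window=timedelta(hours=1)):
    """Return one finding per host that installed a remote-access service.

    Severity is 'high' when the first such install follows a scheduled task
    created with run level HighestAvailable on the same host within `window`,
    i.e. the elevate-then-persist sequence from the report; otherwise 'medium'
    (a lone Tailscale or sshd install on a workstation still deserves a look).
    """
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_host.setdefault(e["host"], []).append(e)
    findings = []
    for host, evs in by_host.items():
        installed = [e for e in evs
                     if e["event_id"] == 7045 and e.get("service") in REMOTE_ACCESS_SERVICES]
        if not installed:
            continue
        first = datetime.fromisoformat(installed[0]["ts"])
        elevated_tasks = [e for e in evs
                          if e["event_id"] == 4698 and e.get("run_level") == "HighestAvailable"
                          and first - window <= datetime.fromisoformat(e["ts"]) <= first]
        findings.append({
            "host": host,
            "tools": [REMOTE_ACCESS_SERVICES[e["service"]] for e in installed],
            "preceding_elevated_tasks": [e["task"] for e in elevated_tasks],
            "severity": "high" if elevated_tasks else "medium",
        })
    return findings
```

Feed it real 7045/4698 exports in the same field layout and every host that quietly gained sshd, tailscaled or RustDesk will surface, whether or not the C2 server that delivered them is still reachable.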

Source: The Hacker News
