Recent cybersecurity research from Unit 42, Palo Alto Networks’ threat intelligence team, has uncovered a sophisticated cybercriminal operation targeting financial organizations across Africa.
Dubbed CL-CRI-1014, this threat cluster has been active since at least July 2023, leveraging a blend of open-source and publicly available tools to infiltrate networks, establish persistence, and ultimately sell access to compromised systems on the dark web.
At the heart of these attacks is a consistent playbook involving three primary tools: PoshC2, Chisel, and Classroom Spy.
PoshC2, an open-source attack framework, provides attackers with a flexible platform for executing commands, deploying implants, and maintaining control over compromised environments.
The attackers have been observed using both PowerShell and C# implants, with some payloads packed using a Nim-based packer to evade detection.
Notably, these packed implants are designed to execute only on machines joined to an Active Directory domain, likely as an anti-analysis measure.
Chisel, another open-source tool, is employed as a tunneling utility to bypass network controls such as firewalls.
By establishing a SOCKS proxy between the victim’s machine and the attacker’s server, Chisel enables stealthy exfiltration and command-and-control (C2) communications.
This technique allows attackers to route traffic through the compromised machine, effectively masking their true location and activities.
From Remote Administration to Full-Scale Surveillance
The attackers have also incorporated Classroom Spy, a legitimate remote administration tool typically used in educational environments, into their arsenal.
Classroom Spy offers a comprehensive range of surveillance capabilities, including live screen monitoring, keylogging, file collection and deployment, web activity logging, and even access to audio and camera recordings.
To avoid detection, the threat actors often rename Classroom Spy binaries to mimic legitimate system processes, such as “systemsvc.exe,” “vm3dservice.exe,” or “vmtoolsd.exe.”
Installation is typically facilitated via PowerShell scripts that extract and install the software as a service.
To further evade security controls, the attackers forge file signatures and utilize icons from well-known software vendors, including Microsoft, Cortex, and VMware.
This impersonation tactic helps their malicious tools blend in with legitimate applications, making detection more challenging for security teams.
Persistence is established through multiple methods, including creating services, placing shortcuts in the Startup folder, and setting up scheduled tasks, often disguised as legitimate system updates or services.
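The detection points in this section (process names copied from legitimate software, forged or missing signatures, persistence entries disguised as updates or services) can be turned into a simple triage pass over a host inventory. The following script is an added example, not code from Unit 42 or from the report; the inventory rows are constructed for illustration, and the expected install directories and signing publishers for the impersonated names are assumptions made here. On a real host the rows would be assembled from commands such as Get-Process, Get-CimInstance Win32_Service, Get-ScheduledTask and Get-AuthenticodeSignature.

```python
"""Triage a host inventory for binaries masquerading as well-known process names.

Added example. Inventory rows are constructed here; the expected directories and
signers in EXPECTED are assumptions, not values taken from the report.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Names the report says Classroom Spy binaries were renamed to, mapped to the
# directories the genuine binary is expected in and the publisher expected to
# sign it (assumed for this example; paths are compared case-insensitively).
EXPECTED = {
    "vmtoolsd.exe": (
        {r"c:\program files\vmware\vmware tools"}, {"VMware, Inc."}),
    "vm3dservice.exe": (
        {r"c:\program files\vmware\vmware tools", r"c:\windows\system32"}, {"VMware, Inc."}),
    # No standard Windows or vendor binary carries this name: any instance deserves a look.
    "systemsvc.exe": (set(), set()),
}

# Path fragments a "system update" service, task or Startup shortcut would not
# normally launch from (heuristic chosen for this example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class Artifact:
    kind: str                 # "process", "service", "scheduled_task" or "startup_shortcut"
    name: str                 # display name of the process, service, task or shortcut
    image: str                # full path of the executable it runs
    signer: Optional[str]     # Authenticode subject, None if unsigned
    signature_valid: bool = False


def assess(a: Artifact) -> List[str]:
    """Return human-readable findings for one artifact (empty list if it looks benign)."""
    findings = []
    path = PureWindowsPath(a.image)
    base = path.name.lower()
    parent = str(path.parent).lower()

    # Rule 1: impersonated names must come from the expected directory and signer.
    if base in EXPECTED:
        dirs, signers = EXPECTED[base]
        if not dirs:
            findings.append(f"{base}: no legitimate counterpart for this name")
        elif parent not in dirs:
            findings.append(f"{base}: launched from unexpected directory {path.parent}")
        if dirs and (not a.signature_valid or a.signer not in signers):
            findings.append(f"{base}: signature invalid or not from expected publisher")

    # Rule 2: persistence entries named like system components but pointing into
    # user-writable locations match the "disguised as updates or services" pattern.
    if a.kind != "process":
        lowered = a.name.lower()
        if ("update" in lowered or "service" in lowered) and any(
                seg in a.image.lower() for seg in USER_WRITABLE):
            findings.append(
                f"{a.kind} '{a.name}' named like a system component but runs from a user-writable path")
    return findings


def triage(inventory: List[Artifact]) -> List[Tuple[str, str, List[str]]]:
    """Return (kind, name, findings) for every artifact with at least one finding."""
    return [(a.kind, a.name, f) for a in inventory if (f := assess(a))]


# Constructed sample inventory: one genuine VMware Tools process, one copy of the
# same name dropped into a public folder, one disguised service, one benign task.
SAMPLE_INVENTORY = [
    Artifact("process", "vmtoolsd.exe",
             r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe", "VMware, Inc.", True),
    Artifact("process", "vmtoolsd.exe",
             r"C:\Users\Public\vmtoolsd.exe", "VMware, Inc.", False),
    Artifact("service", "Windows Update Helper",
             r"C:\ProgramData\Updater\systemsvc.exe", None, False),
    Artifact("scheduled_task", "Adobe Acrobat Update Task",
             r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe", "Adobe Inc.", True),
]

if __name__ == "__main__":
    for kind, name, findings in triage(SAMPLE_INVENTORY):
        print(f"[{kind}] {name}")
        for line in findings:
            print("   -", line)
```

Only the second and third constructed rows produce findings: the misplaced vmtoolsd.exe is flagged for its directory and its invalid signature, and the "Windows Update Helper" service is flagged both because systemsvc.exe has no legitimate counterpart and because it launches from ProgramData. Feeding the script a real inventory is a matter of filling Artifact rows from the host tools named above; the signer check only means something if signature_valid reflects an actual chain validation rather than the presence of a signature block, which is exactly the distinction a forged signature is meant to blur.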
Protecting Against Advanced Cyber Threats
The CL-CRI-1014 cluster’s operations highlight the growing trend of cybercriminals acting as initial access brokers, specialists who gain network access and sell it to other threat actors.
To counter these threats, organizations are advised to enhance their threat hunting and defensive strategies.

Key recommendations include monitoring for the use of PoshC2, Chisel, and Classroom Spy, scrutinizing file signatures and process names, and leveraging advanced threat intelligence services.
Palo Alto Networks customers benefit from updated protections in Cortex XDR, XSIAM, Advanced WildFire, and Advanced URL/DNS Security, which have been tailored to detect and block the indicators of compromise (IoCs) associated with this activity.
Additionally, the Unit 42 Deep and Dark Web Service provides visibility into emerging risks, helping organizations respond more quickly to potential breaches.
As cybercriminals continue to refine their tactics, staying informed and proactive is essential for safeguarding critical infrastructure and sensitive data.
Organizations are encouraged to contact incident response teams and share threat intelligence in order to collectively disrupt malicious actors targeting the financial sector and beyond.
Indicators of Compromise
SHA256 Hashes for PoshC2 (Packed)
- 3bbe3f42857bbf74424ff4d044027b9c43d3386371decf905a4a1037ad468e2c
- 9149ea94f27b7b239156dc62366ee0f85b0497e1a4c6e265c37bedd9a7efc07f
SHA256 Hashes for Chisel
- bc8b4f4af2e31f715dc1eb173e53e696d89dd10162a27ff5504c993864d36f2f
- 9a84929e3d254f189cb334764c9b49571cafcd97a93e627f0502c8a9c303c9a4
SHA256 Hashes for Classroom Spy Files
- 831d98404ce5e3e5499b558bb653510c0e9407e4cb2f54157503a0842317a363
- f5614dc9f91659fb956fd18a5b81794bd1e0a0de874b705e11791ae74bb2e533