Recent cybersecurity research from Unit 42, Palo Alto Networks’ threat intelligence team, has uncovered a sophisticated cybercriminal operation targeting financial organizations across Africa.
Dubbed CL-CRI-1014, this threat cluster has been active since at least July 2023, leveraging a blend of open-source and publicly available tools to infiltrate networks, establish persistence, and ultimately sell access to compromised systems on the dark web.
At the heart of these attacks is a consistent playbook involving three primary tools: PoshC2, Chisel, and Classroom Spy.
PoshC2, an open-source attack framework, provides attackers with a flexible platform for executing commands, deploying implants, and maintaining control over compromised environments.
The attackers have been observed using both PowerShell and C# implants, with some payloads packed using a Nim-based packer to evade detection.
Notably, these packed implants are designed to execute only on machines joined to an Active Directory domain, likely as an anti-analysis measure.
Chisel, another open-source tool, is employed as a tunneling utility to bypass network controls such as firewalls.
By establishing a SOCKS proxy between the victim’s machine and the attacker’s server, Chisel enables stealthy exfiltration and command-and-control (C2) communications.
This technique allows attackers to route traffic through the compromised machine, effectively masking their true location and activities.
The attackers have also incorporated Classroom Spy, a legitimate remote administration tool typically used in educational environments, into their arsenal.
Classroom Spy offers a comprehensive range of surveillance capabilities, including live screen monitoring, keylogging, file collection and deployment, web activity logging, and even access to audio and camera recordings.
To avoid detection, the threat actors often rename Classroom Spy binaries to mimic legitimate system processes, such as “systemsvc.exe,” “vm3dservice.exe,” or “vmtoolsd.exe.”
Installation is typically facilitated via PowerShell scripts that extract and install the software as a service.
To further evade security controls, the attackers forge file signatures and utilize icons from well-known software vendors, including Microsoft, Cortex, and VMware.
This impersonation tactic helps their malicious tools blend in with legitimate applications, making detection more challenging for security teams.
Persistence is established through multiple methods, including creating services, placing shortcuts in the Startup folder, and setting up scheduled tasks, often disguised as legitimate system updates or services.
The CL-CRI-1014 cluster’s operations highlight the growing trend of cybercriminals acting as initial access brokers, specialists who gain network access and sell it to other threat actors.
To counter these threats, organizations are advised to enhance their threat hunting and defensive strategies.
Key recommendations include monitoring for the use of PoshC2, Chisel, and Classroom Spy, scrutinizing file signatures and process names, and leveraging advanced threat intelligence services.
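The renaming, forged-signature and persistence tradecraft described above maps directly onto a small set of hunting rules: compare the on-disk file name with the PE OriginalFilename, verify the Authenticode signature rather than trusting the claimed publisher, check that a well-known binary runs from its expected path, and tie service, scheduled-task and Startup-shortcut registrations back to the binary they launch. The block below is an added example of such rules, not Unit 42's detection logic or any product's query language; the `Event` fields, the expected VMware Tools path and all sample records are constructed assumptions for illustration.

```python
"""Hunting rules for the impersonation and persistence tradecraft described
above: Classroom Spy binaries renamed to look like system or VMware processes,
forged signatures, and persistence via services, Startup shortcuts and scheduled
tasks. Added example; the telemetry records and field names below are
constructed for illustration and are not a real product's schema."""
from dataclasses import dataclass

# Decoy file names the report says the renamed Classroom Spy binaries used.
DECOY_NAMES = {"systemsvc.exe", "vm3dservice.exe", "vmtoolsd.exe"}

# Where the genuine binary normally lives (assumption: default VMware Tools path).
EXPECTED_PATHS = {
    "vmtoolsd.exe": r"c:\program files\vmware\vmware tools\vmtoolsd.exe",
}

PERSISTENCE_KINDS = {"service", "scheduled_task", "startup_shortcut"}


@dataclass
class Event:
    kind: str                    # "process" or one of PERSISTENCE_KINDS
    image: str                   # full path of the executable that ran / is registered
    original_filename: str = ""  # OriginalFilename from the PE version resource
    signer: str = ""             # subject of the Authenticode signature, "" if unsigned
    signature_valid: bool = False
    name: str = ""               # service / task / shortcut name for persistence events


def file_name(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(ev: Event) -> list[str]:
    """Return the indicators for one event (empty list = nothing to flag).

    A decoy name on its own is not enough: every VMware guest runs a real
    vmtoolsd.exe. It only adds context once a stronger mismatch is present.
    """
    name = file_name(ev.image)
    reasons = []
    if ev.original_filename and ev.original_filename.lower() != name:
        reasons.append(
            f"on-disk name {name} differs from PE OriginalFilename {ev.original_filename}")
    if ev.signer and not ev.signature_valid:
        reasons.append(f"signature attributed to {ev.signer!r} does not verify")
    expected = EXPECTED_PATHS.get(name)
    if expected and ev.image.lower() != expected:
        reasons.append(f"{name} running from {ev.image} instead of {expected}")
    if reasons and name in DECOY_NAMES:
        reasons.append(f"{name} is one of the decoy names seen in this campaign")
    if reasons and ev.kind in PERSISTENCE_KINDS:
        reasons.append(f"persistence via {ev.kind} {ev.name!r} points at this binary")
    return reasons


def hunt(events: list[Event]) -> dict[str, list[str]]:
    """Map each flagged image path to its reasons; clean events are omitted."""
    return {ev.image: r for ev in events if (r := assess(ev))}


# Constructed telemetry: two benign records and two modelled on the report.
SAMPLE_EVENTS = [
    Event("process", r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
          original_filename="vmtoolsd.exe", signer="VMware, Inc.", signature_valid=True),
    Event("scheduled_task", r"C:\Windows\System32\svchost.exe",
          original_filename="svchost.exe", signer="Microsoft Windows",
          signature_valid=True, name="SystemSoundsService"),
    Event("process", r"C:\ProgramData\Updates\vmtoolsd.exe",
          original_filename="ClassroomSpy.exe",  # constructed value, not the real one
          signer="Microsoft Corporation", signature_valid=False),
    Event("service", r"C:\Windows\Temp\systemsvc.exe",
          original_filename="ClassroomSpy.exe",  # constructed; binary is unsigned
          name="WindowsUpdateSvc"),
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Run on the constructed records, only the two impostors are reported: the genuine `vmtoolsd.exe` passes every check, and the decoy-name rule alone never fires, which keeps the rule set usable on a fleet of VMware guests. In production the same fields come from EDR process-creation and service-install telemetry, and the OriginalFilename comparison is the cheapest of the four checks to add to an existing query.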
Palo Alto Networks customers benefit from updated protections in Cortex XDR, XSIAM, Advanced WildFire, and Advanced URL/DNS Security, which have been tailored to detect and block the indicators of compromise (IoCs) associated with this activity.
Additionally, the Unit 42 Deep and Dark Web Service provides visibility into emerging risks, helping organizations respond more quickly to potential breaches.
As cybercriminals continue to refine their tactics, staying informed and proactive is essential for safeguarding critical infrastructure and sensitive data.
Organizations are encouraged to contact incident response teams and share threat intelligence in order to collectively disrupt malicious actors targeting the financial sector and beyond.