Researchers from Unit 42 have uncovered a sustained campaign targeting financial organizations across Africa, attributed to a threat actor cluster tracked as CL-CRI-1014.
This group is suspected to be operating as an initial access broker, infiltrating financial institutions and subsequently selling access to other threat actors on darknet markets.
The campaign, observed since at least July 2023, follows a consistent and technically adept playbook that combines open-source and other publicly available tools to establish persistence, evade detection, and enable remote administration.
Attack Framework
The attackers’ toolkit prominently features three main components: PoshC2, Chisel, and Classroom Spy.
PoshC2 is an open-source post-exploitation framework commonly used by both penetration testers and malicious actors for command execution and for maintaining a foothold in compromised environments.
Chisel, another open-source utility, is employed for network tunneling, allowing attackers to bypass internal firewalls and proxy traffic covertly.
Classroom Spy, a commercial remote administration tool marketed for educational environments, has been repurposed by the attackers to enable comprehensive surveillance and control over infected endpoints.

The threat actors have demonstrated a high level of sophistication in operational security.
According to the report, they routinely disguise their malicious binaries by forging file signatures and mimicking legitimate software from vendors such as Microsoft, Palo Alto Networks (Cortex), and VMware.
This includes copying icons, process names, and even digital certificates to evade detection by endpoint security solutions.
Such techniques highlight the increasing trend of threat actors leveraging legitimate tools and trusted signatures to mask their activities.
Technical Execution
Initial access is believed to be gained via compromised credentials or exploitation of vulnerable services.
Once inside, attackers deploy their toolset using various lateral movement techniques, including remote service creation, Distributed Component Object Model (DCOM) execution, and the legitimate PsExec utility.

The attackers have shifted from previously using MeshAgent to Classroom Spy as their primary remote administration payload, delivered and installed via custom PowerShell scripts.
These scripts extract the Classroom Spy binaries from compressed archives, install them as services, and often rename them to blend into the target environment.
Classroom Spy provides attackers with a robust set of capabilities: live screen monitoring, keylogging, file transfer, audio and video recording, and remote terminal access.
Attackers further obfuscate their presence by altering installation paths and process names, leveraging the tool’s built-in “Stealth Options” to evade detection.
Persistence for PoshC2 is achieved through multiple methods, including the creation of Windows services, scheduled tasks, and startup folder shortcuts.
Notably, attackers have been observed disguising malicious scheduled tasks as legitimate security processes (e.g., “Palo Alto Cortex Services”) and renaming payloads (e.g., “CortexUpdater.exe”).
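One defensive check the disguised-task behaviour suggests, written here as an added example rather than taken from the Unit 42 report: triage scheduled tasks whose display name borrows a security vendor's brand while the task's action launches a binary from a directory where that vendor would never install. The vendor keyword list, the expected install directories and every task record below are constructed assumptions for illustration; in production the records would come from `schtasks /query /xml` or Event ID 4698 output.

```python
"""Flag scheduled tasks whose name mimics a vendor but whose action runs
from a non-vendor location (added example; not Unit 42 or attacker code)."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed mapping: brand words an intruder might borrow for a task name ->
# lower-cased directory prefixes where that vendor's binaries legitimately live.
VENDOR_DIRS = {
    "cortex": ["c:\\program files\\palo alto networks\\"],
    "palo alto": ["c:\\program files\\palo alto networks\\"],
    "vmware": ["c:\\program files\\vmware\\"],
    "microsoft": [
        "c:\\windows\\",
        "c:\\program files\\microsoft\\",
        "c:\\program files (x86)\\microsoft\\",
    ],
}


@dataclass
class ScheduledTask:
    name: str    # task path/name as shown by schtasks
    action: str  # command line the task launches


def executable_of(action: str) -> str:
    """Return the program part of a task action, honouring a quoted path."""
    action = action.strip()
    if action.startswith('"'):
        end = action.find('"', 1)
        return action[1:end] if end != -1 else action[1:]
    return action.split()[0] if action else ""


def normalize(path: str) -> str:
    """Lower-case and use backslashes so prefix comparison is stable."""
    return path.strip('"').replace("/", "\\").lower()


def mimicked_vendor(task_name: str) -> Optional[str]:
    """First vendor brand word found in the task name, if any."""
    lowered = task_name.lower()
    for brand in VENDOR_DIRS:
        if brand in lowered:
            return brand
    return None


def is_suspicious(task: ScheduledTask) -> bool:
    """True when the name borrows a brand but the binary is outside that
    vendor's expected directories (e.g. a user-writable path)."""
    brand = mimicked_vendor(task.name)
    if brand is None:
        return False
    exe = normalize(executable_of(task.action))
    return not any(exe.startswith(prefix) for prefix in VENDOR_DIRS[brand])


def triage(tasks: List[ScheduledTask]) -> List[str]:
    """Names of the tasks worth an analyst's attention."""
    return [t.name for t in tasks if is_suspicious(t)]


# Constructed task records: two mimic vendors from a non-vendor path,
# two are benign (one real Windows task, one unrelated third-party task).
SAMPLE_TASKS = [
    ScheduledTask(r"\Palo Alto Cortex Services",
                  r'"C:\Users\Public\Libraries\CortexUpdater.exe" -start'),
    ScheduledTask(r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
                  r"C:\Windows\System32\usoclient.exe StartScan"),
    ScheduledTask(r"\VMware Tools Update", r"C:\ProgramData\vmtoolsd.exe"),
    ScheduledTask(r"\Adobe Acrobat Update Task",
                  r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_TASKS):
        print("review:", name)
```

The heuristic deliberately keys on the binary's location rather than its icon or version strings, because the report notes those are exactly what the actor copies; a signature check on the flagged binary is the natural next step.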
Chisel is deployed to establish encrypted tunnels, acting as a SOCKS proxy to facilitate covert command-and-control (C2) communications and lateral movement.
The attackers configure Chisel clients on compromised hosts to connect back to attacker-controlled servers, effectively bypassing network segmentation and security controls.
The CL-CRI-1014 campaign underscores the growing threat posed by initial access brokers and the abuse of open-source and commercial tools in targeted attacks.
By forging digital signatures and mimicking legitimate software, attackers significantly increase the difficulty of detection and response for defenders.
Financial institutions and other high-risk sectors are urged to enhance their monitoring for suspicious use of remote administration tools, unauthorized tunneling activity, and anomalous process behaviors.
Security teams are advised to incorporate the provided indicators of compromise (IoCs) into their threat intelligence and detection frameworks, and to review endpoint and network logs for signs of the described attack techniques.
Indicators of Compromise (IoC)
| Tool | SHA256 Hashes / Domains |
|---|---|
| PoshC2 | 3bbe3f42857bbf74424ff4d044027b9c43d3386371decf905a4a1037ad468e2c 9149ea94f27b7b239156dc62366ee0f85b0497e1a4c6e265c37bedd9a7efc07f a41e7a78f0a2c360db5834b4603670c12308ff2b0a9b6aeaa398eeac6d3b3190 0bb7a473d2b2a3617ca12758c6fbb4e674243daa45c321d53b70df95130e23bc 14b2c620dc691bf6390aef15965c9587a37ea3d992260f0cbd643a5902f0c65b … (more in source) |
| Chisel | bc8b4f4af2e31f715dc1eb173e53e696d89dd10162a27ff5504c993864d36f2f 9a84929e3d254f189cb334764c9b49571cafcd97a93e627f0502c8a9c303c9a4 5e4511905484a6dc531fa8f32e0310a8378839048fe6acfeaf4dda2396184997 e788f829b1a0141a488afb5f82b94f13035623609ca3b83f0c6985919cd9e83b 2ce8653c59686833272b23cc30235dae915207bf9cdf1d08f6a3348fb3a3e5c1 |
| Classroom Spy | 831d98404ce5e3e5499b558bb653510c0e9407e4cb2f54157503a0842317a363 f5614dc9f91659fb956fd18a5b81794bd1e0a0de874b705e11791ae74bb2e533 aed1b6782cfd70156b99f1b79412a6e80c918a669bc00a6eee5e824840c870c1 6cfa5f93223db220037840a2798384ccc978641bcec9c118fde704d40480d050 |
| Domains | finix.newsnewth365[.]com mozal.finartex[.]com vigio.finartex[.]com bixxler.drennonmarketingreviews[.]com genova.drennonmarketingreviews[.]com savings.foothillindbank[.]com tnn.specialfinanceinsider[.]com ec2-18-140-227-82.ap-southeast-1.compute.amazonaws[.]com c2-51-20-36-117.eu-north-1.compute.amazonaws[.]com flesh.tabtemplates[.]com health.aqlifecare[.]com vlety.forwardbanker[.]com |
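To make the advice in the closing section concrete, here is an added example (not code from Unit 42) that re-fangs a subset of the published domains and hashes and sweeps them across DNS query logs and a file-hash inventory. The IoC values are copied from the table above; the log formats and every log line are constructed for illustration, so the field layout would need adapting to a real resolver or EDR export.

```python
"""Sweep constructed DNS and file-inventory logs for CL-CRI-1014 IoCs
(added example; indicator values come from the table above)."""
import re
from typing import List, Optional, Tuple

# Subset of the published indicators, kept defanged exactly as printed.
IOC_DOMAINS_DEFANGED = [
    "finix.newsnewth365[.]com",
    "mozal.finartex[.]com",
    "vigio.finartex[.]com",
    "savings.foothillindbank[.]com",
    "ec2-18-140-227-82.ap-southeast-1.compute.amazonaws[.]com",
    "health.aqlifecare[.]com",
]
IOC_SHA256 = {  # one published hash per tool family
    "3bbe3f42857bbf74424ff4d044027b9c43d3386371decf905a4a1037ad468e2c": "PoshC2",
    "bc8b4f4af2e31f715dc1eb173e53e696d89dd10162a27ff5504c993864d36f2f": "Chisel",
    "831d98404ce5e3e5499b558bb653510c0e9407e4cb2f54157503a0842317a363": "Classroom Spy",
}


def refang(indicator: str) -> str:
    """Turn report-style defanged notation back into a matchable name."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def domain_matches(query: str) -> Optional[str]:
    """Return the IoC that `query` equals or is a subdomain of, else None.
    Trailing dots and case differences in the query are tolerated."""
    q = query.rstrip(".").lower()
    for ioc in IOC_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


# Constructed resolver log format: "<timestamp> host=<name> query=<fqdn> type=<rr>"
DNS_LINE = re.compile(r"host=(?P<host>\S+)\s+query=(?P<query>\S+)")


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(host, queried name, matched IoC) for every query hitting an IoC."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        ioc = domain_matches(m.group("query"))
        if ioc:
            hits.append((m.group("host"), m.group("query"), ioc))
    return hits


def scan_hash_inventory(rows: List[str]) -> List[Tuple[str, str, str]]:
    """(host, path, tool) for each 'host,path,sha256' row whose digest is an IoC."""
    hits = []
    for row in rows:
        parts = [p.strip() for p in row.split(",")]
        if len(parts) != 3:
            continue
        host, path, digest = parts
        tool = IOC_SHA256.get(digest.lower())
        if tool:
            hits.append((host, path, tool))
    return hits


# Constructed sample data. The last DNS line only contains an IoC string as
# a substring and must not match; the inventory header row must be skipped.
SAMPLE_DNS = [
    "2024-03-02T10:11:12Z host=ws-017 query=mozal.finartex.com type=A",
    "2024-03-02T10:11:13Z host=ws-017 query=login.microsoftonline.com type=A",
    "2024-03-02T10:12:40Z host=srv-db-02 query=Health.AQLIFECARE.com. type=A",
    "2024-03-02T10:13:01Z host=ws-022 query=cdn.finartex.com.example.net type=A",
]
SAMPLE_INVENTORY = [
    "host,path,sha256",
    "ws-017,C:\\Users\\Public\\Libraries\\CortexUpdater.exe,"
    "3bbe3f42857bbf74424ff4d044027b9c43d3386371decf905a4a1037ad468e2c",
    "ws-017,C:\\Windows\\System32\\svchost.exe," + "0" * 64,
    "srv-db-02,C:\\ProgramData\\svc\\agent.exe,"
    "831d98404ce5e3e5499b558bb653510c0e9407e4cb2f54157503a0842317a363",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS) + scan_hash_inventory(SAMPLE_INVENTORY):
        print("IoC hit:", hit)
```

Matching subdomains of an IoC domain, rather than exact names only, catches per-victim hostnames under an attacker-controlled zone; matching on a bare substring would instead produce false positives, which the fourth DNS line illustrates.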