An analysis of an open directory identified infrastructure linked to PoshC2 command-and-control activity. The actor used batch scripts and malware against Windows and Linux systems, with the goals of system compromise, data destruction, and disabling detection mechanisms.
Tools found included Ngrok, Posh_v2_dropper_x64.exe (a dropper for PoshC2, a C2 framework with PowerShell implants), and VmManagedSetup.exe (SystemBC malware). The investigation identified a second open directory with similar binaries and a text file giving instructions for creating a user account and downloading the Atera Agent.
The first directory was taken down; the second remained active at the time of the report and was likely hosting scripts for use in ransomware intrusions.
Investigators found an open directory on a server (94.198.53.143) containing PoshC2 scripts; the scripts created a disguised user account and downloaded the Atera Agent using a seemingly legitimate email address.
Pivoting on Shodan led to another server (185.234.216.64) hosting a similar PoshC2 open directory that contained batch files and executables. A text file (“poschc2+user.txt”) describing the user account creation, present in the earlier directory, had been deleted by the attacker but was retrieved by investigators.
The DFIR Report identified two IP addresses (94.198.53.143 and 185.234.216.64) historically linked to malicious activity, including PoshC2 and Sliver command and control frameworks.
An open directory revealed various scripts for disabling security software (Windows Defender, Malwarebytes), deleting backups and logs, manipulating RDP settings, and potentially establishing remote access via Ngrok.
Additionally, tools for deploying PoshC2 agents (droppers) and, possibly, SystemBC malware were found, consistent with a targeted intrusion aimed at disabling defenses and establishing persistence.
A set of malicious batch scripts, likely used in a ransomware attack, targets Windows systems and pursues several goals: uninstall the Atera agent and security software (Defender and Malwarebytes), disable System Restore points and backups, delete Volume Shadow Copies, modify the boot configuration to prevent recovery, and stop services such as web servers, databases, and Exchange.
The scripts can also kill processes, log off sessions, and establish tunnels with ngrok. Together these steps make data recovery difficult and potentially give the attacker remote access to the system.
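Every action listed in the two paragraphs above is carried out through a command line, so the most direct detection is a rule set over process-creation telemetry. The following Python is an added example written for this summary; it is not code from the report, and it does not reproduce the actor's scripts. The log lines are constructed to resemble the CommandLine field of Sysmon Event ID 1 or Security Event 4688, and the patterns are written from the documented syntax of vssadmin, wmic, bcdedit, wbadmin, Set-MpPreference, net, sc, taskkill and ngrok.

```python
import re
from dataclasses import dataclass

# Constructed sample of process command lines (not from the report): eleven that
# exercise the behaviours described above and two benign ones.
SAMPLE_LOG = [
    "cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "wmic shadowcopy delete /nointeractive",
    "bcdedit.exe /set {default} recoveryenabled no",
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "wbadmin delete catalog -quiet",
    "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true",
    "net user support$ P@ssw0rd! /add",
    "ngrok.exe tcp 3389",
    "net stop MSSQLSERVER /y",
    "sc.exe stop MSExchangeIS",
    "taskkill /F /IM sqlservr.exe",
    "svchost.exe -k netsvcs -p",  # benign
    "explorer.exe",               # benign
]

# (technique label, regex) pairs, matched case-insensitively against the whole
# command line. A single line may trip more than one signature.
SIGNATURES = [
    ("shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup catalog deletion",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)", re.I)),
    ("boot recovery disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("Defender real-time protection disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)", re.I)),
    ("local account creation",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add", re.I)),
    ("ngrok tunnel to RDP",
     re.compile(r"\bngrok(\.exe)?\b.*\btcp\b.*\b3389\b", re.I)),
    ("bulk service stop",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*(sql|exchange|w3svc|apache|mysql|vss|backup)", re.I)),
    ("process kill of server software",
     re.compile(r"\btaskkill(\.exe)?\b.*/im\s+\S*(sql|exchange|w3wp|httpd|mysql|store)", re.I)),
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    technique: str
    command_line: str


def scan(log_lines):
    """Return one Hit per (line, signature) match, in log order."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for label, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append(Hit(n, label, line.strip()))
    return hits


def techniques(hits):
    """Distinct technique labels seen, sorted for stable reporting."""
    return sorted({h.technique for h in hits})


def recovery_inhibition_chain(hits, threshold=2):
    """True when at least `threshold` distinct recovery-inhibition techniques
    (shadow copies, backup catalog, boot recovery) appear. Any one of these has
    benign uses; the combination is what the report describes as preparation
    for making recovery difficult."""
    recovery = {"shadow copy deletion", "backup catalog deletion", "boot recovery disabled"}
    return len({h.technique for h in hits if h.technique in recovery}) >= threshold


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no:2d}  {h.technique:40s} {h.command_line}")
    print("recovery inhibition chain:", recovery_inhibition_chain(found))
```

The chain check is the useful part in practice: a lone bcdedit or vssadmin invocation from an administrator is noise, while shadow copy deletion, catalog deletion and recovery-disabling within one host and short time window is the pattern to alert on. Extending the function to group hits by host and time is straightforward once the log lines carry those fields.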
A malware campaign deployed PoshC2 droppers and used a number of tools for persistence, defense evasion, and privilege escalation; the PoshC2 C2 server was identified as 94.198.53.143.
The attackers used several detection-evasion techniques, including replacing accessibility tools with cmd.exe and disabling security software.
They also deployed a Sliver implant, likely version 1.5.40 or 1.5.41, communicating with 94.198.53.143. Finally, the attackers used scripts to remove security software and enable Remote Desktop access.
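The accessibility-tool replacement and the Remote Desktop changes described in the paragraph above both leave state on the host that can be checked directly. The PowerShell below is an added triage example, not code from the report or from the actor's scripts. It assumes an elevated session on the host under examination. The report says the tools were replaced with cmd.exe; the script checks for that by hash comparison, and additionally (an assumption, as a common variant the page does not mention) for an Image File Execution Options "Debugger" redirection, which achieves the same effect without touching the binary.

```powershell
# Added triage example for a suspected accessibility-tool hijack and RDP enablement.
# Assumes an elevated PowerShell session on the host being examined.

$accessibilityTools = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                      'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$cmdHash  = (Get-FileHash -Algorithm SHA256 "$env:SystemRoot\System32\cmd.exe").Hash

$findings = foreach ($tool in $accessibilityTools) {
    # Variant assumed here (not stated on the page): an IFEO "Debugger" value
    # makes Windows launch the named binary instead of the accessibility tool.
    $debugger = Get-ItemProperty -Path (Join-Path $ifeoRoot $tool) -Name Debugger -ErrorAction SilentlyContinue
    if ($debugger) {
        [pscustomobject]@{ Tool = $tool; Check = 'IFEO Debugger'; Value = $debugger.Debugger }
    }

    # Variant described on the page: the tool's binary overwritten with cmd.exe.
    # A hash match only catches an exact copy; a renamed or patched binary will not match.
    $path = Join-Path "$env:SystemRoot\System32" $tool
    if (Test-Path $path) {
        $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
        if ($hash -eq $cmdHash) {
            [pscustomobject]@{ Tool = $tool; Check = 'Binary replaced'; Value = "SHA256 matches cmd.exe ($hash)" }
        }
    }
}

# RDP state: fDenyTSConnections = 0 means RDP is enabled;
# UserAuthentication = 0 means Network Level Authentication is off.
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
$nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
$rdp = [pscustomobject]@{
    RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
    NlaRequired = ($nla.UserAuthentication -eq 1)
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No accessibility-tool hijack found.' }
$rdp
```

Run on a clean host the script should report no findings and RdpEnabled matching the host's policy; any IFEO Debugger value on these keys, or a System32 accessibility binary hashing identical to cmd.exe, is worth treating as a confirmed tamper rather than a misconfiguration. Pair the result with the 94.198.53.143 and 185.234.216.64 indicators from the report when scoping affected hosts.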