Full Report
The threat actor used a combination of open-source and publicly available tools to establish their attack framework.
Analysis Summary
# Tool/Technique: PoshC2
## Overview
PoshC2 is an open-source attack framework utilized by the threat actor CL-CRI-1014 to conduct malicious operations against financial organizations in Africa. It is identified as the primary command and control (C2) framework used in their current campaign.
## Technical Details
- Type: Attack Framework
- Platform: Likely Windows (given the associated use of PsExec), but C2 frameworks generally support multi-platform implant deployment.
- Capabilities: A full-featured C2 framework used for managing implants, executing commands, and maintaining persistence.
- First Seen: The current campaign utilizing this set of tools has been active since at least 2023.
## MITRE ATT&CK Mapping
*Note: Specific tactics and techniques are inferred based on the use of a C2 framework and associated tools:*
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter (Implied/Associated with C2 operations)
## Functionality
### Core Capabilities
- Serving as the main Command and Control infrastructure for controlling compromised systems.
- Used in conjunction with other tools like Chisel for communication encapsulation and evasion.
### Advanced Features
- The article focuses on its use as the main framework for the observed campaign, implying features typical of C2 frameworks such as remote execution and payload delivery.
## Indicators of Compromise
- File Hashes: [Not specified in the provided text]
- File Names: [Framework executables/implant names associated with PoshC2 deployment, not specified]
- Registry Keys: [Not specified in the provided text]
- Network Indicators: [C2 domains/IPs associated with PoshC2 traffic, not specified]
- Behavioral Indicators: [Communications indicative of a PoshC2 implant beaconing or receiving instructions]
## Associated Threat Actors
- CL-CRI-1014 (Identified by Unit 42 as initial access brokers targeting African financial institutions)
## Detection Methods
- Signature-based detection: [Signatures for known PoshC2 payloads or default C2 communication patterns]
- Behavioral detection: [Detection of connections to known C2 infrastructure or anomalous process execution patterns associated with C2 implants]
- YARA rules: [Not specified in the provided text]
## Mitigation Strategies
- Network segmentation to limit lateral movement originating from C2 traffic.
- Monitoring egress traffic for connections to known command and control infrastructure.
- Strict application whitelisting to prevent execution of unauthorized frameworks or payloads.
## Related Tools/Techniques
- Chisel (Used for tunneling)
- PsExec (Used for remote execution/proxying)
- Classroom Spy (Remote Administration Tool used later in the infection chain)
- MeshAgent (Previously used RAT in earlier CL-CRI-1014 campaigns)
***
# Tool/Technique: Chisel
## Overview
Chisel is a public, open-source tunneling utility leveraged by CL-CRI-1014. It is used specifically to establish tunnels through the target organization's firewall protections, enabling continued command and control or data exfiltration paths.
## Technical Details
- Type: Utility / Tunneling Tool
- Platform: Cross-platform capability (Used here likely on Windows targets or the intermediate proxy).
- Capabilities: Creates secure reverse or remote tunnels over protocols like SSH, assisting in bypassing network security controls like firewalls.
- First Seen: Used in ongoing CL-CRI-1014 campaigns since at least 2023.
## MITRE ATT&CK Mapping
- TA0010 - Exfiltration
- T1071.001 - Application Layer Protocol: Web Protocols
- TA0011 - Command and Control
- T1090 - Proxy
## Functionality
### Core Capabilities
- Establishing tunnels for network communication.
- Bypassing firewall protections on the target system.
### Advanced Features
- Encapsulating malicious traffic within seemingly legitimate protocols to avoid detection by perimeter defenses.
## Indicators of Compromise
- File Hashes: [Not specified in the provided text]
- File Names: [Specific Chisel binary names used, not specified]
- Registry Keys: [Not specified in the provided text]
- Network Indicators: [Tunnel endpoints related to Chisel's operation, not specified]
- Behavioral Indicators: [Unusual outbound connections or data flow patterns corresponding to tunneling activity]
## Associated Threat Actors
- CL-CRI-1014
## Detection Methods
- Signature-based detection: [Signatures for known Chisel binaries]
- Behavioral detection: [Detection of protocols being tunneled over unexpected ports or unusual sustained outbound connections indicative of a tunnel being maintained]
- YARA rules: [Not specified in the provided text]
## Mitigation Strategies
- Network monitoring for anomalous outbound traffic patterns characteristic of covert tunneling.
- Implementing deep packet inspection (DPI) to identify encapsulated or encoded traffic flows.
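The behavioral detection and DPI-based mitigation above describe a tunnel by its shape on the wire: an application protocol on a port where it is not expected, or a single outbound session that stays open far longer and carries far more two-way traffic than normal web browsing. The following script is an added example, not code from the report or from the Chisel project: it runs those two checks over constructed, Zeek-style connection summaries. The field names (resp_h, resp_p, service, duration, orig_bytes, resp_bytes), the internal address ranges and the thresholds are assumptions chosen for illustration; tune them to your own baseline.

```python
"""Flag outbound connection records whose shape matches sustained covert tunneling.

Added example for the Chisel section (not from the original report).
Assumptions: connection summaries carry a DPI-derived service label and
byte counts in both directions; internal ranges and thresholds are
illustrative placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import ipaddress

# Constructed allow-list of the organisation's own address space (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports on which each DPI-labelled protocol is expected to appear (assumption).
EXPECTED_PORTS = {"http": {80, 8080}, "ssl": {443, 8443}, "ssh": {22}}

LONG_LIVED_SECONDS = 30 * 60          # one connection held open this long is unusual for web traffic
MIN_BIDIRECTIONAL_BYTES = 1_000_000   # sustained two-way volume, the hallmark of a tunnel


@dataclass
class Conn:
    orig_h: str
    resp_h: str
    resp_p: int
    service: str      # DPI label, "" when unknown
    duration: float   # seconds
    orig_bytes: int
    resp_bytes: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def reasons(c: Conn) -> List[str]:
    """Return the list of tunnel indicators a record trips (empty when clean)."""
    out: List[str] = []
    if is_internal(c.resp_h):
        return out  # east-west flows are out of scope for egress monitoring
    expected = EXPECTED_PORTS.get(c.service)
    if expected is not None and c.resp_p not in expected:
        out.append(f"{c.service} seen on unexpected port {c.resp_p}")
    if c.duration >= LONG_LIVED_SECONDS and min(c.orig_bytes, c.resp_bytes) >= MIN_BIDIRECTIONAL_BYTES:
        out.append(f"long-lived bidirectional session ({c.duration / 60:.0f} min, "
                   f"{c.orig_bytes}B out / {c.resp_bytes}B in)")
    return out


def scan_conns(conns: List[Conn]) -> Dict[Tuple[str, str, int], List[str]]:
    """Map (source, destination, port) to the indicators tripped, keeping only hits."""
    return {(c.orig_h, c.resp_h, c.resp_p): r for c in conns if (r := reasons(c))}


# Constructed sample records (not real telemetry); destinations use documentation ranges.
SAMPLE_CONNS = [
    Conn("10.1.5.23", "203.0.113.10", 443, "ssl", 4.2, 5_000, 120_000),          # ordinary web fetch
    Conn("10.1.5.23", "10.1.0.5", 445, "smb", 7200, 5_000_000, 5_000_000),       # internal, ignored here
    Conn("10.1.5.40", "198.51.100.7", 8443, "http", 5400, 2_500_000, 3_100_000), # http on a TLS port, sustained
    Conn("10.1.5.41", "198.51.100.9", 443, "ssl", 90, 800, 40_000),              # short TLS session, clean
]

if __name__ == "__main__":
    for key, hits in scan_conns(SAMPLE_CONNS).items():
        print(key, "->", "; ".join(hits))
```

The port check only fires when DPI was able to label the protocol, so an unlabelled flow is caught only by the duration and volume rule; in practice both rules produce leads for analyst review rather than verdicts, and the thresholds should be set from a few weeks of your own egress baseline.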
## Related Tools/Techniques
- PoshC2 (The overarching C2 infrastructure managing the tunnel)
- PsExec (Used alongside Chisel for initial spread/proxy setup)
***
# Tool/Technique: PsExec (Microsoft Sysinternals)
## Overview
PsExec, a legitimate remote administration tool from Microsoft Sysinternals, is being abused by CL-CRI-1014 to achieve remote execution on target machines, initially connecting to a proxy machine before escalating further.
## Technical Details
- Type: Tool (Abused Legitimate Software)
- Platform: Windows
- Capabilities: Launches processes on remote Windows systems.
- First Seen: Used in CL-CRI-1014 campaigns dating back to at least 2023.
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- TA0008 - Lateral Movement
- T1021.002 - Remote Services: SMB/Windows Admin Shares (Underlying mechanism for PsExec)
## Functionality
### Core Capabilities
- Establishing remote connections to Windows machines.
- Executing commands or launching proxy processes on remote hosts.
### Advanced Features
- Used sequentially in the attack chain: first to establish a proxy connection, and subsequently to spread further post-initial access.
## Indicators of Compromise
- File Hashes: [Not specified, but detection should focus on legitimate PsExec versions being used maliciously]
- File Names: [PsExec.exe, or dropped copies]
- Registry Keys: [Not typically associated with forensic artifacts unless PsExec is installed/modified]
- Network Indicators: [SMB traffic patterns associated with remote service execution]
- Behavioral Indicators: [Execution of PsExec originating from unexpected administrative accounts or running unusual child processes]
## Associated Threat Actors
- CL-CRI-1014
## Detection Methods
- Signature-based detection: [Signatures for PsExec binaries]
- Behavioral detection: [Monitoring for PsExec usage that bypasses standard IT administration practices or is associated with initial penetration events]
- YARA rules: [Not typically needed; WMI/Event Log monitoring is preferred for this tool]
## Mitigation Strategies
- Restricting PsExec use through application control policies.
- Enforcing Principle of Least Privilege and JIT access for administrative credentials.
- Monitoring Windows Event Logs (e.g., Security Event ID 4688 for process creation initiated via PsExec).
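The detection and mitigation bullets above rely on the fact that PsExec leaves a recognisable process lineage: on the target host it installs a service whose binary is PSEXESVC.exe, and the remotely requested command runs as a child of that service, so Security Event ID 4688 records on the target show PSEXESVC.exe as the creator process. The script below is an added example, not code from the report or from Sysinternals: it applies that rule, plus a check for the client binary running on hosts that are not designated admin systems, over constructed 4688-style records. The record field names and the allow-lists of approved jump hosts and service accounts are assumptions; substitute your SIEM's export format and your own inventory.

```python
"""Flag process-creation records consistent with PsExec-style remote execution.

Added example for the PsExec section (not from the original report).
Assumptions: records are Security Event ID 4688 entries reduced to host,
subject account, new process and creator process; the approved host and
account sets are constructed placeholders standing in for an organisation's
own inventory.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed allow-lists (assumption): where and by whom PsExec use is expected.
APPROVED_ADMIN_HOSTS = {"it-jump01"}
APPROVED_ADMIN_ACCOUNTS = {"svc-deploy"}

# Known PsExec artefacts: the service-side component on the target is
# PSEXESVC.exe; the client binaries are PsExec.exe / PsExec64.exe.
PSEXEC_SERVICE = "psexesvc.exe"
PSEXEC_CLIENTS = {"psexec.exe", "psexec64.exe"}


@dataclass
class ProcessEvent:
    host: str              # computer that logged the 4688 event
    subject_account: str   # account the new process runs under
    new_process: str       # "New Process Name" field
    creator_process: str   # "Creator Process Name" field


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return an alert label for a suspicious event, or None when it looks expected."""
    new = basename(ev.new_process)
    parent = basename(ev.creator_process)
    if parent == PSEXEC_SERVICE:
        # A process spawned by the PsExec service: this host is the target of a session.
        if ev.host in APPROVED_ADMIN_HOSTS or ev.subject_account in APPROVED_ADMIN_ACCOUNTS:
            return None  # matches approved administrative practice
        return f"psexec-target: {new} spawned by PSEXESVC on {ev.host} as {ev.subject_account}"
    if new in PSEXEC_CLIENTS and ev.host not in APPROVED_ADMIN_HOSTS:
        # The client binary started on a host that is not a designated admin system.
        return f"psexec-client: {new} run from non-admin host {ev.host} by {ev.subject_account}"
    return None


def scan_process_events(events: List[ProcessEvent]) -> List[str]:
    """Return the alert labels for every event that trips a rule."""
    return [a for a in (classify(e) for e in events) if a]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("it-jump01", "svc-deploy", r"C:\Tools\PsExec64.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("fin-ws17", "svc-deploy", r"C:\Windows\System32\cmd.exe", r"C:\Windows\PSEXESVC.exe"),
    ProcessEvent("fin-ws22", "jdoe", r"C:\Users\jdoe\Downloads\psexec.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent("fin-srv03", "jdoe", r"C:\Windows\System32\cmd.exe", r"C:\Windows\PSEXESVC.exe"),
]

if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(alert)
```

Because the rule keys on the creator process rather than on a hash, it still fires when the attacker renames or recompiles the client, as long as the service component keeps its default name; pairing it with a System log rule for new service installations gives a second, independent signal on the same activity.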
## Related Tools/Techniques
- PoshC2
- Chisel
- Classroom Spy
***
# Tool/Technique: Classroom Spy
## Overview
Classroom Spy is a remote administration tool being deployed by CL-CRI-1014. Notably, its use marks a replacement for MeshAgent, which was used in the group's previous campaigns, suggesting operational iteration by the threat actor.
## Technical Details
- Type: Remote Administration Tool (RAT) / Malware
- Platform: Unknown (Likely Windows based on associated tools)
- Capabilities: Remote administration, likely including desktop viewing, file transfer, and remote command execution.
- First Seen: Incorporated into the CL-CRI-1014 attack chain observed in 2024/2025 activity.
## MITRE ATT&CK Mapping
- TA0003 - Persistence
- T1547.001 - Registry Run Keys / Startup Folder (If configured for persistence)
- TA0011 - Command and Control
- T1105 - Ingress Tool Transfer
## Functionality
### Core Capabilities
- Providing the threat actor with interactive remote control over compromised endpoints.
### Advanced Features
- Substitution for a previously used tool (MeshAgent), indicating adaptation to threat intelligence/detection improvements.
## Indicators of Compromise
- File Hashes: [Not specified in the provided text]
- File Names: [Specific names used for the Classroom Spy implant binary, not specified]
- Registry Keys: [Likely persistence keys, not specified]
- Network Indicators: [Connections established to the C2 infrastructure for RAT control, distinct from PoshC2 beaconing]
- Behavioral Indicators: [Process injections or unusual process trees stemming from the RAT activity]
## Associated Threat Actors
- CL-CRI-1014
## Detection Methods
- Signature-based detection: [Signatures specific to the deployed Classroom Spy binary]
- Behavioral detection: [Detection of characteristic network traffic patterns associated with Classroom Spy, or specific file drop locations]
- YARA rules: [Not specified in the provided text]
## Mitigation Strategies
- Application control to block execution of unauthorized or known RAT executables.
- Network egress filtering to block unauthorized C2 communication channels used by RATs.
## Related Tools/Techniques
- MeshAgent (Replaced tool)
***
# Threat Actor: CL-CRI-1014
## Overview
CL-CRI-1014 is a threat actor group actively targeting financial organizations across Africa, focusing on gaining initial access. They operate primarily as Initial Access Brokers (IABs), compromising systems and selling that access on the dark web.
## Technical Details
- Targeting Focus: Financial Sector in Africa
- Modus Operandi: Initial Access Brokerage
- Campaign Duration: Active since at least 2023.
## MITRE ATT&CK Mapping
*The actor's role as an IAB influences their TTPs:*
- TA0001 - Initial Access (Primary Objective)
- TA0010 - Exfiltration (For selling access information)
## Functionality
### Core Capabilities
- Utilizing open-source tools (PoshC2, Chisel, PsExec) for establishing footholds.
- Adapting TTPs by swapping out tools (e.g., Classroom Spy replacing MeshAgent).
### Advanced Features
- Profiting by selling initial access credentials/backdoors to other, potentially higher-tier, threat groups.
## Indicators of Compromise
- *Indicators are tied to the specific tools listed above (PoshC2, Chisel, etc.)*
## Associated Threat Actors
- None explicitly linked as customers or partners, but they act as vendors to untracked threat actors on the dark web.
## Detection Methods
- Detection hinges on identifying the tradecraft—the combination of public tools used in a persistent, targeted manner against financial entities in the specified region.
## Mitigation Strategies
- Enhanced vetting and monitoring of third-party access vectors.
- Robust detection across the entire attack chain, as IABs often use common, publicly available tools.
## Related Tools/Techniques
- PoshC2, Chisel, PsExec, Classroom Spy, MeshAgent (historical)