The Intrusion and Persistence Strategy
A French-speaking attacker, known by the handle ‘Poisson,’ targeted a small automotive business in France. The initial breach involved a memory-based malware chain, starting with a VBScript stager that deployed a PowerShell loader, ultimately running Havoc’s Demon agent without writing files to disk. After gaining elevated privileges through repeated UAC prompts, the attacker installed a keylogger and established multiple persistence mechanisms, including a scheduled task and shellcode injection.
The attacker’s crucial move came near the end of the operation. In a five-hour session, they installed OpenSSH Server and Tailscale on the victim’s machine, creating a separate communication channel that did not rely on the command-and-control (C2) server. When the Havoc C2 infrastructure went offline the next day, this alternative path remained active, allowing the attacker to maintain access for 18 days until the C2 returned.
Impact and Scope
Cato Networks researchers documented 339 commands over 33 days after discovering the attacker’s SSH keys and playbook in an open storage bucket. The operator, described as a junior hacker with limited tradecraft, still managed to compromise four machines. The keylogger targeted banking credentials, email passwords, and government portal logins, representing direct financial exposure for the targeted business.
The techniques used are not novel. Advanced persistent threat groups like APT31 have used Tailscale for covert tunneling, while ransomware groups employ legitimate remote access tools. The critical lesson is that taking a C2 server offline does not constitute remediation if attackers have established independent persistence layers. Organizations should monitor for unexpected OpenSSH installations on workstations, unauthorized Tailscale usage, and reverse SSH tunnels to external hosts.
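The monitoring advice above can be turned into a quick host audit. The script below is an added example, not code from the Cato Networks report or from The Hacker News; it checks a Windows workstation for the three indicators the write-up names (OpenSSH Server, Tailscale, and outbound SSH sessions) plus scheduled tasks that launch either tool. It assumes the default service and process names (`sshd`, `Tailscale`, `tailscaled`, `tailscale-ipn`) and the default SSH port 22.

```powershell
# Added example: audit one Windows host for the persistence indicators named in
# the Poisson write-up. Run from an elevated PowerShell session.
$findings = @()

# 1. OpenSSH Server: an optional Windows capability and/or a running 'sshd' service.
$cap = Get-WindowsCapability -Online -Name 'OpenSSH.Server*' -ErrorAction SilentlyContinue
if ($cap -and $cap.State -eq 'Installed') {
    $findings += "OpenSSH Server capability installed ($($cap.Name))"
}
$sshd = Get-Service -Name 'sshd' -ErrorAction SilentlyContinue
if ($sshd) {
    $findings += "sshd service present, status=$($sshd.Status), start=$($sshd.StartType)"
}

# 2. Tailscale: assumed default service name 'Tailscale' and its daemon/GUI processes.
$ts = Get-Service -Name 'Tailscale' -ErrorAction SilentlyContinue
if ($ts) { $findings += "Tailscale service present, status=$($ts.Status)" }
$tsProc = Get-Process -Name 'tailscaled', 'tailscale-ipn' -ErrorAction SilentlyContinue
if ($tsProc) { $findings += "Tailscale process(es) running: $($tsProc.Name -join ', ')" }

# 3. SSH tunnels: established sessions to remote tcp/22 (assumes the default port)
#    and anything listening on local tcp/22 on a workstation.
$sshConns = Get-NetTCPConnection -State Established -RemotePort 22 -ErrorAction SilentlyContinue
foreach ($c in $sshConns) {
    $owner = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).Name
    $findings += "Established SSH session to $($c.RemoteAddress):22 from PID $($c.OwningProcess) ($owner)"
}
$listen = Get-NetTCPConnection -State Listen -LocalPort 22 -ErrorAction SilentlyContinue
if ($listen) { $findings += "Listener on tcp/22, PID $($listen.OwningProcess -join ',')" }

# 4. Scheduled tasks whose action invokes ssh or tailscale (the report mentions a scheduled task).
Get-ScheduledTask | ForEach-Object {
    $actions = @($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" })
    if ($actions -match 'ssh|tailscale') {
        $findings += "Scheduled task '$($_.TaskName)' runs: $($actions -join ' ; ')"
    }
}

if ($findings.Count -eq 0) { 'No OpenSSH/Tailscale/SSH-tunnel indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any line is a starting point for triage, not proof of compromise: compare against the host's approved software inventory before escalating.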
Source: The Hacker News