
POSHC2

Posted: December 6, 2019

POSHC2 is the name of a legitimate exploitation framework originally built to help penetration testers verify that the networks in their care are invulnerable to cyber-attacks. Unfortunately, the POSHC2 framework is also available for free, with its entire source code openly published on the Internet. This has allowed cybercriminals to take some of the framework's core modules, apply small changes to them, and turn them into fully-fledged threats used to launch attacks against companies and corporations worldwide.

One of the well-known Advanced Persistent Threat (APT) groups to make use of the POSHC2 framework for nefarious purposes is APT33 (also known as the Elfin Team), an Iran-based hacking crew that has participated in attacks against industries in South Korea, Saudi Arabia and the United States.

The POSHC2 Backdoor Was Used Intensively by APT33

The APT33 group used the POSHC2 backdoor throughout 2018, and its targets changed frequently; the engineering and aviation industries were just two of them. One interesting detail found in some of the POSHC2 samples that malware researchers obtained is that they had automatic kill dates set to July 29, 2018. Such a kill date is not typical, but threat actors do sometimes rely on one to ensure that no traces are left behind.

In terms of functionality, POSHC2 has all the general features seen in most Trojan backdoors. Upon infecting a host, it gathers general system information such as the username and domain, PC name, hardware and software details, and the PID (Process ID) of the malicious process. This data is then transferred to a control server, after which the attackers can operate this instance of the POSHC2 backdoor remotely. Through the Command & Control server they can send remote commands, download and launch additional payloads, and execute PowerShell commands.
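A backdoor that reports to a control server and waits for commands has to poll that server on a schedule, which gives defenders a timing signal to look for in outbound traffic. The following script is an added example written for this page; it is not code from the article or from the POSHC2 project. It reads a constructed web-proxy log (the log format, hostnames, IP addresses and timestamps are all made up for illustration) and flags source/destination pairs whose requests arrive at suspiciously regular intervals.

```python
"""Beaconing detection over constructed web-proxy log lines.

Added example, not part of the original article and not POSHC2 code.
A backdoor that checks in with its control server for commands tends to
contact one host at near-regular intervals; the functions below surface
such pairs from proxy logs. The log format and every value in SAMPLE_LOG
are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source IP> <destination host> <method> <path>"
# One host is polled roughly once a minute; the other is browsed irregularly.
SAMPLE_LOG = """\
2018-06-01T09:00:00 10.0.0.5 updates.example-cdn.test GET /
2018-06-01T09:00:02 10.0.0.5 intranet.example.test GET /home
2018-06-01T09:01:00 10.0.0.5 updates.example-cdn.test GET /
2018-06-01T09:01:58 10.0.0.5 updates.example-cdn.test GET /
2018-06-01T09:02:10 10.0.0.5 intranet.example.test GET /news
2018-06-01T09:03:01 10.0.0.5 updates.example-cdn.test GET /
2018-06-01T09:04:00 10.0.0.5 updates.example-cdn.test GET /
2018-06-01T09:04:45 10.0.0.5 intranet.example.test GET /mail
2018-06-01T09:05:00 10.0.0.5 updates.example-cdn.test GET /
2018-06-01T09:09:30 10.0.0.5 intranet.example.test GET /docs
"""


def parse_log(text):
    """Return a list of (timestamp, source, destination) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _path = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def intervals_by_pair(events):
    """Group events by (source, destination) and compute the gaps, in seconds,
    between consecutive requests of each pair."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst in sorted(events):
        stamps_by_pair[(src, dst)].append(ts)
    return {
        pair: [(later - earlier).total_seconds()
               for earlier, later in zip(stamps, stamps[1:])]
        for pair, stamps in stamps_by_pair.items()
    }


def find_beacons(events, min_events=5, max_cv=0.1):
    """Return (source, destination, mean_gap_seconds, cv) for pairs whose request
    timing is suspiciously regular.

    cv is the coefficient of variation (population std / mean) of the gaps:
    human browsing produces a high cv, a scheduled poll a low one. The
    thresholds are illustrative assumptions, not values from the article.
    """
    findings = []
    for (src, dst), gaps in intervals_by_pair(events).items():
        if len(gaps) + 1 < min_events:      # too few requests to judge regularity
            continue
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((src, dst, round(avg, 1), round(cv, 3)))
    return findings


if __name__ == "__main__":
    for src, dst, avg, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{avg}s (cv={cv})")
```

Tune `min_events` and `max_cv` to the environment, and treat a hit as a lead rather than a verdict: legitimate software updaters also poll on a schedule, and a regular interval is only convincing when it lines up with process context such as a PowerShell process that owns the connections.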

Cybercriminals frequently exploit legitimate projects and rework them for nefarious purposes. The POSHC2 backdoor used in some of APT33's activity is just one example of this behavior.
