Stealthy KongTuke C2 Discovered via Multi-Domain Threat Hunting

Recent threat hunting operations by Cisco Talos identified a stealthy KongTuke C2 intrusion, demonstrating adversary techniques designed to evade traditional signature-based detections. This attack begins with initial access likely facilitated by a Traffic Direction System (TDS) redirect, which then leads to the execution of obfuscated PowerShell commands. These commands are typically Base64-encoded to bypass detection, responsible for downloading additional malicious scripts, such as script.ps1, into the user's ApplicationData directory. Following payload delivery, command-and-control (C2) communication is established, often leveraging living-off-the-land binaries like curl.exe to connect to suspicious external infrastructure, exemplified by 144.31.221.82 on port 6060 with a path like /capcha9856. The adversaries also employ anti-forensics measures, including post-execution file cleanup via Remove-Item, to obscure their tracks. This type of multi-stage attack, correlating network and endpoint telemetry, highlights the need for advanced threat hunting capabilities beyond simple alert thresholds.

Attack Chain

1. Initial Access: A user is redirected via a Traffic Direction System (TDS) infection, leading to a compromised website.
2. Foothold/Network Connection: Firewall telemetry records an outbound ConnectionEvent from an internal device to a suspicious IP address (e.g., 144.31.221.82) on a non-standard port (6060) with a specific URL path (e.g., /capcha9856), indicating potential C2.
3. Execution - Obfuscated PowerShell: On the compromised host, cmd.exe spawns powershell.exe with an -EncodedCommand parameter containing a Base64-encoded payload to evade endpoint detection.
4. Payload Delivery: The decoded PowerShell script executes Invoke-WebRequest to fetch a second-stage payload, such as script.ps1, and drops it into the user's ApplicationData directory.
5. C2 Communication: A curl.exe process is initiated, making outbound requests to the same C2 infrastructure previously flagged by the firewall (e.g., 144.31.221.82:6060/capcha9856), confirming active C2.
6. Defense Evasion - Cleanup: The attacker performs post-execution cleanup using Remove-Item to delete traces of the downloaded script.ps1 and other artifacts from the user's ApplicationData directory.
7. Impact: Confirmed intrusion with C2 established, enabling data exfiltration, further compromise, or deployment of additional malware.

Impact

The observed KongTuke C2 activity represents a confirmed intrusion that, if unmitigated, allows adversaries to maintain persistent access and control over compromised systems. This type of breach enables capabilities ranging from data exfiltration, lateral movement within the network, to the deployment of additional malicious payloads such as ransomware or infostealers. While specific victim numbers are not provided, this methodology demonstrates how sophisticated adversaries can leverage a combination of living-off-the-land binaries, obfuscation, and targeted C2 to operate undetected, posing a significant risk to organizations across various sectors by bypassing traditional security controls.

Recommendation

• Deploy the provided Sigma rules to your SIEM and tune them for your environment to detect encoded PowerShell, suspicious Invoke-WebRequest activity, and curl.exe C2 connections.
• Enable Sysmon process-creation logging to capture powershell.exe and curl.exe command lines and network_connection events for comprehensive visibility.
• Block the C2 IP address 144.31.221.82 and URL http://144.31.221.82:6060/capcha9856 at your network perimeter firewalls and DNS resolvers.
• Regularly review network connection logs for outbound connections from unexpected processes (e.g., curl.exe) or connections to known malicious autonomous systems (ASNs).