A recent cyberattack on a small French automotive business has highlighted the evolving tactics of threat actors in maintaining persistent access to compromised systems. The attacker, identified by the alias “Poisson,” employed a combination of OpenSSH and Tailscale to establish a resilient backdoor, ensuring continued access even after the primary command-and-control (C2) server was taken offline.
The intrusion began with Poisson deploying a keylogger to capture sensitive information, including banking and email credentials. However, the most notable aspect of this attack was the strategic implementation of OpenSSH and Tailscale. By installing these tools on the victim’s machine, Poisson created a direct, encrypted connection to his private network, bypassing traditional C2 channels. This setup allowed him to maintain access without relying on the compromised C2 infrastructure.
Security researchers from Cato Networks meticulously documented the attack, analyzing 339 commands executed over a 33-day period. Their findings revealed that Poisson operated with a level of sophistication that belied his apparent inexperience. Despite utilizing free-tier services such as DuckDNS, Backblaze B2, and a budget-friendly IONOS VPS in Berlin, he managed to compromise four machines. Notably, his operational patterns suggested a schedule aligned with school hours, indicating he might be a junior operator.
The attack chain was complex and multi-layered. It commenced with a VBScript stager designed to evade sandbox detection through delayed execution. This script decrypted a PowerShell loader, which subsequently fetched a .NET loader to execute the Havoc Demon agent entirely in memory, thereby avoiding disk-based detection. For privilege escalation, Poisson employed the Start-Process -Verb RunAs command, which prompts the Windows User Account Control (UAC) for consent. This method required multiple attempts over two days on one victim’s machine, highlighting the challenges faced during the attack.
Persistence mechanisms included creating scheduled tasks that executed at every logon with elevated privileges and injecting shellcode into Explorer.exe. Additionally, Poisson deployed a custom-built version of RustDesk as a backup access channel. The keylogger used was a straightforward 70-line Python script that recorded keystrokes to a local file. Poisson manually retrieved this file and utilized the powercfg command to prevent the machines from entering sleep mode, ensuring continuous data collection.
The pivotal move occurred on April 7, when Poisson dedicated five hours overnight to install OpenSSH Server and Tailscale on the compromised machine. By integrating the victim’s system into his private Tailscale network and configuring key-based SSH access along with a reverse tunnel, he established a robust and covert access point. This setup rendered the traditional C2 infrastructure redundant. Consequently, when the Havoc C2 server went offline the following day, Poisson’s access remained unaffected due to the independent Tailscale connection.
Upon the C2 server’s reactivation on April 26, the agents reconnected automatically, eliminating the need for re-compromise. In the subsequent days, Poisson executed an additional 145 commands, explored smart-card and certificate stores—potentially targeting certificate-based logins—and ran two unidentified executables from a file named Thales.zip for approximately 32 minutes. He concluded his activities by deleting 17 files and ceased operations on May 1.
Interestingly, Poisson’s objectives appeared narrowly focused. There was no evidence of deploying tools like Mimikatz, engaging in lateral movement, deploying ransomware, or exfiltrating documents he accessed, such as tax records or insurance files. His primary interest seemed to be capturing credentials entered by users, including banking logins, email passwords, and access to government portals. For small business owners, such targeted credential theft poses significant financial risks.
This incident underscores the necessity for organizations to adopt comprehensive security measures that extend beyond monitoring C2 communications. The use of legitimate tools like Tailscale and OpenSSH for malicious purposes highlights the importance of vigilant network monitoring and the implementation of robust access controls. Security teams must remain alert to unconventional attack vectors and ensure that their defense strategies are adaptable to the evolving tactics of cyber adversaries.
