HackTool.Win32.Chisel.C
VHO:HackTool.Win32.Chisel.gen (KASPERSKY)
Windows

 
 Threat Type: Hacking Tool
 
 Destructiveness: No
 
 Encrypted:
 
 In the wild: Yes
OVERVIEW
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Information Theft
This Hacking Tool accepts the following parameters:
- server → runs chisel in server mode
- client → runs chisel in client mode
Other Details
This Hacking Tool does the following:
- It accepts input in the following format:
  - For "server" → chisel server {optional parameters}
  - For "client" → chisel client {optional parameters} {server} {remote addresses}
 
- Accepts the following optional parameters if "server" is the command:
  - --host, Defines the HTTP listening host, i.e. the network interface (defaults to the environment variable HOST and falls back to 0.0.0.0).
  - --port, -p, Defines the HTTP listening port (defaults to the environment variable PORT and falls back to port 8080).
  - --key, An optional string to seed the generation of an ECDSA public and private key pair. All communications will be secured using this key pair. Share the subsequent fingerprint with clients to enable detection of man-in-the-middle attacks (defaults to the CHISEL_KEY environment variable, otherwise a new key is generated each run).
  - --authfile, An optional path to a users.json file. This file should be an object with users defined like: {"<user:pass>": ["<addr-regex>","<addr-regex>"]}. When <user> connects, their <pass> will be verified and then each of the remote addresses will be compared against the list of address regular expressions for a match. Addresses will always come in the form "<remote-host>:<remote-port>" for normal remotes and "R:<local-interface>:<local-port>" for reverse port forwarding remotes. This file will be automatically reloaded on change.
  - --auth, An optional string representing a single user with full access, in the form of <user:pass>. This is equivalent to creating an authfile with {"<user:pass>": [""]}.
  - --proxy, Specifies another HTTP server to proxy requests to when chisel receives a normal HTTP request. Useful for hiding chisel in plain sight.
  - --socks5, Allow clients to access the internal SOCKS5 proxy. See chisel client --help for more information.
  - --reverse, Allow clients to specify reverse port forwarding remotes in addition to normal remotes.
  - --pid, Generate pid file in current working directory
  - -v, Enable verbose logging
  - --help, This help text
 
- Accepts the following optional parameters if "client" is the command:
  - --fingerprint, A *strongly recommended* fingerprint string to perform host-key validation against the server's public key. You may provide just a prefix of the key or the entire string. Fingerprint mismatches will close the connection.
  - --auth, An optional username and password (client authentication) in the form: "<user>:<pass>". These credentials are compared to the credentials inside the server's --authfile. Defaults to the AUTH environment variable.
  - --keepalive, An optional keepalive interval. Since the underlying transport is HTTP, in many instances the connection will traverse proxies, and these proxies often close idle connections. You must specify a time with a unit, for example '30s' or '2m'. Defaults to '0s' (disabled).
  - --max-retry-count, Maximum number of times to retry before exiting. Defaults to unlimited.
  - --max-retry-interval, Maximum wait time before retrying after a disconnection. Defaults to 5 minutes.
  - --proxy, An optional HTTP CONNECT or SOCKS5 proxy which will be used to reach the chisel server. Authentication can be specified inside the URL.
  - --header, Set a custom header in the form "HeaderName: HeaderContent". Can be used multiple times (e.g. --header "Foo: Bar" --header "Hello: World").
  - --hostname, Optionally set the 'Host' header (defaults to the host found in the server URL).
  - --pid, Generate pid file in current working directory
  - -v, Enable verbose logging
  - --help, This help text
 
- It can be used to tunnel traffic through a firewall.
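From the defender's side, as an added example that is not part of this entry: a small Python classifier that checks a process-creation command line against the server/client grammar and flag set listed above and reports the mode, whether reverse port forwarding is in play, and whether the client pinned the server fingerprint. The sample command lines are constructed for illustration.

```python
import shlex
from typing import Optional

# Flags documented for each chisel subcommand; VALUE_FLAGS take an argument.
SERVER_FLAGS = {"--host", "--port", "-p", "--key", "--authfile", "--auth",
                "--proxy", "--socks5", "--reverse", "--pid", "-v", "--help"}
CLIENT_FLAGS = {"--fingerprint", "--auth", "--keepalive", "--max-retry-count",
                "--max-retry-interval", "--proxy", "--header", "--hostname",
                "--pid", "-v", "--help"}
VALUE_FLAGS = {"--host", "--port", "-p", "--key", "--authfile", "--auth",
               "--proxy", "--fingerprint", "--keepalive", "--max-retry-count",
               "--max-retry-interval", "--header", "--hostname"}

# Constructed sample process-creation command lines (not from the original page).
SAMPLE_CMDLINES = [
    'chisel.exe server --port 8000 --reverse --auth user:pass',
    'C:\\ProgramData\\up.exe client --fingerprint AbCdEf= http://203.0.113.5:8000 R:3389:127.0.0.1:3389',
    'svchost.exe -k netsvcs',
    'sqlservr.exe server',
]


def classify_chisel(cmdline: str) -> Optional[dict]:
    """Return a summary dict if the command line fits chisel's grammar, else None."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(toks) < 2 or toks[1] not in ("server", "client"):
        return None
    mode = toks[1]
    known = SERVER_FLAGS if mode == "server" else CLIENT_FLAGS
    flags, positionals, i = {}, [], 2
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-"):
            name, _, inline = tok.partition("=")   # accept --port=8000 as well
            if name not in known:
                return None                        # flag outside chisel's grammar
            if name in VALUE_FLAGS and not inline:
                inline = toks[i + 1] if i + 1 < len(toks) else ""
                i += 1
            flags[name] = inline or True
        else:
            positionals.append(tok)
        i += 1
    if mode == "server" and not flags:
        return None   # a bare "<exe> server" is too generic to alert on
    if mode == "client" and len(positionals) < 2:
        return None   # client syntax requires {server} {remote addresses}
    remotes = positionals[1:] if mode == "client" else []
    return {"mode": mode,
            "server": positionals[0] if mode == "client" else None,
            "remotes": remotes,
            "reverse": "--reverse" in flags or any(r.startswith("R:") for r in remotes),
            "pinned": "--fingerprint" in flags}


def scan(cmdlines):
    """Return [(cmdline, summary)] for every line that matches chisel's grammar."""
    return [(c, classify_chisel(c)) for c in cmdlines if classify_chisel(c)]
```

A client invocation without --fingerprint, or a server started with --reverse or --socks5, is the combination most worth escalating, since it matches the tunnelling use described in this entry.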
SOLUTION
Step 1
Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:
- Troj.Win32.TRX.XXPE50FFF079
Step 2
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 3
Scan your computer with your Trend Micro product to delete files detected as HackTool.Win32.Chisel.C. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
