The attackers use a multi-stage attack, starting with a malicious LNK file disguised as a healthcare-related document.
This file, likely sent via phishing emails, triggers PowerShell commands to download and execute additional payloads from a remote server.
These payloads allow remote access to the system by modifying RDP settings and generating a new administrative account.
They also employed “ChromePass” to steal browser passwords. This group has been active since 2023, targeting various sectors with consistent attack techniques despite being publicly documented.
HeptaX has consistently launched targeted phishing campaigns over the past year by employing diverse lure techniques, including blockchain-related documents, job applications, and industry-specific reports, to trick victims into downloading malicious payloads.
Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo
After they have been executed, these payloads use PowerShell and Batch scripts to gain unauthorized access to compromised systems.
The LNK file initiates a PowerShell script that fetches a unique identifier (UID) and establishes a connection to a remote command-and-control (C&C) server.
It creates a persistent shortcut in the Startup folder, downloads a lure document to distract the user and then assesses the system’s User Account Control (UAC) settings.
If UAC is disabled or configured insecurely, it downloads and executes a second-stage PowerShell script, which attempts to disable UAC if necessary forcefully and downloads additional batch files for further malicious activity.
Initially, a batch script is executed, which copies and renames malicious scripts to system directories, removes existing scheduled tasks, and creates new ones to trigger the next stage.
Subsequently, it involves creating a new administrative user account with weak credentials, granting it extensive privileges, modifying system settings to facilitate remote access, and downloading and executing additional malicious scripts from a remote server.
The attacker intends to achieve their goal by establishing persistent backdoor access to the compromised system.
The attack progresses through multiple stages, beginning with the initial infection and culminating in remote desktop access.
The malware establishes persistent communication with a C2 server, receives commands, and executes them on the compromised system.
It collects sensitive system information, including user credentials, network configurations, and installed software.
The attackers then disable UAC, create a new administrative user account, and lower the authentication requirements for remote desktop access.
By exploiting these vulnerabilities, the attackers gain unauthorized access to the victim’s system, enabling them to perform malicious activities, such as data theft, lateral movement, and further compromise.
According to CRIL, the threat group has executed multiple stealthy attacks using basic scripts to gain remote access and deploy tools like ChromePass for data theft by often leveraging spam emails as initial attack vectors.
To mitigate these threats, organizations should strengthen email security, implement strict access controls, monitor system changes, enhance RDP security, and deploy network-level monitoring to detect and prevent malicious activities.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!
