Hackers Downgrading Remote Desktop Security Setting For Unauthorized Access

The attackers use a multi-stage attack, starting with a malicious LNK file disguised as a healthcare-related document.

This file, likely sent via phishing emails, triggers PowerShell commands to download and execute additional payloads from a remote server. 

These payloads allow remote access to the system by modifying RDP settings and generating a new administrative account. 

They also employed “ChromePass” to steal browser passwords. This group has been active since 2023, targeting various sectors with consistent attack techniques despite being publicly documented.

Infection chain

HeptaX has consistently launched targeted phishing campaigns over the past year by employing diverse lure techniques, including blockchain-related documents, job applications, and industry-specific reports, to trick victims into downloading malicious payloads. 

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

After they have been executed, these payloads use PowerShell and Batch scripts to gain unauthorized access to compromised systems.

SOW_for_Nevrlate.pdf

The LNK file initiates a PowerShell script that fetches a unique identifier (UID) and establishes a connection to a remote command-and-control (C&C) server. 

It creates a persistent shortcut in the Startup folder, downloads a lure document to distract the user and then assesses the system’s User Account Control (UAC) settings. 

If UAC is disabled or configured insecurely, it downloads and executes a second-stage PowerShell script, which attempts to disable UAC if necessary forcefully and downloads additional batch files for further malicious activity.

Code to download and run batch file

Initially, a batch script is executed, which copies and renames malicious scripts to system directories, removes existing scheduled tasks, and creates new ones to trigger the next stage. 

Subsequently, it involves creating a new administrative user account with weak credentials, granting it extensive privileges, modifying system settings to facilitate remote access, and downloading and executing additional malicious scripts from a remote server. 

The attacker intends to achieve their goal by establishing persistent backdoor access to the compromised system.

Contents of the sysmon2 file

The attack progresses through multiple stages, beginning with the initial infection and culminating in remote desktop access.

The malware establishes persistent communication with a C2 server, receives commands, and executes them on the compromised system. 

It collects sensitive system information, including user credentials, network configurations, and installed software.

The attackers then disable UAC, create a new administrative user account, and lower the authentication requirements for remote desktop access.

Script partial content for making a POST request

By exploiting these vulnerabilities, the attackers gain unauthorized access to the victim’s system, enabling them to perform malicious activities, such as data theft, lateral movement, and further compromise.

According to CRIL, the threat group has executed multiple stealthy attacks using basic scripts to gain remote access and deploy tools like ChromePass for data theft by often leveraging spam emails as initial attack vectors. 

To mitigate these threats, organizations should strengthen email security, implement strict access controls, monitor system changes, enhance RDP security, and deploy network-level monitoring to detect and prevent malicious activities.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

14 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

19 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

19 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

22 hours ago