In an ongoing cyberattack campaign reported by Cyble Research and Intelligence Labs (CRIL), a persistent threat group known as HeptaX is employing various tactics to gain unauthorized Remote Desktop access. This campaign poses significant risks, especially within the healthcare sector.
The attack campaign begins with the delivery of malicious shortcut files (.lnk) embedded in ZIP archives, likely distributed through phishing emails. The attackers use sophisticated multi-stage techniques that rely heavily on PowerShell and BAT scripts to download and execute further payloads, evading traditional security measures.
Once the malicious LNK file is executed, a PowerShell command is triggered to download subsequent payloads from a remote server and create an administrative user account on the compromised system. This unauthorized access is facilitated by the alteration of Remote Desktop settings, reducing authentication requirements. HeptaX also leverages a password recovery tool called ChromePass to harvest saved passwords from Chromium-based browsers, increasing the risk of broader account compromises.
The HeptaX campaign embodies a multi-layered approach to cyber espionage, with initial compromises starting from innocuous ZIP files containing malicious LNK files. These ZIP files are suspected to be distributed through phishing schemes targeting the healthcare industry. The execution of the LNK file triggers a series of scripts that enable the establishment of a new user account, modification of Terminal Services settings, and the creation of pathways for data exfiltration, malware installation, and system surveillance.
Key stages of the attack involve the collection of system information, adjustment of User Account Control (UAC) settings, deployment of additional malicious scripts, and the execution of reconnaissance activities to gather sensitive information. The attackers create a new user account with administrative privileges named “BootUEFI” to manipulate system settings and exploit compromised Remote Desktop access for malicious activities.
By deploying ChromePass, the attackers focus on harvesting saved passwords, escalating the threat level for individuals and organizations. The use of PowerShell and Batch scripts in the campaign demonstrates an intent to exploit Remote Desktop access through basic scripting languages, enabling complex and covert attacks.
To mitigate such threats, organizations are advised to implement email filtering, educate employees on phishing risks, restrict the execution of scripting languages, enforce strict policies for privileged account creation, monitor UAC settings regularly, enhance Remote Desktop security with multi-factor authentication, and implement comprehensive network monitoring to detect anomalous activities. By taking proactive measures, organizations can bolster their defenses against sophisticated threats like those posed by HeptaX, creating a more secure digital environment.
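As an added example that is not part of the Cyble report or this article, the following read-only PowerShell audit checks a Windows host for the posture changes described above: a report-named or unexpected member of the local Administrators group, Remote Desktop enabled with Network Level Authentication turned off, UAC disabled or set to elevate without prompting, and recent account-creation events. It assumes it runs elevated on the host being checked; the `$ExpectedAdmins` baseline and the 7-day event window are assumptions to adjust per environment, while the account name "BootUEFI" comes from the report.

```powershell
$ErrorActionPreference = 'Stop'
$ExpectedAdmins  = @("$env:COMPUTERNAME\Administrator")  # assumed baseline, adjust per host
$SuspiciousNames = @('BootUEFI')                          # account name from the report

function Get-RegValue([string]$Path, [string]$Name) {
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent means the Windows default applies
}

$findings = @()

# 1. Local Administrators group: report-named or unexpected members
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $leaf = ($_.Name -split '\\')[-1]
    if ($SuspiciousNames -contains $leaf) {
        $findings += "Administrators contains report-named account '$($_.Name)'"
    } elseif ($ExpectedAdmins -notcontains $_.Name) {
        $findings += "Administrators contains unexpected member '$($_.Name)'"
    }
}

# 2. Remote Desktop enabled, and Network Level Authentication switched off?
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"
if ((Get-RegValue $ts 'fDenyTSConnections') -eq 0) {
    $findings += 'Remote Desktop connections enabled (fDenyTSConnections=0)'
}
if ((Get-RegValue $rdp 'UserAuthentication') -eq 0) {
    $findings += 'RDP Network Level Authentication disabled (UserAuthentication=0)'
}

# 3. UAC disabled, or admins elevated without any prompt?
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-RegValue $uac 'EnableLUA') -eq 0) {
    $findings += 'UAC disabled (EnableLUA=0)'
}
if ((Get-RegValue $uac 'ConsentPromptBehaviorAdmin') -eq 0) {
    $findings += 'UAC elevates admins without prompting (ConsentPromptBehaviorAdmin=0)'
}

# 4. Account created (4720) or added to a local group (4732) in the last 7 days (assumed window)
$filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-7) }
foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $first = ($e.Message -split "`r?`n")[0]
    $findings += "Security event $($e.Id) at $($e.TimeCreated): $first"
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output '[ok] none of the posture changes above detected' }
```

Run it from a scheduled task or an endpoint management tool and forward any `[!]` lines to the SIEM; a hit on checks 1 to 3 together is the combination the article describes, not a single benign configuration change.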