Cyble Research and Intelligence Labs (CRIL) has reported an ongoing cyberattack campaign orchestrated by a persistent threat group known as HeptaX. This campaign exploits various tactics to gain unauthorized Remote Desktop access, posing multiple risks to a wide array of users, particularly within the healthcare sector.
The campaign initiates with the delivery of malicious shortcut files (.lnk) embedded in ZIP archives, likely disseminated through phishing emails. This sophisticated multi-stage attack chain relies heavily on PowerShell and BAT scripts to facilitate the download and execution of further payloads, showcasing the attackers’ preference for script-based techniques that can evade traditional security measures.
Once the malicious LNK file is executed, it triggers a PowerShell command that not only downloads subsequent payloads from a remote server but also creates an administrative user account on the compromised system. This alteration of Remote Desktop settings lowers authentication requirements, making it easier for the threat actors to establish unauthorized remote access.
Additionally, HeptaX utilizes a well-known password recovery tool called ChromePass, which harvests saved passwords from Chromium-based browsers, significantly increasing the potential for broader account compromises. Due to the elusive nature of this group’s tactics, CRIL has opted to track this campaign under the moniker “HeptaX.”
HeptaX Campaign Overview
The HeptaX campaign exemplifies a multi-layered approach to cyber espionage. It begins with a seemingly innocuous ZIP file that contains a malicious LNK file. While the exact source of these ZIP files remains unidentified, it is highly suspected that they are spread through phishing schemes aimed at the healthcare industry.
Upon execution, the LNK file launches a PowerShell command that downloads additional payloads, including more PowerShell scripts and BAT files, from a remote server. The series of scripts work in concert to establish a new user account with administrative privileges, modify Terminal Services (Remote Desktop Protocol) settings, and create a pathway for the attackers to carry out data exfiltration, malware installation, or even system surveillance.
The infection process begins with the execution of the LNK file, leading to the download of a PowerShell script. This script retrieves a unique identifier (UID) for the compromised system, which can be obtained from specific registry paths or generated if none exists.
Following this, the script creates a persistent shortcut in the Windows Startup folder, ensuring that the malware remains active upon system reboot.
Subsequent stages of the attack involve disabling User Account Control (UAC) settings and executing additional malicious scripts. The use of ChromePass to extract saved passwords from web browsers amplifies the risks posed to victims, as sensitive credentials can be easily compromised.
Technical Analysis
The HeptaX campaign is characterized by a reliance on PowerShell and Batch scripts, which facilitate control over compromised systems. The initial PowerShell script constructs a base URL to send information and download other payloads. This approach reflects a trend in cyberespionage operations where attackers favor script-based methods to bypass detection.
The first stage of the attack involves the downloaded PowerShell script collecting system information and adjusting UAC settings. If UAC is found to be disabled or set to a lower security level, the script proceeds to download additional scripts that further compromise the system.
One of the most critical stages occurs when the attackers create a new user account named “BootUEFI” with administrative rights and modify Remote Desktop settings. These adjustments facilitate seamless unauthorized access, allowing attackers to exploit the compromised systems at will.
Step-by-Step Breakdown of the Attack Stages
- Initial Compromise: The attack begins with a phishing email containing a ZIP file. This ZIP file includes a malicious LNK file that initiates the attack upon execution.
- PowerShell Execution: Once the LNK file is executed, it triggers a PowerShell command to download further payloads from a remote server. This script gathers a UID from the compromised system and sets up persistence by creating a new shortcut in the Startup folder.
- UAC Manipulation: The script checks and modifies UAC settings to lower security measures, allowing attackers easier access to the system.
- Batch File Deployment: The script downloads and executes multiple BAT files, which facilitate the creation of the administrative account and adjust Remote Desktop settings for unauthorized access.
- Final Payload Execution: The final stage involves downloading a PowerShell script that performs reconnaissance on the system and gathers sensitive information, including user credentials and network configurations.
Exploitation of Remote Desktop Access
Once the attackers have established a foothold through the creation of the “BootUEFI” account, they can easily take over the compromised Remote Desktop. This access enables them to carry out various malicious activities, including:
- Installing Additional Malware: With unrestricted access, attackers can install further malware to enhance their control over the system.
- Data Exfiltration: Sensitive information can be siphoned off with little resistance, posing a significant threat to data privacy and integrity.
- Monitoring User Activity: Attackers can surveil user actions, gaining insights into organizational processes and potentially sensitive information.
- System Manipulation: They can alter system settings to further entrench their presence or create backdoors for future access.
The deployment of ChromePass within the infrastructure indicates a focused intent on harvesting saved passwords, amplifying the threat level posed to both individuals and organizations.
Conclusion
The HeptaX campaign highlights the rising threat of hackers, particularly in cyber espionage operations that exploit Remote Desktop access through basic scripting languages like PowerShell and BAT scripts, allowing for complex, undetected attacks.
To counter these threats, organizations should implement email filtering to block harmful attachments, educate employees on phishing risks, restrict the execution of scripting languages, establish strict policies for privileged account creation, regularly monitor User Account Control settings, strengthen Remote Desktop security with multi-factor authentication, and employ comprehensive network monitoring to detect unusual activities.
By taking these proactive steps, organizations can significantly enhance their defenses against sophisticated threats like those posed by HeptaX, fostering a more secure digital environment.
