Unauthorized RDP Connections For Cyberespionage Operations

Oct. 28, 2024, 12:55 p.m.

Description

Cyble Research and Intelligence Labs uncovered an ongoing cyberattack campaign utilizing malicious LNK files to gain unauthorized Remote Desktop access on compromised systems. The sophisticated multi-stage attack chain employs PowerShell and BAT scripts to evade detection, create administrative accounts, and alter Remote Desktop settings. The campaign, named 'HeptaX', has been active since 2023, targeting various sectors with consistent techniques. It involves the deployment of ChromePass, a tool for stealing saved passwords from Chromium-based browsers. The attack begins with a ZIP file containing a malicious shortcut, likely distributed via phishing emails, and progresses through multiple stages of payload downloads and executions, ultimately enabling the threat actors to establish remote access for further malicious activities.

External References

https://cyble.com/blog/heptax-unauthorized-rdp-connections-for-cyberespionage-operations/
https://otx.alienvault.com/pulse/671cfb9cf3a1100415bbc006
Tags
powershell
persistence
credential theft
cyberespionage
rdp
multi-stage attack
uac bypass
2024-10-26
bat scripts
chromepass

Date

  • Created: Oct. 26, 2024, 2:24 p.m.
  • Published: Oct. 26, 2024, 2:24 p.m.
  • Modified: Oct. 28, 2024, 12:55 p.m.

Attack Patterns

  • ChromePass
  • HeptaX
  • T1555.003
  • T1204.001
  • T1059.001
  • T1548
  • T1547.001
  • T1082
  • T1105
  • T1071
  • T1098
  • T1027
  • T1566

Additional Informations

  • Healthcare