
Unauthorized RDP Connections For Cyberespionage Operations

Oct. 28, 2024, 12:55 p.m.

Description

Cyble Research and Intelligence Labs uncovered an ongoing campaign that uses malicious LNK files to gain unauthorized Remote Desktop (RDP) access to compromised systems. The multi-stage attack chain relies on PowerShell and BAT scripts to evade detection, create administrative accounts, and alter Remote Desktop settings. The campaign, named 'HeptaX', has been active since 2023 and targets various sectors with consistent techniques. It also deploys ChromePass, a tool that recovers saved passwords from Chromium-based browsers. The attack begins with a ZIP file containing a malicious shortcut, likely distributed via phishing email, and progresses through multiple stages of payload download and execution, ultimately giving the threat actors remote access for further malicious activity.
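The chain summarized above leaves a recognizable sequence on the host: a new local account, that account added to Administrators, and the Remote Desktop deny flag flipped to allow connections, usually within minutes of a PowerShell launch with the execution policy bypassed. The following detection logic is an added example, not Cyble's code or a published HeptaX rule. It correlates those stages per host over a constructed SIEM-style export of Windows Security (4720, 4732) and Sysmon (1, 13) events; the host names, user names, file paths and JSON field names are assumptions, and the Run-key and PowerShell stages are reported as supporting evidence rather than required.

```python
"""Correlation check for the account-creation plus RDP-enablement chain.

Added example (not Cyble's code). The JSON event lines below are constructed
to resemble a SIEM export of Windows Security (4720, 4732) and Sysmon
(1, 13) events; hosts, users, paths and field names are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Registry value that gates inbound Remote Desktop: 0 allows connections.
RDP_DENY_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
ADMIN_GROUP = "Administrators"
# Stages that must all occur on one host, within WINDOW, to raise a finding.
REQUIRED = {"account_created", "admin_added", "rdp_enabled"}
WINDOW = timedelta(minutes=30)

# Constructed sample export: WS01 is routine helpdesk work, WS03 has the same
# stages hours apart, WS07 shows the chain described in the advisory.
SAMPLE_EVENTS = [
    r'{"ts":"2024-10-21T09:00:00","host":"WS01","source":"Security","id":4720,"target_user":"contractor1"}',
    r'{"ts":"2024-10-21T09:00:30","host":"WS01","source":"Security","id":4732,"member":"contractor1","group":"Administrators"}',
    r'{"ts":"2024-10-21T08:00:00","host":"WS03","source":"Sysmon","id":13,"target_object":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","details":"DWORD (0x00000000)"}',
    r'{"ts":"2024-10-21T15:00:00","host":"WS03","source":"Security","id":4720,"target_user":"tempadmin"}',
    r'{"ts":"2024-10-21T15:00:10","host":"WS03","source":"Security","id":4732,"member":"tempadmin","group":"Administrators"}',
    r'{"ts":"2024-10-21T10:14:00","host":"WS07","source":"Sysmon","id":1,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -ExecutionPolicy Bypass -w hidden -File C:\\Users\\Public\\stage2.ps1","parent":"C:\\Windows\\System32\\cmd.exe"}',
    r'{"ts":"2024-10-21T10:15:00","host":"WS07","source":"Security","id":4720,"target_user":"svc_rdp"}',
    r'{"ts":"2024-10-21T10:15:05","host":"WS07","source":"Security","id":4732,"member":"svc_rdp","group":"Administrators"}',
    r'{"ts":"2024-10-21T10:16:00","host":"WS07","source":"Sysmon","id":13,"target_object":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","details":"DWORD (0x00000000)"}',
    r'{"ts":"2024-10-21T10:16:30","host":"WS07","source":"Sysmon","id":13,"target_object":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","details":"C:\\Users\\Public\\stage2.bat"}',
]


def parse_events(lines):
    """Decode JSON lines and convert timestamps to datetime objects."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def classify(ev):
    """Map one event to the chain stage it evidences, or None if unrelated."""
    src, eid = ev["source"], ev["id"]
    if src == "Sysmon" and eid == 1:
        # T1059.001: PowerShell launched with the execution policy bypassed.
        if ev["image"].lower().endswith("powershell.exe") and "bypass" in ev["cmdline"].lower():
            return "powershell_bypass"
    elif src == "Security" and eid == 4720:
        return "account_created"          # T1098: new local account
    elif src == "Security" and eid == 4732 and ev.get("group") == ADMIN_GROUP:
        return "admin_added"              # T1098: added to Administrators
    elif src == "Sysmon" and eid == 13:
        target = ev["target_object"].lower()
        if target == RDP_DENY_VALUE.lower() and ev["details"].endswith("(0x00000000)"):
            return "rdp_enabled"          # fDenyTSConnections set to 0
        if "\\currentversion\\run\\" in target:
            return "run_key_set"          # T1547.001: Run key persistence
    return None


def correlate(events, window=WINDOW):
    """Return {host: finding} for hosts where every REQUIRED stage appears
    within `window` of each other. Optional stages are reported if present."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage, ev))

    findings = {}
    for host, hits in by_host.items():
        first = {}
        for ts, stage, _ in sorted(hits, key=lambda h: h[0]):
            first.setdefault(stage, ts)          # earliest time per stage
        if not REQUIRED.issubset(first):
            continue
        required_times = [first[s] for s in REQUIRED]
        span = max(required_times) - min(required_times)
        if span > window:
            continue
        findings[host] = {
            "first_seen": min(required_times).isoformat(),
            "span_minutes": span.total_seconds() / 60,
            "stages": sorted(first),
            "new_admins": sorted({e["member"] for _, s, e in hits if s == "admin_added"}),
        }
    return findings


if __name__ == "__main__":
    for host, finding in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(host, json.dumps(finding))
```

Only WS07 is reported: WS01 never enables RDP, and on WS03 the RDP change and the account creation are seven hours apart, which falls outside the 30-minute window. The window and the required-stage set are the tuning knobs; environments where helpdesk staff legitimately enable RDP after creating local admins should tighten the window or add the PowerShell stage to REQUIRED.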

Date

Published: Oct. 26, 2024, 2:24 p.m.

Created: Oct. 26, 2024, 2:24 p.m.

Modified: Oct. 28, 2024, 12:55 p.m.

Attack Patterns

ChromePass

HeptaX

T1555.003 (Credentials from Password Stores: Credentials from Web Browsers)

T1204.001 (User Execution: Malicious Link)

T1059.001 (Command and Scripting Interpreter: PowerShell)

T1548 (Abuse Elevation Control Mechanism)

T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)

T1082 (System Information Discovery)

T1105 (Ingress Tool Transfer)

T1071 (Application Layer Protocol)

T1098 (Account Manipulation)

T1027 (Obfuscated Files or Information)

T1566 (Phishing)

Additional Information

Healthcare