Today > | 7 High | 24 Medium | 2 Low vulnerabilities   -   You can now download lists of IOCs here!

Unauthorized RDP Connections For Cyberespionage Operations

Oct. 28, 2024, 12:55 p.m.

Description

Cyble Research and Intelligence Labs uncovered an ongoing cyberattack campaign utilizing malicious LNK files to gain unauthorized Remote Desktop access on compromised systems. The sophisticated multi-stage attack chain employs PowerShell and BAT scripts to evade detection, create administrative accounts, and alter Remote Desktop settings. The campaign, named 'HeptaX', has been active since 2023, targeting various sectors with consistent techniques. It involves the deployment of ChromePass, a tool for stealing saved passwords from Chromium-based browsers. The attack begins with a ZIP file containing a malicious shortcut, likely distributed via phishing emails, and progresses through multiple stages of payload downloads and executions, ultimately enabling the threat actors to establish remote access for further malicious activities.

Date

Published: Oct. 26, 2024, 2:24 p.m.

Created: Oct. 26, 2024, 2:24 p.m.

Modified: Oct. 28, 2024, 12:55 p.m.

Attack Patterns

ChromePass

HeptaX

T1555.003

T1204.001

T1059.001

T1548

T1547.001

T1082

T1105

T1071

T1098

T1027

T1566

Additional Informations

Healthcare