A phishing campaign aimed at the healthcare industry delivers a malicious LNK file. When the victim opens it, the LNK launches a chain of PowerShell commands that download and execute further payloads; the end result is a new administrator account and a weakened RDP configuration that gives the attackers remote access.
The HeptaX group has, since 2023, used the ChromePass password-recovery tool to extract the credentials that victims have saved in Chromium-based browsers. ChromePass reads the browser's local credential store as the logged-on user rather than exploiting a browser vulnerability, so a fully patched browser offers no protection once the attacker is running code on the host; the stolen credentials then enable follow-on attacks across various sectors.
The group repeatedly runs phishing campaigns with varied lure themes (blockchain, healthcare, creative arts) and relies on PowerShell and Batch scripts for post-exploitation, indicating a broad targeting scope across multiple industries.
The malicious LNK file executes a PowerShell script that fetches a unique system identifier, creates a persistent shortcut in the Startup folder, and establishes communication with a remote server to download and execute further malicious payloads.
The first-stage PowerShell script fetches commands from the C2 server, downloads and opens a lure document so the victim sees something plausible, and then checks whether the host's UAC configuration can be abused, downloading and executing an additional script to do so.
That second-stage PowerShell script assesses the UAC settings, reports the result to the C2 server, forcibly disables UAC where it can, and then downloads and executes a batch file that sets up a scheduled task for persistence.
The batch file copies the malicious files into the System32 directory, deletes the originals and any existing scheduled tasks, creates a new malicious scheduled task, and then deletes itself to conceal its presence.
Specifically, “sysmon2.bat” deletes existing scheduled tasks related to Intel Ethernet connections, then creates a new task named “Intel(R) Ethernet2 Connection1219-LM2” that runs “sysmon.bat” from C:\Windows\System32, a name chosen to blend in with legitimate Intel driver tasks.
That “sysmon.bat” creates a privileged user account, grants it administrative and Remote Desktop access, modifies system settings to enable remote access, bypasses security controls, and downloads and executes a malicious PowerShell script from a remote server.
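The persistence and privilege steps above (the Intel-themed scheduled task, the new administrator account, the UAC and RDP changes) leave distinctive process-creation command lines. The following is an added detection example, not code from Cyble's report or from the HeptaX tooling: a handful of regex rules run over constructed command lines of the kind Sysmon Event ID 1 or Security event 4688 record, followed by a correlation step that only escalates when a new account is made privileged while remote-access hardening is rolled back in the same window. The account name, password, task action path and rule names are assumptions; EnableLUA and fDenyTSConnections are the standard Windows registry values for UAC and RDP, not values quoted by the page.

```python
"""Added detection example: regex rules over constructed process-creation
command lines (Sysmon Event ID 1 / Security 4688 style) for the persistence
and privilege steps in the HeptaX chain. Not code from the report."""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry modelled on the chain described above. The
# account name, password, task names and paths are assumptions, not values
# taken from the report.
SAMPLE_COMMAND_LINES = [
    r'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\victim\AppData\Local\Temp\a.ps1',
    r'schtasks /delete /tn "Intel(R) Ethernet Connection" /f',
    r'schtasks /create /tn "Intel(R) Ethernet2 Connection1219-LM2" /tr "C:\Windows\System32\sysmon.bat" /sc onlogon /ru SYSTEM /f',
    r'net user support_admin P@ssw0rd! /add',
    r'net localgroup administrators support_admin /add',
    r'net localgroup "Remote Desktop Users" support_admin /add',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    # Benign look-alikes that must not fire: a real driver task runs an .exe,
    # and a service host has nothing to do with the chain.
    r'schtasks /create /tn "Intel(R) Ethernet Connection Update" /tr "C:\Program Files\Intel\Drivers\Update.exe" /sc daily',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
]

# Each rule is (name, compiled regex). Case-insensitive because attackers vary
# case freely in cmd.exe; "net1" is included because it is net.exe's helper.
RULES: List[Tuple[str, re.Pattern]] = [
    # Scheduled task with an Intel/Ethernet theme whose action is a script.
    ("task_masquerading_intel_script", re.compile(
        r'schtasks(?:\.exe)?\s+/create\b.*/tn\s+"?[^"]*Intel[^"]*Ethernet[^"]*"?.*'
        r'/tr\s+"?[^"]*\.(?:bat|cmd|ps1|vbs|js)\b', re.I)),
    ("local_account_created", re.compile(
        r'\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b', re.I)),
    ("added_to_administrators", re.compile(
        r'\bnet1?(?:\.exe)?\s+localgroup\s+"?administrators"?\s+\S+\s+/add\b', re.I)),
    ("added_to_remote_desktop_users", re.compile(
        r'\bnet1?(?:\.exe)?\s+localgroup\s+"remote desktop users"\s+\S+\s+/add\b', re.I)),
    # UAC off: EnableLUA set to 0 under the Policies\System key.
    ("uac_disabled_enablelua", re.compile(
        r'\breg(?:\.exe)?\s+add\b.*Policies\\System.*\bEnableLUA\b.*\s/d\s+0\b', re.I)),
    # RDP on: fDenyTSConnections set to 0 under Terminal Server.
    ("rdp_enabled_fdenytsconnections", re.compile(
        r'\breg(?:\.exe)?\s+add\b.*Terminal Server.*\bfDenyTSConnections\b.*\s/d\s+0\b', re.I)),
    # PowerShell launched with policy bypass and a hidden window, in any order.
    ("powershell_bypass_hidden", re.compile(
        r'\bpowershell(?:\.exe)?\b(?=.*-e(?:xecutionpolicy|p)\s+bypass\b)'
        r'(?=.*-w(?:indowstyle)?\s+hidden\b)', re.I)),
]


def match_rules(command_line: str) -> List[str]:
    """Return the names of every rule that fires on one command line."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def scan(command_lines: List[str]) -> Dict[str, List[str]]:
    """Map each rule name to the command lines that triggered it."""
    hits: Dict[str, List[str]] = {}
    for line in command_lines:
        for name in match_rules(line):
            hits.setdefault(name, []).append(line)
    return hits


# Correlation: one new local account is routine on many hosts; a new account
# that is also made privileged while remote-access hardening is rolled back is
# the pattern the report describes.
CHAIN_CORE = {"local_account_created", "added_to_administrators"}
CHAIN_WEAKENING = {"added_to_remote_desktop_users", "uac_disabled_enablelua",
                   "rdp_enabled_fdenytsconnections", "task_masquerading_intel_script"}


def verdict(hits: Dict[str, List[str]]) -> str:
    """'high' when the account chain and two weakening steps co-occur,
    'medium' for any single indicator, 'none' otherwise."""
    fired = set(hits)
    if CHAIN_CORE <= fired and len(CHAIN_WEAKENING & fired) >= 2:
        return "high"
    if fired & (CHAIN_CORE | CHAIN_WEAKENING):
        return "medium"
    return "none"


if __name__ == "__main__":
    found = scan(SAMPLE_COMMAND_LINES)
    for name, lines in found.items():
        print(f"[{name}]")
        for line in lines:
            print("   ", line)
    print("verdict:", verdict(found))
```

In production the same rules would be applied per host within a short time window rather than over a flat list, and the benign-driver case shows why the task rule keys on the action being a script rather than on the Intel name alone.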
The PowerShell script “a.ps1” requests commands from the remote server using the generated UID and executes them either in the current session or as a background task, depending on whether the server's response contains the string “autoreconnect id”.
The script also gathers system information (recent files, network details, user accounts, security settings, running processes), writes it to a log file, Base64-encodes the log, sends it to the remote server via HTTP POST, and then deletes the local copy.
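The exfiltration step above has a recognisable shape on the wire: an HTTP POST whose entire body is one long Base64 token that decodes to the output of ordinary Windows inventory commands. The following is an added example, not code from Cyble's report: it decodes candidate POST bodies from a constructed proxy log and flags those containing the header strings that ipconfig, net user, tasklist, systeminfo and netstat print. The host names, the destination address (a documentation IP) and the sample log contents are constructed; the marker strings are the genuine headers those commands emit.

```python
"""Added detection example for the Base64 HTTP POST exfiltration described
above: decode suspicious POST bodies and look for output headers of the Windows
inventory commands a collection script would run. Not code from the report."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Header strings printed by the usual host-recon commands. Their presence in a
# decoded body is the signal; none of them should appear in normal web traffic.
RECON_MARKERS = [
    "Windows IP Configuration",   # ipconfig
    "User accounts for",          # net user
    "Image Name",                 # tasklist
    "Host Name:",                 # systeminfo
    "Active Connections",         # netstat -an
]

# A body that is one unbroken Base64 token of non-trivial length.
_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def b64_body(text: str) -> str:
    """Encode text the way the collection script is described as doing."""
    return base64.b64encode(text.encode()).decode()


def decode_if_base64(body: str) -> Optional[bytes]:
    """Return the decoded bytes if the body is a single Base64 token, else None."""
    body = body.strip()
    if not _B64_TOKEN.match(body):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def recon_markers_in(blob: bytes) -> List[str]:
    """List the recon markers found in a decoded body, in RECON_MARKERS order."""
    text = blob.decode("utf-8", errors="replace")
    return [marker for marker in RECON_MARKERS if marker in text]


def inspect_post(body: str, min_markers: int = 2) -> Tuple[bool, List[str]]:
    """Flag a POST body when it is Base64 and decodes to >= min_markers markers.
    Two markers are required so one innocuous phrase does not raise an alert."""
    decoded = decode_if_base64(body)
    if decoded is None:
        return False, []
    found = recon_markers_in(decoded)
    return len(found) >= min_markers, found


def scan_proxy_log(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, List[str]]]:
    """entries are (method, destination host, body); return flagged (host, markers)."""
    flagged = []
    for method, host, body in entries:
        if method.upper() != "POST":
            continue
        hit, markers = inspect_post(body)
        if hit:
            flagged.append((host, markers))
    return flagged


# Constructed sample: what a collection log of the kind described above might
# look like, encoded the way the report says it is sent. Host names and the
# destination IP (a documentation address) are assumptions.
_RECON_LOG = (
    "Windows IP Configuration\r\n   IPv4 Address. . . . : 10.0.0.15\r\n\r\n"
    "User accounts for \\\\DESKTOP-01\r\nAdministrator  support_admin  victim\r\n\r\n"
    "Image Name                     PID\r\nsvchost.exe                    812\r\n\r\n"
    "Host Name:                 DESKTOP-01\r\nOS Name:                   Microsoft Windows 10 Pro\r\n"
)
SAMPLE_PROXY_LOG = [
    ("GET", "update.example.net", ""),
    ("POST", "intranet.example.net", "user=victim&action=save"),              # ordinary form post
    ("POST", "cdn.example.net", base64.b64encode(bytes(range(256))).decode()),  # Base64, but binary
    ("POST", "203.0.113.10", b64_body(_RECON_LOG)),                            # the exfil
]

if __name__ == "__main__":
    for host, markers in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"possible host-inventory exfil to {host}: {markers}")
```

The Base64 check alone would drown an analyst in image uploads and API tokens; decoding and matching on command-output headers is what makes the rule specific to this kind of collection log, and the marker list can be extended with the headers of whatever other commands the collection script is seen to run.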
Having bypassed the host's security controls, the attackers gain remote access to the victim's machine, install malware, steal sensitive data, monitor activity, modify settings, and use the system for further malicious activity.
According to Cyble, the threat group has been quietly executing multiple attacks, employing basic scripts to gain remote access and the ChromePass tool to steal sensitive credentials. Their ability to remain undetected poses a significant security risk.
To enhance security, implement robust email filtering, cautiously handle email attachments, restrict script execution, control privileged account creation, monitor UAC registry changes, strengthen RDP security, and employ network-level monitoring to thwart potential attacks.