HeptaX

Key takeaways

  • Cyble Research and Intelligence Labs (CRIL) came across an ongoing cyberattack campaign originating from malicious LNK files.
  • The sophisticated multi-stage attack chain relies heavily on PowerShell and BAT scripts to streamline the download and execution of additional payloads, demonstrating the Threat Actor’s (TA) preference for script-based methods to evade detection by traditional security solutions.
  • The attack involves the creation of an administrative account on the victim’s system and altering Remote Desktop settings to lower authentication requirements, simplifying unauthorized RDP access for the attacker.
  • The campaign deploys an additional well-known password recovery tool, ChromePass, which collects saved passwords from Chromium-based browsers, increasing the risk of broader account compromises.
  • Based on its TTPs, we have not been able to attribute this campaign, so for tracking purposes, we are naming it “HeptaX”.

Overview

CRIL has come across a multi-stage cyberattack campaign that begins with a ZIP file containing a malicious shortcut file (.lnk). While the source of this ZIP file remains unknown, it is suspected to be disseminated through phishing emails. Based on the LNK file name, it is suspected that this campaign targets the healthcare industry.

Upon execution, the LNK file triggers a PowerShell command that downloads and executes a series of additional payloads, including PowerShell scripts and BAT files, from a remote server. These scripts work in tandem to create a new user account on the compromised system with administrative privileges and modify Terminal Services (RDP) settings, lowering authentication requirements. This setup enables the TAs to easily establish remote desktop access (RDP) to the victim’s system, facilitating further malicious activities such as data exfiltration, the installation of additional malware, or even system monitoring.

Furthermore, CRIL identified the presence of an unwanted application called “ChromePass” within the threat actors’ network infrastructure. This hacking tool is designed to steal saved passwords from Chromium-based browsers, adding another layer of risk for victims by exposing their credentials. The image below illustrates the infection chain.

Infection Chain, Malware, HeptaX
Figure 1 – Infection chain

Based on the information obtained through pivoting, this group has been operational since 2023 and has executed a range of attacks across different sectors, as reflected in the names of the lure files. While the overall attack flow has remained consistent, it is surprising that they are still active using the same techniques. Several researchers have previously identified this campaign [1],[2],[3],[4],[5], with the majority of findings shared by the Malware Hunter Team.

Campaign analysis

Over the past 12 months, this unidentified group has consistently reemerged with various lure themes while maintaining unchanged attack patterns. Tracked as HeptaX,’ the campaign relies heavily on PowerShell and Batch scripts to gain control over compromised systems. By pivoting the IP address, we uncovered several additional artifacts associated with the same TAs used across different campaigns.

Phishing, Lure document
Figure 2 – Project Description – PoC smart assistant Vhyro Project from jvope signature.pdf (lure doc observed in Oct 2023)

Blockchain, Phishing, Lure document
Figure 3 – Blockchain_Trading_Website_Manager.docx (lure file observed in Sept 2023)

Phishing, Lure
Figure 4 – WebContentWriting_Handout.pdf (lure observed in Oct 2023)

Social Engineering, Phishing
Figure 5 – Resume – professional sax, keys, and guitar player with over 40 years experience working with own bands, accompanied world stars.pdf (lure observed in Nov 2023)

Social Engineering, SOW
Figure 6 – SOW_for_Nevrlate.pdf (lure file Observed in Nov 2023)

One of the notable files from this campaign is:

  • 202409_Resident_Care_Quality_Improvement_Strategies_for_Nursing_Homes_Enhancing_Patient_Satisfaction_and_Health_Outcomes.pdf.lnk

In addition, older campaigns attributed to this threat group over the past year include malicious files with names such as:

  • SOW_for_Nevrlate.pdf
  • WebContentWriting_Handout.pdf
  • Blockchain_Trading_Website_Manager.docx
  • Project Description – PoC smart assistant Vhyro Project from jvope signature.pdf
  • Resume – professional sax, keys and guitar player with over 40 years experience working with own bands, accompanied world stars.pdf
  • dropshipping Elien project prposal-soft online service ventilization from xihu.pdf.lnk

The diversity in file names and themes suggests that this group tailors its campaigns to appeal to a variety of victims, indicating a broad targeting strategy across multiple industries.

Technical Analysis

 Upon execution, the LNK file runs a PowerShell command that downloads and executes subsequent payloads from a remote server. The image below shows a partially de-obfuscated PowerShell command.

PowerShell, COde
Figure 7 – De-Obfuscated PowerShell Code

First stage – bb.ps1

As an initial step, the downloaded PowerShell script constructs a base URL to which it sends information and from which it downloads other stage payloads. The PowerShell script contains multiple functions, the first of which retrieves a unique identifier (UID) for the compromised system. This UID is obtained either from a specific registry path (HKEY_LOCAL_MACHINESOFTWAREWireless) or from a log file (id.log) in the “C:UsersPublicDocuments” directory. If neither exists, a new GUID is generated and saved to a newly created id.log file.

UID Generation
Figure 8 – UID Generation

Next, the PowerShell script creates a shortcut file in the Windows Startup folder for persistence. The contents of the newly generated LNK file match those of the original malicious LNK file. The image below shows the function responsible for creating the new LNK file in the startup folder.

Persistence
Figure 9 – Shortcut Creation for Persistence

Then, the PowerShell script constructs a URL by appending the previously generated UID to the remote server, forming the request hxxp://157.173.104.153/up/get-command.php?uid=<UID>, and uses WebClient to send a request to fetch commands from the server. Upon receiving a successful response, it checks whether the response contains the string “autoreconnect”. If this string is present, the Powershell script runs the code in the current session using `iex`; otherwise, it executes the code as a background task in a separate PowerShell process.

Command-and-control, Commands
Figure 10 – Fetching commands from the command-and-control server

Afterward, the PowerShell script downloads a password-protected lure document from the above-mentioned remote server, saves it in the system’s temporary directory “C:Users<Username>AppDataLocalTemp”, and then launches the document. The image below displays the function code and the open directory containing the lure PDF.

Code, Lure Document
Figure 11 – Code to download and launch lure document

Open Directory, Phishing
Figure 12 – Open directory containing lure PDF

Finally, the PowerShell script retrieves two registry values related to User Account Control (UAC):

  • HKLM:SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemConsentPromptBehaviorAdmin, which controls the consent prompt behavior for administrators.
  • HKLM:SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemEnableLUA, which indicates whether UAC is enabled.

If either of these values is 0, suggesting that UAC is either disabled or configured to a less secure setting, the script proceeds to download and execute another PowerShell script (b.ps1) from the remote server.

Payload, Code
Figure 13 – Code to download next stage payload

Second Stage – b.ps1

The newly downloaded second-stage PowerShell script includes several functions, some mirroring those from the first stage. The primary function of this script is focused on evaluating the system’s User Account Control (UAC) settings, utilizing the same registry checks employed earlier to determine whether UAC is enabled and if the consent prompt for administrators remains active.

If UAC is disabled or the consent prompt behavior is configured to a less secure state, the function sends a message to the remote server indicating that UAC is off by default: (“hxxp://157.173.104[.]153/up/index.php?uid=$uid&msg=UAC off in default!”).

If both settings are enabled, the function enters a loop, repeatedly attempting to disable UAC by setting the “ConsentPromptBehaviorAdmin” value to 0. Once successful, it sends a message to the remote server stating that UAC has been forcefully disabled: (“hxxp://157.173.104[.]153/up/index.php?uid=$uid&msg=UAC force disabled!”). The below image shows the function code responsible for sending a POST request to the remote server, transmitting information about the victim’s User Account Control (UAC) status.

C2, UAC
Figure 14 – Code for sending a POST request to the C&C server with the victim’s UAC status

After a brief 300-millisecond sleep, the PowerShell script calls the schReg() function, which downloads three batch files from the remote server into the system’s temporary directory ($env:TEMP). The files are named “k1.bat,” “scheduler-once.bat,” and “k2.bat.” After downloading, the script runs the “scheduler-once.bat” file using the “Start-Process” cmdlet with elevated privileges. The image below shows the code responsible for downloading and executing the batch files.

Figure 15 – Code to download and run batch file

Third Stage – scheduler-once.bat

The executed batch file copies “k1.bat” and “k2.bat” from the %temp% directory to “C:WindowsSystem32”, renaming them to “sysmon.bat” and “sysmon2.bat”. It then deletes the original “k1.bat” and “k2.bat” files from the temp location. Next, the batch file checks for and removes any scheduled tasks named:

  • Intel(R) Ethernet Connection 1219-LM
  • Intel(R) Ethernet2 Connection 1219-LM

Afterward, it creates a new scheduled task called “Intel(R) Ethernet2 Connection 1219-LM” to run “sysmon2.bat”. Finally, the script “scheduler-once.bat” deletes itself to cover its traces from the system. The image below displays the contents of the batch file “scheduler-once.bat”.

Batch file
Figure 16 – Contents of the scheduler-once.bat file

Fourth Stage – sysmon2.bat

Once the scheduled task is triggered to execute the “sysmon2.bat” file, it first checks for and removes any existing scheduled tasks named:

  • Intel(R) Ethernet Connection 1219-LM2
  • Intel(R) Ethernet2 Connection 1219-LM2

Afterward, it creates a new scheduled task called “Intel(R) Ethernet2 Connection1219-LM2” to run the “sysmon.bat” file located in the “C:WindowsSystem32” folder. Notably, the previous third-stage batch file performs similar checks, but the task names differ slightly. The image below shows the content of the “sysmon2.bat” file.

Sysmon2, analysis
Figure 17 – Contents of the sysmon2 file

Fifth Stage – Sysmon.bat

The sysmon.bat script executes a series of actions:

  • Creates a new user account named “_BootUEFI_”.
  • Sets the password for this newly added account to “123456!!!” and activates it.
  • Adds the “_BootUEFI_” account to the Administrators group, granting it administrative privileges.
  • Adds the “_BootUEFI_” account to the Remote Desktop Users group, allowing it to utilize Remote Desktop.
  • Removes the “_BootUEFI_” account from the Users group, ensuring it retains only administrative and remote desktop privileges.
  • Additionally, the batch file makes several registry modifications to enable Remote Desktop and lower its security features. This includes hiding the “_BootUEFI_” user from the login screen and adjusting Terminal Services (Remote Desktop) settings to facilitate easier remote connections without stringent authentication requirements.
  • The batch file runs a PowerShell command that circumvents execution policy restrictions and adds the System32 directory, which contains the three malicious batch files, to the Windows Defender exclusion list.
  • Finally, it initiates a background PowerShell process that downloads and executes another PowerShell script from the remote server (hxxp://157.173.104[.]153/up/a.ps1).

Batch File, Analysis
Figure 18 – Contents of the sysmon.bat file

Sixth Stage – a.ps1

The newly downloaded PowerShell script “a.ps1” functions similar to the first stage script (bb.ps1). It constructs a URL by appending the previously generated UID to the remote server address, forming a request to “hxxp://157.173.104.153/up/get-command.php?uid=<UID>”.

The script then utilizes a WebClient to send a request and retrieve commands from the server. Upon receiving a response, it checks for the presence of the string “autoreconnect id.” If this string is found, the PowerShell script executes the code in the current session using iex; otherwise, it runs the code as a background task in a separate PowerShell process. Notably, in both stages, we did not receive any specific commands such as “autoreconnect” or “autoreconnect id”. The main difference in this sixth-stage script is that it looks for the string “autoreconnect id” instead of just “autoreconnect”. The below image shows the code for reconnecting to the server.

C2, malware
Figure 19 – Reconnecting to the C&C server

Seventh Stage – Server response PowerShell Script

Upon establishing a connection with the server, a new PowerShell script is executed. This script contains several functions aimed at system reconnaissance, data exfiltration, and interaction with the remote server.

The script collects detailed system information, including:

  • Computer name and username.
  • Retrieves recent files from the directory: C:Users<user profile>AppDataRoamingMicrosoftWindowsRecent.
  • Acquires network configuration details using “ipconfig /all”.
  • List of users on the machine (net user).
  • Obtains current logged-in user details.
  • Identifies local user groups associated with the current user.
  • Retrieves excluded directories in Windows Defender.
  • Lists installed antivirus products.
  • Captures running processes using “tasklist”.
  • Gathers overall system information using “systeminfo”.
  • All this data is saved in a log file located at “C:WindowsTempOneDriveLogOneDrive.log”.

The script then reads the contents of the log file, converts the data into a byte array, and encodes it in Base64 format. This encoded data, along with the unique user ID (uid), is appended to the base URL” hxxp://157.173.104[.]153/up/index.php” and sent via a POST request. After successfully transmitting the data, the log file and its directory are deleted to eliminate any traces of the data collection.

POST, Script
Figure 20 – Script partial content for making a POST request

Taking Remote desktop

With all the collected information, User Account Control (UAC) disabled, and a new user account named “BootUEFI” created with administrative privileges, along with lowered authentication requirements for Terminal Services, the TAs can easily gain access to the compromised remote desktop. This access enables them to perform various actions on the victim’s machine, such as:

  • Installing additional malware
  • Exfiltrating sensitive data
  • Monitoring user activity
  • Modifying system settings
  • Utilizing the machine for malicious activities

Additionally, we observed an unwanted application—a hacking tool named ChromePass—associated with the same network infrastructure at “hxxp://157.173.104[.]153/up/Tool/ChromePass.exe” This tool is designed to steal saved passwords from Chromium-based browsers.

Conclusion

Over the past year, this group has executed multiple attacks utilizing various lures and targeting different victims, all while remaining largely unnoticed. Their reliance on basic scripts has enabled TAs to gain remote access to compromised systems seamlessly, allowing for extensive exploitation without triggering alarms.

Additionally, the deployment of the ChromePass tool further underscores the group’s intent to harvest sensitive information, such as saved passwords from Chromium-based browsers, thereby posing a significant threat to the security of individuals and organizations alike. This combination of tactics highlights the need for enhanced detection and prevention measures to combat these stealthy cyber threats effectively.

Recommendations

  • The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.
  • Exercise caution when handling email attachments or links, particularly those from unknown senders. Verify the sender’s identity, particularly if an email seems suspicious.
  • Consider disabling the execution of shortcut files (.lnk) from email attachments or implementing policies that require explicit user consent before executing such files.
  • Consider disabling or limiting the execution of scripting languages, such as PowerShell and cmd.exe, on user workstations and servers if they are not essential for legitimate purposes.
  • Implement policies that prevent the unauthorized creation of privileged accounts.
  • Regularly track changes to User Account Control (UAC)- related registry keys, such as “EnableLUA” and “ConsentPromptBehaviorAdmin.” Monitoring these keys helps identify potential attempts to bypass UAC, enhancing system protection against unauthorized changes.
  • Strengthen the security of Remote Desktop Protocol (RDP) by enforcing strong authentication mechanisms, such as multi-factor authentication (MFA), and by using network-level authentication (NLA). Limiting RDP access to trusted IP addresses and utilizing VPNs can also help mitigate risks.
  • Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.

MITRE ATT&CK® Techniques

Tactic Technique Procedure
Initial Access (TA0001) Phishing (T1566) The LNK file may be delivered through phishing or spam emails
Execution (TA0002) User Execution:  Malicious Link (T1204.001)    Command and Scripting Interpreter: PowerShell (T1059.001)   Execution begins when a user executes the LNK file     The LNK file executes PowerShell commands
Defense Evasion (TA0005)  Obfuscated Files or  
Information (T1027)   
Scripts include packed or encrypted data.
Persistence (TA0003) Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) Adds LNK file in the startup folder
Privilege  
Escalation 
(TA0004) 
Abuse Elevation Control  Mechanism (T1548)    Account Manipulation (T1098) Bypass User Account Control      Manipulate accounts to maintain and/or elevate access to victim systems.
Discovery (TA0007) System Information Discovery (T1082) Script gathers system information.
Credential Access (TA0006) Credentials from Password Stores: Credentials from Web Browsers (T1555.003 Retrieves credentials from web browsers 
C&C 
(TA0011) 
Ingress Tool Transfer 
(T1105
Downloads files from webservers via  
HTTP 
C&C 
(TA0011) 
Application Layer Protocol 
(T1071
Malware exe communicate to C&C server. 

Indicators Of Compromise

Indicators Indicator Type Description
6605178dbc4d84e789e435915e86a01c5735f34b7d18d626b2d8810456c4bc72 SHA256 Zip File
18e75bababa1176ca1b25f727c0362e4bb31ffc19c17e2cabb6519e6ef9d2fe5 5ff89db10969cba73d1f539b12dad42c60314e580ce43d7b57b46a1f915a6a2b SHA256 Malicious LNK file
1d82927ab19db7e9f418fe6b83cf61187d19830b9a7f58072eedfd9bdf628dab SHA256 bb.ps1
a8d577bf773f753dfb6b95a3ef307f8b4d9ae17bf86b95dcbb6b2fb638a629b9 SHA256 b.ps1
999f521ac605427945035a6d0cd0a0847f4a79413a4a7b738309795fd21d3432 SHA256 K1.bat
4b127e7b83148bfbe56bd83e4b95b2a4fdb69e1c9fa4e0c021a3bfb7b02d8a16 SHA256 GooglePass
hxxp://157.173.104[.]153/up/index.php hxxp://157[.]173.104.153/up/b.ps1 hxxp://157.173.104[.]153/up/bb.ps1 hxxp://157.173.104[.]153/up/scheduler-oncex
hxxp://157.173.104[.]153/up/trigger
hxxp://157.173.104[.]153/up/Tool/ChromePass.exe
hxxp://157.173.104[.]153/up/get-command.php
hxxp://157.173.104[.]153/up/bait/202409_Resident_Care_Quality_Improvement_Strategies_for_Nursing_Homes_Enhancing_Patient_Satisfaction_and_Health_Outcomes.pdf
URL Remote server

References

The post HeptaX: Unauthorized RDP Connections for Cyberespionage Operations appeared first on Cyble.