A multi-stage cyberattack that begins with malicious LNK (Windows shortcut) files has been identified, targeting the healthcare industry.

Upon execution of the LNK file, a PowerShell command is triggered to fetch and execute various additional payloads from a remote server, including BAT files and PowerShell scripts.

Cyble Research and Intelligence Labs (CRIL) informed Cyber Security News that, “The assault entails establishing an administrative account on the victim’s system and modifying Remote Desktop settings to reduce authentication requirements, facilitating unauthorized RDP access for the intruder.”

Insight Into The Multi-stage Cyberattack Campaign

An unidentified group has resurfaced repeatedly over the past year, using a variety of lure themes while leaving its attack methodology unchanged.

Dubbed HeptaX, the attack primarily leverages PowerShell and Batch scripts to compromise vulnerable servers.

Attack chain

Initially, the downloaded PowerShell script constructs a base URL that is used both to download later-stage payloads and to send data back. Its primary function at this point is to obtain the unique identifier (UID) of the compromised system.

Subsequently, the PowerShell script retrieves a password-protected lure document from the remote server and opens it. The script's main task, however, is to assess the system's User Account Control (UAC) configuration.

It does so through the same registry checks used earlier in the chain, which determine whether UAC is enabled and whether the administrator consent prompt is active.

Once connected to the server, a further PowerShell script is launched. It communicates with the remote server, exfiltrates data, and performs system reconnaissance, collecting:

  • Device name and user ID.
  • Fetching recent files from the directory: C:\Users\<user profile>\AppData\Roaming\Microsoft\Windows\Recent.
  • Obtaining network configuration details through “ipconfig /all”.
  • Listing users on the machine (net user).
  • Finding details of the currently logged-in user.
  • Identifying local user groups associated with the current user.
  • Retrieving excluded directories in Windows Defender.
  • Enumerating installed antivirus software.
  • Capturing running processes using “tasklist”.
  • Gathering comprehensive system information with “systeminfo”.
  • All this data is stored in a log file located at “C:\Windows\Temp\OneDriveLog\OneDrive.log”.
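The reconnaissance steps listed above are individually unremarkable (any administrator runs ipconfig or tasklist), but a scripted chain runs them back to back from a single PowerShell parent. The following PowerShell is an added detection example, not code from the article or from Cyble's research: it applies a sliding time window to process-creation records and flags a host where several different reconnaissance commands appear within a few minutes. The event records are constructed to resemble the fields of Windows Security Event ID 4688 or Sysmon Event ID 1; the command patterns (including whoami for "details of the currently logged-in user"), the five-minute window, and the threshold of three distinct commands are assumptions to tune for your environment.

```powershell
# Added example (not from the article): offline detection of a scripted
# reconnaissance burst. Replace $SampleEvents with Get-WinEvent output
# (Security 4688 or Sysmon 1) mapped to the same four fields.

# Assumed command patterns matching the article's reconnaissance list.
$ReconPatterns = @(
    'ipconfig(\.exe)?\s+/all',   # network configuration
    'net(\.exe)?\s+user\b',      # local user listing
    'net(\.exe)?\s+localgroup',  # local group membership
    'whoami',                    # current user details (assumed tool)
    'tasklist',                  # running processes
    'systeminfo'                 # full system information
)

# Constructed sample records: WS01 shows the burst, WS02 does not.
$SampleEvents = @(
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2024-10-01T09:00:05'; Parent='powershell.exe'; CommandLine='ipconfig /all' },
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2024-10-01T09:00:06'; Parent='powershell.exe'; CommandLine='net user' },
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2024-10-01T09:00:07'; Parent='powershell.exe'; CommandLine='whoami /groups' },
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2024-10-01T09:00:08'; Parent='powershell.exe'; CommandLine='tasklist' },
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2024-10-01T09:00:09'; Parent='powershell.exe'; CommandLine='systeminfo' },
    [pscustomobject]@{ Host='WS02'; Time=[datetime]'2024-10-01T10:15:00'; Parent='cmd.exe';        CommandLine='ipconfig /all' },
    [pscustomobject]@{ Host='WS02'; Time=[datetime]'2024-10-01T11:40:00'; Parent='explorer.exe';   CommandLine='notepad.exe' }
)

function Find-ReconBurst {
    param(
        [object[]]$Events,
        [int]$WindowMinutes = 5,   # assumption: a scripted burst lands within minutes
        [int]$MinDistinct   = 3    # assumption: three distinct recon commands is suspicious
    )
    $hits = @()
    foreach ($group in ($Events | Group-Object Host)) {
        # Keep only events whose command line matches a reconnaissance pattern.
        $recon = $group.Group | Where-Object {
            $cmd = $_.CommandLine
            ($ReconPatterns | Where-Object { $cmd -match $_ }).Count -gt 0
        } | Sort-Object Time

        # Sliding window: from each recon event, count distinct patterns seen
        # within the next $WindowMinutes.
        foreach ($start in $recon) {
            $end = $start.Time.AddMinutes($WindowMinutes)
            $inWindow = $recon | Where-Object { $_.Time -ge $start.Time -and $_.Time -le $end }
            $distinct = ($inWindow | ForEach-Object {
                $c = $_.CommandLine
                $ReconPatterns | Where-Object { $c -match $_ } | Select-Object -First 1
            } | Sort-Object -Unique).Count
            if ($distinct -ge $MinDistinct) {
                $hits += [pscustomobject]@{
                    Host     = $group.Name
                    Start    = $start.Time
                    Commands = ($inWindow.CommandLine -join '; ')
                    Parents  = (($inWindow.Parent | Sort-Object -Unique) -join ',')
                }
                break   # one alert per host is enough
            }
        }
    }
    return $hits
}

Find-ReconBurst -Events $SampleEvents | Format-List
```

On the constructed sample this reports WS01 only, with powershell.exe as the sole parent. The Parents column is worth keeping in a real deployment: a burst whose parent is a script host rather than an interactive console is the stronger signal, and the article's chain is driven entirely from PowerShell.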

“With the harvested information, User Account Control (UAC) disabled, and the creation of a new user account named ‘BootUEFI’ with admin privileges, combined with reduced authentication requirements for Terminal Services, infiltrators can easily access the compromised remote desktop,” according to the researchers.
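The quote above names the three end states an administrator should be able to check for: UAC weakened, Remote Desktop authentication relaxed, and an unexpected local administrator. The following PowerShell is an added audit example written for this page, not code from the article or from Cyble; it reads the standard registry values that govern UAC (EnableLUA, ConsentPromptBehaviorAdmin) and Remote Desktop (fDenyTSConnections, and UserAuthentication for Network Level Authentication), lists the Administrators group, and looks for the log file path the article gives. The account name BootUEFI and the log path come from the article; the allow-list of expected administrators is an assumption you must adapt. Run it in an elevated session; it only reads settings and changes nothing.

```powershell
# Added example (not from the article): read-only host audit for the
# post-exploitation conditions the article associates with HeptaX.

$ExpectedAdmins = @('Administrator', 'Domain Admins')   # assumption: adapt per environment

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value or key absent
}

function Test-UacHardening {
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $findings = @()
    # EnableLUA = 0 turns UAC off entirely.
    if ((Get-RegValue $pol 'EnableLUA') -ne 1) {
        $findings += 'UAC disabled (EnableLUA != 1)'
    }
    # ConsentPromptBehaviorAdmin = 0 elevates administrators with no prompt at all.
    if ((Get-RegValue $pol 'ConsentPromptBehaviorAdmin') -eq 0) {
        $findings += 'Admin consent prompt disabled (ConsentPromptBehaviorAdmin = 0)'
    }
    return $findings
}

function Test-RdpHardening {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $findings = @()
    # fDenyTSConnections = 0 means Remote Desktop connections are accepted.
    if ((Get-RegValue $ts 'fDenyTSConnections') -eq 0) {
        $findings += 'Remote Desktop enabled (fDenyTSConnections = 0)'
    }
    # UserAuthentication = 1 requires Network Level Authentication before a session starts.
    if ((Get-RegValue $tcp 'UserAuthentication') -ne 1) {
        $findings += 'NLA not required (UserAuthentication != 1)'
    }
    return $findings
}

function Test-LocalAdmins {
    $findings = @()
    # Get-LocalGroupMember returns names as MACHINE\User or DOMAIN\Group.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $name = ($m.Name -split '\\')[-1]
        if ($name -eq 'BootUEFI') {
            $findings += "Account named in the HeptaX report present: $($m.Name)"
        } elseif ($ExpectedAdmins -notcontains $name) {
            $findings += "Unexpected Administrators member: $($m.Name)"
        }
    }
    return $findings
}

function Test-ReconLogArtifact {
    $findings = @()
    $log = 'C:\Windows\Temp\OneDriveLog\OneDrive.log'   # path from the article
    if (Test-Path $log) { $findings += "Reconnaissance log present: $log" }
    return $findings
}

# Wrap each result in @() so an empty return still has a .Count of 0.
$report = [ordered]@{
    UAC      = @(Test-UacHardening)
    RDP      = @(Test-RdpHardening)
    Admins   = @(Test-LocalAdmins)
    Artifact = @(Test-ReconLogArtifact)
}
foreach ($k in $report.Keys) {
    if ($report[$k].Count -eq 0) { "[$k] OK" }
    else { $report[$k] | ForEach-Object { "[$k] FINDING: $_" } }
}
```

A clean Windows host prints four OK lines. The Remote Desktop finding is informational on machines where RDP is intentionally enabled; the UAC and NLA findings, and any unexpected administrator, should be investigated. Scheduling the script and diffing its output over time covers the article's suggestion to monitor UAC alterations regularly.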

Over the last year, this threat group has been linked to earlier campaigns whose malicious files carried names such as:

  • SOW_for_Nevrlate.pdf
  • WebContentWriting_Handout.pdf
  • Blockchain_Trading_Website_Manager.docx
  • Project Description – PoC smart assistant Vhyro Project from jvope signature.pdf
  • Resume – professional sax, keys and guitar player with over 40 years experience working with own bands, accompanied world stars.pdf
  • dropshipping Elien project prposal-soft online service ventilization from xihu.pdf.lnk

One of the notable filenames from this operation is:

  • 202409_Resident_Care_Quality_Improvement_Strategies_for_Nursing_Homes_Enhancing_Patient_Satisfaction_and_Health_Outcomes.pdf.lnk

The variety of filenames and themes points to a broad targeting strategy spanning several sectors, suggesting that the group tailors its lures to attract a diverse pool of victims.

Suggestions

  • Utilize robust email filtering tools to detect and prevent the spread of harmful attachments.
  • Exercise caution when interacting with links or attachments in emails.
  • Consider blocking the execution of shortcut (.lnk) files received as email attachments.
  • Regularly monitor User Account Control (UAC) alterations.
  • Enhance Remote Desktop Protocol (RDP) security by employing network-level authentication (NLA) and adopting robust authentication methods like multi-factor authentication (MFA).

The article Hackers Downgrading Remote Desktop Security Setting For Unauthorized Access was first published on Cyber Security News.