HeptaX: Unauthorized RDP Connections for Cyber Espionage

Cyble’s CRIL identifies HeptaX, a multi-stage campaign that uses phishing-delivered LNK files, PowerShell and BAT scripts, and RDP manipulation to gain and maintain access while harvesting credentials with ChromePass. The operation, active since 2023 and targeting healthcare among other sectors, underscores the need for stronger email defenses, monitoring of UAC-related registry keys, and hardened RDP controls.

Key points

  • The HeptaX campaign is delivered via malicious LNK files distributed through phishing emails.
  • PowerShell and BAT scripts are used to download and execute additional payloads.
  • The attackers create an administrative account and modify Remote Desktop settings to ease unauthorized access.
  • ChromePass is deployed to harvest saved passwords from Chromium-based browsers.
  • The group has been active since 2023, targeting multiple sectors with a notable healthcare focus.
  • Recommendations include stronger email filtering, monitoring UAC-related registry keys, and hardening RDP security.
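The following host audit is an added example, not code from Cyble’s report, and only checks for the kinds of changes the summary describes: weakened UAC, RDP enabled, recently created or privileged local accounts, and LNK persistence in the Startup folder. Registry paths, value names and event IDs are standard Windows locations; the function name and the 7-day lookback window are assumptions. It reads only, requires an elevated session for the Security log, and emits one finding per line.

```powershell
# Added example (not the report's code): read-only audit for HeptaX-style host changes.
function Get-HeptaXStyleFindings {
    param([int]$LookbackDays = 7)   # assumed window; tune to your retention
    $findings = [System.Collections.Generic.List[string]]::new()

    # UAC: EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates without prompting.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    if ($uac.EnableLUA -eq 0) { $findings.Add("UAC disabled: $uacKey\EnableLUA = 0") }
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) { $findings.Add("Silent admin elevation: $uacKey\ConsentPromptBehaviorAdmin = 0") }

    # RDP: fDenyTSConnections=0 allows inbound RDP; UserAuthentication=0 disables Network Level Authentication.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
    if ($ts.fDenyTSConnections -eq 0) { $findings.Add("RDP enabled: $tsKey\fDenyTSConnections = 0") }
    $rdpTcp = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
    if ($rdpTcp.UserAuthentication -eq 0) { $findings.Add("RDP NLA disabled: $tsKey\WinStations\RDP-Tcp\UserAuthentication = 0") }

    # Account manipulation: 4720 = user account created, 4732 = member added to a local security group.
    $since = (Get-Date).AddDays(-$LookbackDays)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $first = ($e.Message -split '\r?\n')[0]
        $findings.Add("Security event $($e.Id) at $($e.TimeCreated): $first")
    }

    # Startup-folder LNK persistence (T1547.001): resolve each shortcut's target for triage.
    $startupDirs = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            $findings.Add("Startup LNK: $($_.FullName) -> $target")
        }
    }
    return $findings
}

Get-HeptaXStyleFindings | ForEach-Object { Write-Output $_ }
```

An empty result means none of these specific conditions were observed, not that the host is clean; feed the findings into your SIEM alongside the email and C2 indicators below.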

MITRE Techniques

  • [T1566] Phishing – The LNK file may be delivered through phishing or spam emails.
  • [T1204.001] User Execution: Malicious Link – Execution begins when a user opens the LNK file.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The LNK file executes PowerShell commands.
  • [T1027] Obfuscated Files or Information – Scripts include packed or encrypted data.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Adds an LNK file to the Startup folder.
  • [T1548] Abuse Elevation Control Mechanism – Bypasses User Account Control.
  • [T1098] Account Manipulation – Manipulates accounts to maintain and/or elevate access to victim systems.
  • [T1082] System Information Discovery – The script gathers system information.
  • [T1555.003] Credentials from Web Browsers – Retrieves credentials from web browsers.
  • [T1105] Ingress Tool Transfer – Downloads files from web servers via HTTP.
  • [T1071] Application Layer Protocol – The malware executable communicates with the C&C server.

Indicators of Compromise

  • [SHA256] 6605178dbc4d84e789e435915e86a01c5735f34b7d18d626b2d8810456c4bc72 – Context: Zip file delivering the initial payload.
  • [SHA256] 18e75bababa1176ca1b25f727c0362e4bb31ffc19c17e2cabb6519e6ef9d2fe5 – Context: Malicious LNK file.
  • [SHA256] 1d82927ab19db7e9f418fe6b83cf61187d19830b9a7f58072eedfd9bdf628dab – Context: bb.ps1 (first-stage script).
  • [SHA256] a8d577bf773f753dfb6b95a3ef307f8b4d9ae17bf86b95dcbb6b2fb638a629b9 – Context: b.ps1 (second-stage script).
  • [SHA256] 999f521ac605427945035a6d0cd0a0847f4a79413a4a7b738309795fd21d3432 – Context: K1.bat (batch payload).
  • [SHA256] 4b127e7b83148bfbe56bd83e4b95b2a4fdb69e1c9fa4e0c021a3bfb7b02d8a16 – Context: GooglePass (ChromePass-related tool).
  • [URL] hxxp://157.173.104[.]153/up/index.php – Context: Remote C2 server used for the initial command fetch.
  • [URL] hxxp://157.173.104[.]153/up/bb.ps1 – Context: Stage payload retrieval.
  • [URL] hxxp://157.173.104[.]153/up/get-command.php – Context: Command fetch from the C2 server.
  • [URL] hxxp://157.173.104[.]153/up/Tool/ChromePass.exe – Context: ChromePass credential-stealer download.
  • [URL] hxxp://157.173.104[.]153/up/bait/202409_Resident_Care_Quality_Improvement_Strategies_for_Nursing_Homes_Enhancing_Patient_Satisfaction_and_Health_Outcomes.pdf – Context: Lure document.

Read more: https://cyble.com/blog/heptax-unauthorized-rdp-connections-for-cyberespionage-operations/