2024-10-25 HeptaX - Unauthorized RDP Connections. Malicious LNK. > PowerShell > Bat files Samples
HeptaX: Unauthorized RDP Connections for Cyberespionage Operations
Summary:
- The attack starts with a malicious LNK file delivered within a ZIP file, likely distributed through phishing emails, and seems to target the healthcare industry.
- Upon execution, the LNK file initiates a PowerShell command that downloads multiple scripts and batch files from a remote server to establish persistence and control over the victim’s system.
- The LNK file, once opened, triggers PowerShell commands that download additional payloads from hxxp://157.173.104[.]153.
- These scripts enable the attacker to create a new user account with administrative privileges and alter RDP settings, reducing authentication requirements for easier unauthorized access.
- A persistent shortcut (LNK) file is created in the Windows Startup folder to maintain access.
- The primary PowerShell script communicates with the C2 server, constructing URLs with a unique identifier (UID) for the compromised machine to fetch commands or additional payloads.
- If UAC is detected as weak or disabled, the attack proceeds with further stages that lower the system's security configurations.
- A secondary payload, "ChromePass," is introduced, targeting Chromium-based browsers to harvest stored credentials, escalating the risk of compromised accounts.
- Scripts configure the system to facilitate remote desktop access, enabling actions such as data exfiltration, monitoring, and installation of further malware.
- Subsequent batch files (e.g., k1.bat, scheduler-once.bat) execute commands that hide traces, remove logs, and schedule tasks disguised as system operations to maintain persistence and evade detection.
- The final stages involve the execution of a PowerShell script that performs reconnaissance, collects extensive system data, and sends it encoded to the C2 server.
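The host-side changes in the summary (Startup-folder LNK, new administrator account, altered RDP and UAC settings) are each common on their own, so a detection is more useful when it correlates them per host within a short window. The following is an added example, not code from the original post or the campaign report. The normalized field names (`ts`, `host`, `id`, `target`, `group`, `value`), the 30-minute window and the registry values checked are assumptions, since the page names no registry keys.

```python
from datetime import datetime, timedelta

# Standard Windows values, assumed here; the page names no registry keys.
WEAKENING = {
    "\\terminal server\\fdenytsconnections": "rdp_change",       # 0 = RDP enabled
    "\\winstations\\rdp-tcp\\userauthentication": "rdp_change",  # 0 = NLA off
    "\\policies\\system\\enablelua": "uac_change",               # 0 = UAC off
}

def stage(ev):
    """Map one normalized event to a stage of the described chain, or None."""
    eid, target = ev["id"], ev.get("target", "").lower()
    if eid == 11 and "\\programs\\startup\\" in target and target.endswith(".lnk"):
        return "startup_lnk"                  # Sysmon 11: file created
    if eid == 4720:
        return "new_account"                  # Security 4720: account created
    if eid == 4732 and ev.get("group") == "Administrators":
        return "admin_grant"                  # Security 4732: added to local group
    if eid == 13 and ev.get("value") == 0:    # Sysmon 13: registry value set
        return next((v for k, v in WEAKENING.items() if target.endswith(k)), None)

def correlate(events, window=timedelta(minutes=30), threshold=3):
    """Return {host: stages} for hosts with >= threshold distinct stages in one window."""
    hits, alerts = {}, {}
    for ev in events:
        if (label := stage(ev)):
            hits.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), label))
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            labels = {name for t, name in seen[i:] if t - start <= window}
            if len(labels) >= threshold:
                alerts[host] = sorted(labels)
                break
    return alerts

# Constructed sample events (not from the page): WS01 shows the chain, WS02 is routine.
SAMPLE = [
    {"ts": "2024-10-25T09:00:05", "host": "WS01", "id": 11, "target":
     r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk"},
    {"ts": "2024-10-25T09:02:10", "host": "WS01", "id": 4720},
    {"ts": "2024-10-25T09:02:12", "host": "WS01", "id": 4732, "group": "Administrators"},
    {"ts": "2024-10-25T09:03:40", "host": "WS01", "id": 13, "value": 0, "target":
     r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication"},
    {"ts": "2024-10-25T11:00:00", "host": "WS02", "id": 4720},
]
if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Real Sysmon event 13 records carry the written value as a string in `Details`, so a log pipeline would need to parse it into the integer `value` field this sketch expects.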
File Information
- ├── 18e75bababa1176ca1b25f727c0362e4bb31ffc19c17e2cabb6519e6ef9d2fe5 Google Chrome.lnk
- ├── 1d82927ab19db7e9f418fe6b83cf61187d19830b9a7f58072eedfd9bdf628dab bb.ps1
- ├── 4b127e7b83148bfbe56bd83e4b95b2a4fdb69e1c9fa4e0c021a3bfb7b02d8a16 ChromePass.exe
- ├── 5ff89db10969cba73d1f539b12dad42c60314e580ce43d7b57b46a1f915a6a2b 202409 Resident Care Quality Improvement Strategies for Nursing Homes Enhancing Patient Satisfaction and Health Outcomes.pdf.lnk
- ├── 6605178dbc4d84e789e435915e86a01c5735f34b7d18d626b2d8810456c4bc72.zip
- ├── 999f521ac605427945035a6d0cd0a0847f4a79413a4a7b738309795fd21d3432 k1.bat
- └── a8d577bf773f753dfb6b95a3ef307f8b4d9ae17bf86b95dcbb6b2fb638a629b9 b.ps1