Saturday, December 7, 2024
HomeCyber Security NewsHackers Downgrading Remote Desktop Security Setting For Unauthorized Access

Hackers Downgrading Remote Desktop Security Setting For Unauthorized Access

Published on

SIEM as a Service

The attackers use a multi-stage attack, starting with a malicious LNK file disguised as a healthcare-related document.

This file, likely sent via phishing emails, triggers PowerShell commands to download and execute additional payloads from a remote server. 

These payloads allow remote access to the system by modifying RDP settings and generating a new administrative account. 

- Advertisement - SIEM as a Service

They also employed “ChromePass” to steal browser passwords. This group has been active since 2023, targeting various sectors with consistent attack techniques despite being publicly documented.

Infection chain
Infection chain

HeptaX has consistently launched targeted phishing campaigns over the past year by employing diverse lure techniques, including blockchain-related documents, job applications, and industry-specific reports, to trick victims into downloading malicious payloads. 

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

After they have been executed, these payloads use PowerShell and Batch scripts to gain unauthorized access to compromised systems.

 SOW_for_Nevrlate.pdf
 SOW_for_Nevrlate.pdf

The LNK file initiates a PowerShell script that fetches a unique identifier (UID) and establishes a connection to a remote command-and-control (C&C) server. 

It creates a persistent shortcut in the Startup folder, downloads a lure document to distract the user and then assesses the system’s User Account Control (UAC) settings. 

If UAC is disabled or configured insecurely, it downloads and executes a second-stage PowerShell script, which attempts to disable UAC if necessary forcefully and downloads additional batch files for further malicious activity.

Code to download and run batch file
Code to download and run batch file

Initially, a batch script is executed, which copies and renames malicious scripts to system directories, removes existing scheduled tasks, and creates new ones to trigger the next stage. 

Subsequently, it involves creating a new administrative user account with weak credentials, granting it extensive privileges, modifying system settings to facilitate remote access, and downloading and executing additional malicious scripts from a remote server. 

The attacker intends to achieve their goal by establishing persistent backdoor access to the compromised system.

Contents of the sysmon2 file
Contents of the sysmon2 file

The attack progresses through multiple stages, beginning with the initial infection and culminating in remote desktop access.

The malware establishes persistent communication with a C2 server, receives commands, and executes them on the compromised system. 

It collects sensitive system information, including user credentials, network configurations, and installed software.

The attackers then disable UAC, create a new administrative user account, and lower the authentication requirements for remote desktop access.

Script partial content for making a POST request
Script partial content for making a POST request

By exploiting these vulnerabilities, the attackers gain unauthorized access to the victim’s system, enabling them to perform malicious activities, such as data theft, lateral movement, and further compromise.

According to CRIL, the threat group has executed multiple stealthy attacks using basic scripts to gain remote access and deploy tools like ChromePass for data theft by often leveraging spam emails as initial attack vectors. 

To mitigate these threats, organizations should strengthen email security, implement strict access controls, monitor system changes, enhance RDP security, and deploy network-level monitoring to detect and prevent malicious activities.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...