CRIL has come across a multi-stage cyberattack campaign that begins with a ZIP file containing a malicious shortcut file (.lnk). While the source of this ZIP file remains unknown, it is suspected to be disseminated through phishing emails. Based on the LNK file name, it is suspected that this campaign targets the healthcare industry.
Upon execution, the LNK file triggers a PowerShell command that downloads and executes a series of additional payloads, including PowerShell scripts and BAT files, from a remote server. These scripts work in tandem to create a new user account on the compromised system with administrative privileges and modify Terminal Services (RDP) settings, lowering authentication requirements. This setup enables the TAs to easily establish remote desktop access (RDP) to the victim’s system, facilitating further malicious activities such as data exfiltration, the installation of additional malware, or even system monitoring.
Furthermore, CRIL identified the presence of an unwanted application called “ChromePass” within the threat actors’ network infrastructure. This hacking tool is designed to steal saved passwords from Chromium-based browsers, adding another layer of risk for victims by exposing their credentials. The image below illustrates the infection chain.
Based on the information obtained through pivoting, this group has been operational since 2023 and has executed a range of attacks across different sectors, as reflected in the names of the lure files. While the overall attack flow has remained consistent, it is surprising that they are still active using the same techniques. Several researchers have previously identified this campaign [1],[2],[3],[4],[5], with the majority of findings shared by the Malware Hunter Team.
Over the past 12 months, this unidentified group has consistently reemerged with various lure themes while maintaining unchanged attack patterns. Tracked as HeptaX,’ the campaign relies heavily on PowerShell and Batch scripts to gain control over compromised systems. By pivoting the IP address, we uncovered several additional artifacts associated with the same TAs used across different campaigns.
One of the notable files from this campaign is:
In addition, older campaigns attributed to this threat group over the past year include malicious files with names such as:
The diversity in file names and themes suggests that this group tailors its campaigns to appeal to a variety of victims, indicating a broad targeting strategy across multiple industries.
Upon execution, the LNK file runs a PowerShell command that downloads and executes subsequent payloads from a remote server. The image below shows a partially de-obfuscated PowerShell command.
First stage – bb.ps1
As an initial step, the downloaded PowerShell script constructs a base URL to which it sends information and from which it downloads other stage payloads. The PowerShell script contains multiple functions, the first of which retrieves a unique identifier (UID) for the compromised system. This UID is obtained either from a specific registry path (HKEY_LOCAL_MACHINE\SOFTWARE\Wireless) or from a log file (id.log) in the “C:\Users\Public\Documents” directory. If neither exists, a new GUID is generated and saved to a newly created id.log file.
Next, the PowerShell script creates a shortcut file in the Windows Startup folder for persistence. The contents of the newly generated LNK file match those of the original malicious LNK file. The image below shows the function responsible for creating the new LNK file in the startup folder.
Then, the PowerShell script constructs a URL by appending the previously generated UID to the remote server, forming the request hxxp://157.173.104.153/up/get-command.php?uid=<UID>, and uses WebClient to send a request to fetch commands from the server. Upon receiving a successful response, it checks whether the response contains the string “autoreconnect”. If this string is present, the Powershell script runs the code in the current session using `iex`; otherwise, it executes the code as a background task in a separate PowerShell process.
Afterward, the PowerShell script downloads a password-protected lure document from the above-mentioned remote server, saves it in the system’s temporary directory “C:\Users\<Username>\AppData\Local\Temp”, and then launches the document. The image below displays the function code and the open directory containing the lure PDF.
Finally, the PowerShell script retrieves two registry values related to User Account Control (UAC):
If either of these values is 0, suggesting that UAC is either disabled or configured to a less secure setting, the script proceeds to download and execute another PowerShell script (b.ps1) from the remote server.
Second Stage – b.ps1
The newly downloaded second-stage PowerShell script includes several functions, some mirroring those from the first stage. The primary function of this script is focused on evaluating the system’s User Account Control (UAC) settings, utilizing the same registry checks employed earlier to determine whether UAC is enabled and if the consent prompt for administrators remains active.
If UAC is disabled or the consent prompt behavior is configured to a less secure state, the function sends a message to the remote server indicating that UAC is off by default: (“hxxp://157.173.104[.]153/up/index.php?uid=$uid&msg=UAC off in default!”).
If both settings are enabled, the function enters a loop, repeatedly attempting to disable UAC by setting the “ConsentPromptBehaviorAdmin” value to 0. Once successful, it sends a message to the remote server stating that UAC has been forcefully disabled: (“hxxp://157.173.104[.]153/up/index.php?uid=$uid&msg=UAC force disabled!”). The below image shows the function code responsible for sending a POST request to the remote server, transmitting information about the victim’s User Account Control (UAC) status.
After a brief 300-millisecond sleep, the PowerShell script calls the schReg() function, which downloads three batch files from the remote server into the system’s temporary directory ($env:TEMP). The files are named “k1.bat,” “scheduler-once.bat,” and “k2.bat.” After downloading, the script runs the “scheduler-once.bat” file using the “Start-Process” cmdlet with elevated privileges. The image below shows the code responsible for downloading and executing the batch files.
Third Stage – scheduler-once.bat
The executed batch file copies “k1.bat” and “k2.bat” from the %temp% directory to “C:\Windows\System32”, renaming them to “sysmon.bat” and “sysmon2.bat”. It then deletes the original “k1.bat” and “k2.bat” files from the temp location. Next, the batch file checks for and removes any scheduled tasks named:
Afterward, it creates a new scheduled task called “Intel(R) Ethernet2 Connection 1219-LM” to run “sysmon2.bat”. Finally, the script “scheduler-once.bat” deletes itself to cover its traces from the system. The image below displays the contents of the batch file “scheduler-once.bat”.
Fourth Stage – sysmon2.bat
Once the scheduled task is triggered to execute the “sysmon2.bat” file, it first checks for and removes any existing scheduled tasks named:
Afterward, it creates a new scheduled task called “Intel(R) Ethernet2 Connection1219-LM2” to run the “sysmon.bat” file located in the “C:Windows\System32” folder. Notably, the previous third-stage batch file performs similar checks, but the task names differ slightly. The image below shows the content of the “sysmon2.bat” file.
Fifth Stage – Sysmon.bat
The sysmon.bat script executes a series of actions:
Sixth Stage – a.ps1
The newly downloaded PowerShell script “a.ps1” functions similar to the first stage script (bb.ps1). It constructs a URL by appending the previously generated UID to the remote server address, forming a request to “hxxp://157.173.104.153/up/get-command.php?uid=<UID>”.
The script then utilizes a WebClient to send a request and retrieve commands from the server. Upon receiving a response, it checks for the presence of the string “autoreconnect id.” If this string is found, the PowerShell script executes the code in the current session using iex; otherwise, it runs the code as a background task in a separate PowerShell process. Notably, in both stages, we did not receive any specific commands such as “autoreconnect” or “autoreconnect id”. The main difference in this sixth-stage script is that it looks for the string “autoreconnect id” instead of just “autoreconnect”. The below image shows the code for reconnecting to the server.
Seventh Stage – Server response PowerShell Script
Upon establishing a connection with the server, a new PowerShell script is executed. This script contains several functions aimed at system reconnaissance, data exfiltration, and interaction with the remote server.
The script collects detailed system information, including:
The script then reads the contents of the log file, converts the data into a byte array, and encodes it in Base64 format. This encoded data, along with the unique user ID (uid), is appended to the base URL” hxxp://157.173.104[.]153/up/index.php” and sent via a POST request. After successfully transmitting the data, the log file and its directory are deleted to eliminate any traces of the data collection.
Taking Remote desktop
With all the collected information, User Account Control (UAC) disabled, and a new user account named “BootUEFI” created with administrative privileges, along with lowered authentication requirements for Terminal Services, the TAs can easily gain access to the compromised remote desktop. This access enables them to perform various actions on the victim’s machine, such as:
Additionally, we observed an unwanted application—a hacking tool named ChromePass—associated with the same network infrastructure at “hxxp://157.173.104[.]153/up/Tool/ChromePass.exe” This tool is designed to steal saved passwords from Chromium-based browsers.
Over the past year, this group has executed multiple attacks utilizing various lures and targeting different victims, all while remaining largely unnoticed. Their reliance on basic scripts has enabled TAs to gain remote access to compromised systems seamlessly, allowing for extensive exploitation without triggering alarms.
Additionally, the deployment of the ChromePass tool further underscores the group’s intent to harvest sensitive information, such as saved passwords from Chromium-based browsers, thereby posing a significant threat to the security of individuals and organizations alike. This combination of tactics highlights the need for enhanced detection and prevention measures to combat these stealthy cyber threats effectively.
Tactic | Technique | Procedure |
Initial Access (TA0001) | Phishing (T1566) | The LNK file may be delivered through phishing or spam emails |
Execution (TA0002) | User Execution: Malicious Link (T1204.001) Command and Scripting Interpreter: PowerShell (T1059.001) | Execution begins when a user executes the LNK file The LNK file executes PowerShell commands |
Defense Evasion (TA0005) | Obfuscated Files or Information (T1027) | Scripts include packed or encrypted data. |
Persistence (TA0003) | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | Adds LNK file in the startup folder |
Privilege Escalation (TA0004) | Abuse Elevation Control Mechanism (T1548) Account Manipulation (T1098) | Bypass User Account Control Manipulate accounts to maintain and/or elevate access to victim systems. |
Discovery (TA0007) | System Information Discovery (T1082) | Script gathers system information. |
Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Retrieves credentials from web browsers |
C&C (TA0011) | Ingress Tool Transfer (T1105) | Downloads files from webservers via HTTP |
C&C (TA0011) | Application Layer Protocol (T1071) | Malware exe communicate to C&C server. |
Indicators | Indicator Type | Description |
6605178dbc4d84e789e435915e86a01c5735f34b7d18d626b2d8810456c4bc72 | SHA256 | Zip File |
18e75bababa1176ca1b25f727c0362e4bb31ffc19c17e2cabb6519e6ef9d2fe5 5ff89db10969cba73d1f539b12dad42c60314e580ce43d7b57b46a1f915a6a2b | SHA256 | Malicious LNK file |
1d82927ab19db7e9f418fe6b83cf61187d19830b9a7f58072eedfd9bdf628dab | SHA256 | bb.ps1 |
a8d577bf773f753dfb6b95a3ef307f8b4d9ae17bf86b95dcbb6b2fb638a629b9 | SHA256 | b.ps1 |
999f521ac605427945035a6d0cd0a0847f4a79413a4a7b738309795fd21d3432 | SHA256 | K1.bat |
4b127e7b83148bfbe56bd83e4b95b2a4fdb69e1c9fa4e0c021a3bfb7b02d8a16 | SHA256 | GooglePass |
hxxp://157.173.104[.]153/up/index.php hxxp://157[.]173.104.153/up/b.ps1 hxxp://157.173.104[.]153/up/bb.ps1 hxxp://157.173.104[.]153/up/scheduler-oncex hxxp://157.173.104[.]153/up/trigger hxxp://157.173.104[.]153/up/Tool/ChromePass.exe hxxp://157.173.104[.]153/up/get-command.php hxxp://157.173.104[.]153/up/bait/202409_Resident_Care_Quality_Improvement_Strategies_for_Nursing_Homes_Enhancing_Patient_Satisfaction_and_Health_Outcomes.pdf | URL | Remote server |
https://twitter.com/malwrhunterteam/status/1701669714244542758
https://twitter.com/AzakaSekai_/status/1846482785009348692
https://twitter.com/fmc_nan/status/1701427951714345296
https://twitter.com/malwrhunterteam/status/1708219656488571188
https://twitter.com/malwrhunterteam/status/1701672325580550176