Unauthorized RDP Connections For Cyberespionage Operations

SUMMARY :

Cyble Research and Intelligence Labs uncovered an ongoing cyberattack campaign utilizing malicious LNK files to gain unauthorized Remote Desktop access on compromised systems. The sophisticated multi-stage attack chain employs PowerShell and BAT scripts to evade detection, create administrative accounts, and alter Remote Desktop settings. The campaign, named 'HeptaX', has been active since 2023, targeting various sectors with consistent techniques. It involves the deployment of ChromePass, a tool for stealing saved passwords from Chromium-based browsers. The attack begins with a ZIP file containing a malicious shortcut, likely distributed via phishing emails, and progresses through multiple stages of payload downloads and executions, ultimately enabling the threat actors to establish remote access for further malicious activities.

OPENCTI LABELS :

powershell,rdp,uac bypass,credential theft,cyberespionage,persistence,multi-stage attack,bat scripts,chromepass


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Unauthorized RDP Connections For Cyberespionage Operations