Help me trojanize you - Microsoft Compiled HTML Help is back for another round
Taking advantage of specific features of well-established and widely used file formats is nothing new for cybercriminals. They also like to repurpose decades-old and niche file types as a means to deliver malicious payloads. Microsoft's Compiled HTML Help (CHM) format is as old as Windows 95 OSR 2.5 itself, and Forcepoint X-Labs have recently been tracking low- to medium-scale campaigns that take advantage of the very nature of the CHM format.
Spam campaigns with various archives
In the past few weeks, malicious spam campaigns have surfaced that carry attachments of varying archive types. While the archives were mostly in either ZIP or RAR format, they commonly contained only a single CHM file. One particular campaign, targeting approximately 2,500 users in Italy, claims to be from Fedlux, a logistics and transportation company and a member of the International Freight Forwarders Association of Italy. The email subject is a price list request, while the message body urges recipients to provide their best prices by opening the attachment.
Why choose the CHM format?
The Italian spam campaign was one of those that used the RAR archive format. To slip past some of the less prepared defenses, the attackers also picked the R01 file extension instead of the default RAR. Normally such an extension is only created when an archive is split into smaller parts; this is mostly a legacy feature from a time when content was often transferred on optical media - or worse, floppy disks - rather than high-capacity USB storage. The changed extension is completely transparent from the user's perspective: double-clicking the archive reveals its contents just as before.
The CHM file inside the archive is named similarly to the attachment itself (ST_9019815_203043489019815S_05_02_2021.chm). Upon a closer look, it contains only one HTML page called “ff5df.htm”.
There are two important points of interest here: an embedded PowerShell command - with yet another encoded argument - and a “shortcut.Click()” call at the end of the HTML. The Click method is responsible for the automated execution of the PowerShell command when a less careful user simply double-clicks the CHM file. Another suspicious trait is a command window that opens and disappears quickly right after the CHM is opened. People with good eyes might even be able to spot PowerShell in the title bar.
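The combination described above - an HTML Help ShortCut object pointing at a script interpreter, plus a script that clicks it on load - is something an analyst can check for mechanically once the HTML page has been pulled out of the CHM. The following Python triage script is an added example and is not code from the original post or from Forcepoint; the HTML it scans is a constructed stand-in modelled on the description above (the encoded argument is a placeholder), and the CLSID it recognises is the documented one for the HTML Help ActiveX control (hhctrl.ocx). Because legitimate help files also use ShortCut objects, the script reports the individual signals rather than treating the object alone as a verdict.

```python
import re
from html.parser import HTMLParser

# Documented CLSID of the HTML Help ActiveX control (hhctrl.ocx). Legitimate help
# files use the same control, so this is a context signal, not a verdict on its own.
HH_CONTROL_CLSID = "clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Interpreters whose appearance as a ShortCut target deserves a closer look
# (assumption: this list is my choice for the example, not from the post).
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")

# Constructed sample modelled on the single page inside the CHM: one ShortCut
# object and a script that clicks it. The command argument is a placeholder.
SUSPICIOUS_HTML = """<html><body>
<object id="shortcut" type="application/x-oleobject"
        classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
  <param name="Command" value="ShortCut">
  <param name="Item1" value=",powershell.exe,-EncodedCommand PLACEHOLDER">
</object>
<p>Please wait while the price list loads.</p>
<script>shortcut.Click();</script>
</body></html>"""

# Constructed benign sample: an ordinary help topic with no ActiveX objects.
BENIGN_HTML = "<html><body><h1>Getting started</h1><p>Open the File menu.</p></body></html>"


class HelpObjectScanner(HTMLParser):
    """Collects <object> elements with their <param> children and all inline script text."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self.scripts = []
        self._current = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            self._current = {"id": a.get("id", ""),
                             "classid": a.get("classid", "").lower(),
                             "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self.objects.append(self._current)
            self._current = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def triage_help_html(html):
    """Return one finding per ShortCut object, with the signals that separate an
    auto-executing interpreter launch from an ordinary help-file shortcut."""
    scanner = HelpObjectScanner()
    scanner.feed(html)
    scanner.close()
    script_text = "\n".join(scanner.scripts)
    findings = []
    for obj in scanner.objects:
        if obj["params"].get("command", "").lower() != "shortcut":
            continue
        item1 = obj["params"].get("item1", "")
        # Item1 is ",<program>,<arguments>": the program sits in the second field.
        fields = item1.split(",")
        program = fields[1].strip().lower() if len(fields) > 1 else ""
        # Is the object's Click() method invoked from script, i.e. without user action?
        auto_clicked = bool(obj["id"]) and re.search(
            r"\b%s\s*\.\s*Click\s*\(" % re.escape(obj["id"]), script_text, re.I) is not None
        finding = {
            "object_id": obj["id"],
            "program": program,
            "hh_control": obj["classid"] == HH_CONTROL_CLSID,
            "launches_interpreter": any(name in program for name in INTERPRETERS),
            "auto_clicked": auto_clicked,
        }
        finding["verdict"] = ("suspicious"
                              if finding["launches_interpreter"] and auto_clicked
                              else "review")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage_help_html(SUSPICIOUS_HTML):
        print(finding)
    print(triage_help_html(BENIGN_HTML))
```

In practice the HTML pages are first extracted from the CHM (for example with 7-Zip or a dedicated CHM extractor) and every page is fed through the scanner; a ShortCut object whose Item1 names an interpreter and whose Click() is called from script is the pattern worth escalating, while a ShortCut with no script-driven click is the normal way help files launch a related tool.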
Stage two: PowerShell
The PowerShell script first runs an internet connectivity test by pinging google.com and, if that succeeds, attempts to download content from a remote location. Despite the name the script assigns to it, the retrieved file “Alpha8.jpg” is not actually a valid JPEG image but a text file using the same hex-based encoding we've witnessed multiple times already.
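From a detection standpoint, the briefly visible PowerShell window mentioned earlier has a more reliable counterpart in process telemetry: CHM files are opened by hh.exe, the Windows HTML Help executable, and a script interpreter appearing underneath hh.exe in the process tree is rare in normal use. The following Python detector is an added example, not code from the original post or from Forcepoint. It walks the parent chain of each interpreter launch in a set of constructed process-creation events whose field names mirror Sysmon Event ID 1 (the PIDs, paths and command lines are made up; the encoded argument is a placeholder), and the interpreter list and the depth limit are my own choices for the example.

```python
import ntpath

# Executables whose appearance under hh.exe warrants an alert
# (assumption: this list is my choice for the example, not from the post).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}

MAX_DEPTH = 4  # how many ancestors to walk before giving up (catches hh.exe -> cmd -> powershell)

# Constructed process-creation events in a Sysmon Event ID 1 style. PIDs, paths and
# command lines are invented; the CHM file name is the one from the campaign.
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 900, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    # Benign: a user opens a product manual; hh.exe spawns nothing.
    {"ProcessId": 3100, "ParentProcessId": 1200, "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Program Files\App\manual.chm'},
    # Suspicious: hh.exe opened the mailed CHM and PowerShell appears underneath it.
    {"ProcessId": 4120, "ParentProcessId": 1200, "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\user\Downloads\ST_9019815_203043489019815S_05_02_2021.chm'},
    {"ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand PLACEHOLDER"},
    # Benign: PowerShell started interactively from the desktop by an administrator.
    {"ProcessId": 5000, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def find_hh_spawned_interpreters(events, max_depth=MAX_DEPTH):
    """Alert on every interpreter whose ancestry (up to max_depth levels) includes hh.exe.

    Returns one alert per offending process with the process chain, the hh.exe
    command line (which carries the CHM path) and the interpreter's command line."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for event in events:
        if basename(event["Image"]) not in INTERPRETERS:
            continue
        chain = [basename(event["Image"])]
        parent = by_pid.get(event["ParentProcessId"])
        depth = 0
        while parent is not None and depth < max_depth:
            chain.append(basename(parent["Image"]))
            if basename(parent["Image"]) == "hh.exe":
                alerts.append({
                    "pid": event["ProcessId"],
                    "chain": list(reversed(chain)),   # oldest ancestor first
                    "chm": parent["CommandLine"],
                    "command_line": event["CommandLine"],
                })
                break
            parent = by_pid.get(parent["ParentProcessId"])
            depth += 1
    return alerts


if __name__ == "__main__":
    for alert in find_hh_spawned_interpreters(SAMPLE_EVENTS):
        print(" -> ".join(alert["chain"]), "|", alert["chm"])
```

When running this against real Sysmon or EDR data, key the lookup on ProcessGuid rather than ProcessId so that PID reuse cannot stitch an unrelated parent into the chain, and keep the hh.exe command line in the alert: it carries the path of the CHM that was opened, which is the artefact to collect first.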
Stage three: Dotnet
Decoding the downloaded content reveals yet another PowerShell script, this time with minimal scripting functionality and two embedded objects. These two objects are also hex encoded, with some additional byte replacements - which don’t make much sense from an obfuscation standpoint. A trained eye can easily spot the initial bytes of a portable executable (4D5A).
Once the two objects have been extracted, decoded and decompressed (the second one is actually a GZIP archive rather than a PE executable), we are presented with two .NET-based applications. The remainder of the PowerShell script is responsible for loading the first .NET binary via the function “[YESS]::f77df00sd”, which then acts as a loader to execute the second binary with the help of the RegAsm executable. The final payload executed this way is one of the ever-popular infostealer trojans, AgentTesla, configured to exfiltrate over FTP.
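The hex-with-substitutions encoding used for the downloaded “Alpha8.jpg” and for the two embedded objects is simple enough that recovering the payloads offline is a few lines of Python. The following script is an added example, not code from the original post or from Forcepoint: the substitution table is hypothetical (the post does not give the real one, so it would be replaced with the mapping read out of the script under analysis), and the two embedded objects are constructed stand-ins, a fake PE stub starting with 4D5A and a GZIP stream wrapping a second fake stub, mirroring the layout described above. It undoes the substitutions, hex-decodes, recognises a GZIP wrapper by its magic bytes and unwraps it, and records a SHA-256 of what comes out for the IoC list.

```python
import binascii
import gzip
import hashlib

# Hypothetical substitution table: which characters the script swapped hex digits for.
# The post says only that there are "some additional byte replacements"; the real
# table comes from the PowerShell script being analysed.
UNMANGLE = {"!": "0", "@": "1", "#": "a", "$": "f"}
MANGLE = {v: k for k, v in UNMANGLE.items()}


def mangle_hex(data):
    """Used only to build the constructed samples below: hex-encode, then substitute."""
    return "".join(MANGLE.get(ch, ch) for ch in binascii.hexlify(data).decode())


# Constructed stand-ins for the two embedded objects. Neither is a real executable;
# they only carry the MZ/PE markers so the classifier has something to recognise.
FAKE_PE_1 = b"MZ\x90\x00" + b"\x00" * 28 + b"PE\x00\x00" + b"\xaa" * 16
FAKE_PE_2 = b"MZ\x90\x00" + b"\x00" * 28 + b"PE\x00\x00" + b"\xbb" * 16
OBJECT_1_TEXT = mangle_hex(FAKE_PE_1)                 # first object: bare PE
OBJECT_2_TEXT = mangle_hex(gzip.compress(FAKE_PE_2))  # second object: GZIP around a PE


def unmangle_hex(text, table=UNMANGLE):
    """Reverse the substitutions, drop whitespace and hex-decode."""
    cleaned = "".join(table.get(ch, ch) for ch in text if not ch.isspace())
    return binascii.unhexlify(cleaned)


def classify(blob):
    """Identify a decoded blob by its leading bytes: 4D5A (PE) or 1F8B (GZIP)."""
    if blob[:2] == b"MZ":
        return "pe"
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    return "unknown"


def recover_object(text):
    """Decode one embedded object and unwrap a GZIP layer if present.

    Returns the container type (if any), the payload kind, its size, its SHA-256
    and the payload bytes themselves."""
    blob = unmangle_hex(text)
    container = None
    if classify(blob) == "gzip":
        container = "gzip"
        blob = gzip.decompress(blob)
    return {
        "container": container,
        "kind": classify(blob),
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "payload": blob,
    }


if __name__ == "__main__":
    for label, text in (("object 1", OBJECT_1_TEXT), ("object 2", OBJECT_2_TEXT)):
        result = recover_object(text)
        print(label, result["container"], result["kind"], result["size"], result["sha256"])
```

The same decoder applies to the stage-two download: pass it the text of “Alpha8.jpg” with the appropriate table and the result is the stage-three PowerShell script rather than a PE, which `classify` reports as unknown, so a dump-to-file step for that case is the natural extension. Hash the decoded payloads, not the encoded text, since the substitution layer can be changed between campaigns without touching the executables.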
Due to weak OPSEC on the cybercriminals' side, we can also provide some further evidence of data recently stolen by this campaign. Even though these are mostly small-scale campaigns, they are still successful in exfiltrating user credentials from infected PCs.
It’s worth noting that Cisco recently published their analysis of a campaign of which the technical details of delivery are very similar to what I’ve shared here.
When facing decades-old file types attached to email messages, we cannot simply assume they are safe to open. Quite the contrary: extra caution is highly advised. Cybercriminals are known to use whatever works to achieve their aims, and leveraging long-forgotten file types may well catch people off guard.
Forcepoint customers are protected against this threat at the following stages of attack:
- Stage 2 (Lure) – Malicious emails associated with these attacks are identified and blocked.
- Stage 5 (Dropper File) – Malicious files are prevented from being downloaded.
- Stage 6 (Call Home) – Attempts to contact C2 servers are blocked.