Compiled HTML File

Information

• Name: Masquerade File Type

• ID: T1036.008

• Tactics: TA0005

• Technique: T1036

Introduction

Compiled HTML File (T1036.008) is a sub-technique under the MITRE ATT&CK framework's Masquerading (T1036) technique category. Attackers leverage compiled HTML (.chm) files, typically used for help documentation in Windows environments, to disguise malicious payloads and execute arbitrary code. This method exploits the trust users and systems place in standard help documentation formats, allowing attackers to bypass security controls and execute malicious code under the guise of legitimate files.

Deep Dive Into Technique

Compiled HTML (CHM) files are compressed archives primarily used by Windows to store help documentation. These files contain HTML pages, scripts, images, and other resources. Attackers abuse CHM files because they can embed malicious scripts or payloads directly within these files, making them effective vectors for malware delivery and execution.

Technical details include:

• Attackers embed malicious JavaScript or VBScript within the CHM file.

• The CHM file is often delivered via phishing emails, malicious websites, or embedded in software downloads.

• Upon user interaction—usually opening the CHM file—the embedded scripts execute automatically due to the trusted nature of CHM files in Windows.

• Malicious scripts within CHM files can download and execute additional payloads, establish persistence, or conduct reconnaissance.

Real-world procedures used:

• Crafting CHM files with embedded malicious scripts using publicly available tools or custom scripts.

• Obfuscating embedded scripts to evade antivirus and endpoint detection solutions.

• Employing social engineering techniques to entice users to open these seemingly benign help files.

When this Technique is Usually Used

Attackers typically use Compiled HTML Files (T1036.008) in various attack scenarios and stages, including:

• Initial Access Stage:

  • Phishing campaigns targeting end-users with malicious CHM files disguised as legitimate help documents.

  • Malicious email attachments masquerading as legitimate documentation or support files.

• Execution Stage:

  • Triggering embedded scripts to download and execute secondary payloads, such as malware or ransomware.

  • Establishing a foothold on victim systems by executing scripts that initiate further exploitation activities.

• Defense Evasion Stage:

  • Masquerading malicious payloads within legitimate-looking CHM files to bypass antivirus and endpoint protection solutions.

  • Evading sandbox analysis by embedding scripts that detect virtualized environments before execution.

How this Technique is Usually Detected

Detection methods and tools for identifying malicious Compiled HTML Files include:

• Endpoint Detection and Response (EDR) Solutions:

  • Monitoring unusual execution patterns involving hh.exe (the default CHM file handler on Windows systems).

  • Detecting anomalous script execution originating from CHM files.

• Network Monitoring and IDS/IPS:

  • Identifying network traffic initiated by CHM file execution, particularly unexpected outbound HTTP/HTTPS connections to suspicious domains or IP addresses.

• Email Gateway Scanning:

  • Inspecting email attachments for malicious CHM files and blocking or quarantining suspicious emails.

• Behavioral Analysis and Sandboxing:

  • Analyzing CHM files in sandbox environments to detect malicious scripting activities or payload downloads.

  • Detecting attempts by CHM files to execute commands or scripts that are not typical for standard help documentation.

• Specific Indicators of Compromise (IoCs):

  • Suspicious CHM files with unusual scripting content.

  • Unexpected execution of hh.exe processes initiating outbound connections.

  • CHM files delivered from unknown or suspicious senders, especially via email.

Why it is Important to Detect This Technique

Detecting Compiled HTML File exploitation is critical due to the following impacts and risks:

• Initial Compromise: Malicious CHM files can serve as entry points for attackers, enabling initial access and foothold establishment in enterprise environments.

• Malware Delivery: Attackers frequently use CHM files to deliver secondary payloads, including ransomware, remote access trojans (RATs), or other sophisticated malware.

• Persistence and Escalation: Malicious CHM files can execute scripts that establish persistent access, escalate privileges, or facilitate lateral movement.

• Data Exfiltration: Attackers can utilize malicious CHM files to initiate data theft or exfiltration activities by downloading additional tools and scripts.

• Bypassing Security Measures: CHM files are often considered trusted file formats, which attackers exploit to bypass traditional security controls and antivirus solutions.

Early detection and response to this technique significantly reduce the risk of extensive compromise, data loss, and operational disruption.

Examples

Real-world examples demonstrating the use of malicious Compiled HTML Files include:

• APT Actors Using CHM Files:

  • Advanced Persistent Threat (APT) groups have historically leveraged CHM files in spear-phishing campaigns targeting government and corporate entities. For example, APT41 has used malicious CHM files to deliver payloads and establish initial access.

• Phishing Campaigns:

  • Cybercriminals frequently distribute malicious CHM files via phishing emails, disguised as invoices, technical support documents, or product manuals. Upon opening, these files download and execute malware payloads.

• Malware Families Leveraging CHM Files:

  • The Dridex banking trojan has been distributed through malicious CHM files embedded in phishing emails. Once executed, the CHM file downloads and installs the Dridex payload, resulting in credential theft and financial losses.

  • The Trickbot malware has also utilized CHM files as initial infection vectors, leading to subsequent ransomware deployments.

• Tools and Techniques:

  • Attackers commonly use publicly available tools such as HTML Help Workshop or custom scripts to create malicious CHM files.

  • Embedded scripts within CHM files often employ obfuscation techniques to evade detection, making analysis and detection more challenging.

These examples highlight the importance of vigilance, user awareness training, and robust detection mechanisms to mitigate risks associated with this sub-technique.