Compiled HTML File (T1218.001)

Compiled HTML File [T1218.001]

Information

Name: Compiled HTML File
ID: T1218.001
Tactics:
Technique:

Introduction

Compiled HTML File () is a sub-technique under the "Signed Binary Proxy Execution" category within the MITRE ATT&CK framework. Attackers leverage this sub-technique by abusing legitimate Windows HTML Help files (.chm) to execute malicious payloads. Compiled HTML Help files are trusted by default within Windows environments, allowing adversaries to bypass application control mechanisms and execute arbitrary code without raising immediate suspicion.

Deep Dive Into Technique

Compiled HTML Help files (.chm) are Microsoft proprietary file formats used to deliver help documentation in Windows applications. These files contain HTML documents, scripts (such as JavaScript or VBScript), and embedded objects compiled into a single compressed archive. Attackers exploit this functionality as follows:

Execution Method:
- Malicious actors embed scripts or executable payloads within the CHM file.
- Upon opening the CHM file, embedded scripts execute automatically, leveraging the built-in Windows HTML Help Viewer (hh.exe).
Mechanisms:
- CHM files can execute embedded scripts via ActiveX controls or JavaScript.
- Attackers commonly use HTML Application (HTA) or VBScript payloads embedded in CHM files to execute malicious code.
- CHM files can also reference external resources, allowing attackers to download and execute additional payloads from remote servers.
Real-World Procedures:
- Attackers often distribute malicious CHM files via phishing emails, social engineering tactics, or through compromised websites.
- Malicious CHM files can appear legitimate and may masquerade as software documentation, help guides, or technical manuals.
- Adversaries frequently combine CHM file abuse with other techniques, such as obfuscation, encoding, or encryption, to evade detection.

When this Technique is Usually Used

Attackers typically employ the Compiled HTML File technique at various stages of the cyber kill chain, primarily focusing on initial access, execution, and defense evasion:

Initial Access:
- Delivery via spear-phishing emails containing malicious CHM attachments.
- Distribution through malicious websites or compromised legitimate websites hosting malicious CHM files.
Execution:
- Execution of embedded scripts or payloads immediately upon opening the CHM file.
- Initiating remote downloads and execution of secondary payloads.
Defense Evasion:
- Utilizing legitimate Windows binaries (hh.exe) and trusted file formats (.chm) to bypass security controls and evade application whitelisting or blacklisting.
- Leveraging built-in Windows functionality reduces the likelihood of detection by endpoint security tools.

How this Technique is Usually Detected

Detection of malicious CHM file usage requires a combination of endpoint monitoring, behavioral analysis, and network-based detection methods:

Endpoint Detection:
- Monitoring process execution for unusual invocation of hh.exe with suspicious parameters.
- Analyzing file metadata and CHM file headers for anomalies or suspicious embedded scripts.
- Identifying unusual CHM file execution locations (e.g., temporary directories, user downloads folder).
Behavioral Analysis:
- Detecting abnormal scripting activity (JavaScript, VBScript, or ActiveX) triggered by CHM files.
- Monitoring for suspicious child processes spawned by hh.exe, such as cmd.exe, powershell.exe, mshta.exe, or wscript.exe.
- Using Endpoint Detection and Response (EDR) solutions to detect abnormal behavior patterns associated with CHM file usage.
Network Detection:
- Analyzing network traffic for unusual outbound connections initiated by CHM files downloading secondary payloads.
- Identifying suspicious domains or IP addresses contacted shortly after CHM execution.
Indicators of Compromise (IoCs):
- Suspicious CHM file hashes, filenames, or metadata observed in threat intelligence feeds.
- Unusual hh.exe command-line arguments or execution contexts.
- Suspicious registry modifications or file creations triggered by CHM execution.
- Network IoCs such as domain names or IP addresses associated with known malicious CHM campaigns.

Why it is Important to Detect This Technique

Detecting malicious usage of CHM files is critical due to the significant potential impacts and risks posed to organizations:

Bypassing Security Controls:
- CHM files are trusted by default in Windows environments, allowing attackers to bypass traditional security defenses such as application whitelisting and antivirus solutions.
- Early detection prevents adversaries from leveraging trusted binaries and file types to execute malicious activities unnoticed.
Initial Infection Vector:
- CHM files are frequently used as an initial entry point, enabling attackers to establish persistence and escalate privileges within compromised systems.
- Detecting and blocking malicious CHM files at the earliest stages prevents further compromise and lateral movement.
Potential Impacts:
- Successful execution of malicious CHM files can lead to malware infections, data exfiltration, ransomware deployment, credential theft, and unauthorized remote access.
- Early detection significantly reduces the risk of severe damage, data loss, financial impacts, and reputational harm.
Visibility and Response:
- Timely detection provides incident response teams with crucial visibility into attacker activities, enabling rapid containment and eradication.
- Identifying malicious CHM file usage can help security teams strengthen defenses, enhance security policies, and improve user awareness training.

Examples

Real-world cases involving Compiled HTML File abuse illustrate the practical application and impact of this sub-technique:

APT41 (Winnti Group):
- Attack Scenario: APT41 utilized malicious CHM files delivered via targeted spear-phishing emails to gain initial footholds in victim organizations.
- Tools Used: Malicious CHM files embedded with JavaScript or VBScript payloads, leveraging hh.exe to execute commands and download additional malware.
- Impacts: Successful compromise allowed attackers persistent access, data exfiltration, and espionage activities targeting sensitive intellectual property.
Emotet Malware Campaigns:
- Attack Scenario: Emotet operators distributed malicious CHM files via mass phishing campaigns, masquerading as invoices, shipping notifications, or financial documents.
- Tools Used: Malicious CHM files containing embedded scripts designed to download and execute Emotet payloads from remote servers.
- Impacts: Wide-scale infections resulting in credential theft, lateral movement, ransomware deployment (e.g., Ryuk), and significant operational disruptions.
TA505 Threat Actor:
- Attack Scenario: TA505 leveraged CHM files as initial infection vectors, delivered through targeted phishing emails to financial institutions and enterprises.
- Tools Used: CHM files embedded with scripts triggering downloads of secondary payloads such as FlawedAmmyy RAT or SDBbot.
- Impacts: Successful infections led to unauthorized access, data exfiltration, financial fraud, and persistent footholds within compromised organizations.

These examples highlight the versatility, effectiveness, and real-world risks associated with malicious CHM file usage, underscoring the importance of robust detection, prevention, and response strategies.

Last updated 8 hours ago

Introduction

Deep Dive Into Technique

Execution Method:

Malicious actors embed scripts or executable payloads within the CHM file.
Upon opening the CHM file, embedded scripts execute automatically, leveraging the built-in Windows HTML Help Viewer (hh.exe).

Mechanisms:

CHM files can execute embedded scripts via ActiveX controls or JavaScript.
Attackers commonly use HTML Application (HTA) or VBScript payloads embedded in CHM files to execute malicious code.
CHM files can also reference external resources, allowing attackers to download and execute additional payloads from remote servers.

Real-World Procedures:

Attackers often distribute malicious CHM files via phishing emails, social engineering tactics, or through compromised websites.
Malicious CHM files can appear legitimate and may masquerade as software documentation, help guides, or technical manuals.
Adversaries frequently combine CHM file abuse with other techniques, such as obfuscation, encoding, or encryption, to evade detection.

When this Technique is Usually Used

Attackers typically employ the Compiled HTML File technique at various stages of the cyber kill chain, primarily focusing on initial access, execution, and defense evasion:

Initial Access:

Delivery via spear-phishing emails containing malicious CHM attachments.
Distribution through malicious websites or compromised legitimate websites hosting malicious CHM files.

Execution:

Execution of embedded scripts or payloads immediately upon opening the CHM file.
Initiating remote downloads and execution of secondary payloads.

Defense Evasion:

Utilizing legitimate Windows binaries (hh.exe) and trusted file formats (.chm) to bypass security controls and evade application whitelisting or blacklisting.
Leveraging built-in Windows functionality reduces the likelihood of detection by endpoint security tools.

How this Technique is Usually Detected

Detection of malicious CHM file usage requires a combination of endpoint monitoring, behavioral analysis, and network-based detection methods:

Endpoint Detection:

Monitoring process execution for unusual invocation of hh.exe with suspicious parameters.
Analyzing file metadata and CHM file headers for anomalies or suspicious embedded scripts.
Identifying unusual CHM file execution locations (e.g., temporary directories, user downloads folder).

Behavioral Analysis:

Detecting abnormal scripting activity (JavaScript, VBScript, or ActiveX) triggered by CHM files.
Monitoring for suspicious child processes spawned by hh.exe, such as cmd.exe, powershell.exe, mshta.exe, or wscript.exe.
Using Endpoint Detection and Response (EDR) solutions to detect abnormal behavior patterns associated with CHM file usage.

Network Detection:

Analyzing network traffic for unusual outbound connections initiated by CHM files downloading secondary payloads.
Identifying suspicious domains or IP addresses contacted shortly after CHM execution.

Indicators of Compromise (IoCs):

Suspicious CHM file hashes, filenames, or metadata observed in threat intelligence feeds.
Unusual hh.exe command-line arguments or execution contexts.
Suspicious registry modifications or file creations triggered by CHM execution.
Network IoCs such as domain names or IP addresses associated with known malicious CHM campaigns.

Why it is Important to Detect This Technique

Detecting malicious usage of CHM files is critical due to the significant potential impacts and risks posed to organizations:

Bypassing Security Controls:

CHM files are trusted by default in Windows environments, allowing attackers to bypass traditional security defenses such as application whitelisting and antivirus solutions.
Early detection prevents adversaries from leveraging trusted binaries and file types to execute malicious activities unnoticed.

Initial Infection Vector:

CHM files are frequently used as an initial entry point, enabling attackers to establish persistence and escalate privileges within compromised systems.
Detecting and blocking malicious CHM files at the earliest stages prevents further compromise and lateral movement.

Potential Impacts:

Successful execution of malicious CHM files can lead to malware infections, data exfiltration, ransomware deployment, credential theft, and unauthorized remote access.
Early detection significantly reduces the risk of severe damage, data loss, financial impacts, and reputational harm.

Visibility and Response:

Timely detection provides incident response teams with crucial visibility into attacker activities, enabling rapid containment and eradication.
Identifying malicious CHM file usage can help security teams strengthen defenses, enhance security policies, and improve user awareness training.

Examples

Real-world cases involving Compiled HTML File abuse illustrate the practical application and impact of this sub-technique:

APT41 (Winnti Group):

Attack Scenario: APT41 utilized malicious CHM files delivered via targeted spear-phishing emails to gain initial footholds in victim organizations.
Tools Used: Malicious CHM files embedded with JavaScript or VBScript payloads, leveraging hh.exe to execute commands and download additional malware.
Impacts: Successful compromise allowed attackers persistent access, data exfiltration, and espionage activities targeting sensitive intellectual property.

Emotet Malware Campaigns:

Attack Scenario: Emotet operators distributed malicious CHM files via mass phishing campaigns, masquerading as invoices, shipping notifications, or financial documents.
Tools Used: Malicious CHM files containing embedded scripts designed to download and execute Emotet payloads from remote servers.
Impacts: Wide-scale infections resulting in credential theft, lateral movement, ransomware deployment (e.g., Ryuk), and significant operational disruptions.

TA505 Threat Actor:

Attack Scenario: TA505 leveraged CHM files as initial infection vectors, delivered through targeted phishing emails to financial institutions and enterprises.
Tools Used: CHM files embedded with scripts triggering downloads of secondary payloads such as FlawedAmmyy RAT or SDBbot.
Impacts: Successful infections led to unauthorized access, data exfiltration, financial fraud, and persistent footholds within compromised organizations.