<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Malicious-File — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/malicious-file/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 17:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/malicious-file/feed.xml" rel="self" type="application/rss+xml"/><item><title>Network Connection via Compiled HTML File</title><link>https://feed.craftedsignal.io/briefs/2024-01-hh-exe-network-connection/</link><pubDate>Wed, 03 Jan 2024 17:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-hh-exe-network-connection/</guid><description>This rule detects network connections initiated by hh.exe, the HTML Help executable, which may indicate the execution of malicious code embedded in compiled HTML files (.chm) to deliver malicious payloads, bypass security controls, and gain initial access via social engineering.</description><content:encoded><![CDATA[<p>Adversaries may conceal malicious code in a compiled HTML file (.chm) and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe). Attackers can use CHM files to proxy the execution of malicious payloads via a signed binary to bypass security controls, and also to gain initial access to environments via social engineering methods. This rule identifies network connections done by hh.exe, which can potentially indicate abuse to download malicious files or tooling, or masquerading. 
The detection logic focuses on network connections originating from hh.exe to external IPs, excluding private or reserved IP ranges.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The user receives a compiled HTML file (.chm), often through social engineering tactics such as phishing.</li>
<li>The user opens the .chm file, which is then executed by the HTML Help executable (hh.exe).</li>
<li>The hh.exe process loads and renders the HTML content within the .chm file.</li>
<li>Embedded within the HTML content is malicious JavaScript or other scripting code.</li>
<li>The malicious script executes, initiating a network connection via hh.exe to an external server.</li>
<li>The external server hosts a malicious payload, such as a reverse shell or an executable file.</li>
<li>hh.exe downloads the malicious payload to the victim&rsquo;s machine.</li>
<li>The downloaded payload is executed, granting the attacker initial access or performing other malicious actions like data exfiltration or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to initial access to a victim&rsquo;s system, potentially bypassing security controls through a signed Microsoft binary. This can result in the download and execution of arbitrary payloads, leading to data exfiltration, lateral movement within the network, or installation of malware. The exploitation can spread rapidly through social engineering, affecting multiple users within an organization. While the severity is rated as medium, the potential for escalation to a critical compromise is high if the attacker gains a foothold in the environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable process and network monitoring on Windows endpoints, focusing on hh.exe activity (Data Source: Elastic Defend, Sysmon, SentinelOne).</li>
<li>Deploy the Sigma rule <code>Network Connection via Compiled HTML File</code> to your SIEM and tune for your environment to detect suspicious network connections initiated by hh.exe.</li>
<li>Monitor for hh.exe spawning child processes, which could indicate the execution of downloaded payloads. Create a Sigma rule to detect such events.</li>
<li>Implement network segmentation to limit the impact of a compromised host and restrict lateral movement.</li>
<li>Conduct regular security awareness training to educate users about the risks of opening unsolicited .chm files.</li>
<li>Inspect the digital signatures of hh.exe and other system binaries to ensure their integrity and authenticity.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>execution</category><category>defense-evasion</category><category>command-and-control</category><category>malicious-file</category><category>html-help</category></item></channel></rss>