![]() ![]() The obfuscated PowerShell code is executed in the background when the file is opened. The contents of the r variable show the HTML code to display the decoy message and a command to execute PowerShell. Debugging kkjhk.htm in Chrome Developer Tools. After we have halted execution on our breakpoint we can then view the contents of the r variable and copy that for further analysis. We can use the JavaScript debugger in Chrome Developer Tools to break on the return statement. The code above shows that the result that is returned is stored in the r variable. We can deobfuscate this code by opening the file in Chrome and using the Chrome Developer Tools. The file contains obfuscated JavaScript that is executed when the file is opened. The interesting file is the kkjhk.htm file, which displays the decoy window and executes the code. ![]() The help file can be extracted using 7zip to view the contents. When the victim opens the help file, this apparently innocuous window displays. ![]() The initial attack sent a 7zip compressed file named ORDER OF CONTRACT-pdf.7z, which contained the single malicious compiled HTML help file ORDER OF CONTRACT-pdf.chm (SHA256: 081fd54d8d4731bbea9a2588ca53672feef0b835dc9fa9855b020a352819feaa). Indicators of Compromise Malicious Compiled HTML Help File Palo Alto Networks customers are protected from malware families using similar anti-analysis techniques with Cortex XDR or the Next-Generation Firewall with WildFire and Threat Prevention security subscriptions. It does this primarily via keystroke logging, screen capturing, camera recording and accessing sensitive data. Agent Tesla focuses on stealing sensitive information from a victim’s computer and sending that information to the attacker over FTP, SMTP or HTTP. Agent Tesla is well-known malware that has been around for a while. This particular attack chain delivered Agent Tesla as the final payload. Potential victims may have been trained to avoid documents, scripts and executables from unknown senders, but it is important to be careful of almost any filetype. An attempt to bypass security training.An attempt to bypass security products.The attack is interesting because attackers are often looking for creative ways to deliver their payloads. We will then follow the chain of attack through JavaScript and multiple stages of PowerShell and show how to analyze them up to the final payload. We will show how to analyze the malicious compiled HTML help file. This blog describes an attack that Unit 42 observed utilizing malicious compiled HTML help files for the initial delivery. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |