1. Home
  2. Techniques
  3. Enterprise
  4. System Binary Proxy Execution
  5. Compiled HTML File

System Binary Proxy Execution: Compiled HTML File

ID Name
T1218.001 Compiled HTML File
T1218.002 Control Panel
T1218.003 CMSTP
T1218.004 InstallUtil
T1218.005 Mshta
T1218.007 Msiexec
T1218.008 Odbcconf
T1218.009 Regsvcs/Regasm
T1218.010 Regsvr32
T1218.011 Rundll32
T1218.012 Verclsid
T1218.013 Mavinject
T1218.014 MMC
T1218.015 Electron Applications

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. [1] CHM content is displayed using underlying components of the Internet Explorer browser [2] loaded by the HTML Help executable program (hh.exe). [3]

A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. [4] [5]

ID: T1218.001
Sub-technique of:  T1218
Tactic: Defense Evasion
Platforms: Windows
Contributors: Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
Version: 2.2
Created: 23 January 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0082 APT38

APT38 has used CHM files to move concealed payloads.[6]
G0096 APT41

APT41 used compiled HTML (.chm) files for targeting.[7]

S0373 Astaroth

Astaroth uses ActiveX objects for file execution and manipulation. [8]
G0070 Dark Caracal

Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable.[9]
G0049 OilRig

OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.[10]
G0091 Silence

Silence has weaponized CHM files in their phishing campaigns.[11][12][13][14]

Mitigations

ID Mitigation Description
M1038 Execution Prevention

Consider using application control to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.
M1021 Restrict Web-Based Content

Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files

Detection Strategy

ID Name Analytic ID Analytic Description
DET0342 Detection of Suspicious Compiled HTML File Execution via hh.exe AN0968

Execution of hh.exe to open a .chm file followed by suspicious child processes or script engine invocation (VBScript, JScript, mshta, powershell). Behavior includes loading a CHM file from untrusted locations, or immediately spawning commands indicative of payload execution.

References

  1. Microsoft. (2018, May 30). Microsoft HTML Help 1.4. Retrieved October 3, 2018.
  2. Microsoft. (n.d.). HTML Help ActiveX Control Overview. Retrieved October 3, 2018.
  3. Microsoft. (n.d.). About the HTML Help Executable Program. Retrieved October 3, 2018.
  4. Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM – CVE-2017-8625. Retrieved October 3, 2018.
  5. Microsoft. (2017, August 8). CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability. Retrieved October 3, 2018.
  6. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.
  7. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  1. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.
  2. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  3. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  4. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved November 17, 2024.
  5. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  6. Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020.
  7. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.