Compiled HTML File
Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX.  CHM content is displayed using underlying components of the Internet Explorer browser  loaded by the HTML Help executable program (hh.exe). 
Adversaries may abuse this technology to conceal malicious code. A custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application whitelisting on older and/or unpatched systems that do not account for execution of binaries through hh.exe.  
|Astaroth||Astaroth uses ActiveX objects for file execution and manipulation. |
|Dark Caracal||Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable. |
|Lazarus Group||Lazarus Group has used CHM files to move concealed payloads as part of. |
|OilRig||OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim. |
|Silence||Silence has weaponized CHM files in their phishing campaigns.  |
|Execution Prevention||Consider using application whitelisting to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.|
|Restrict Web-Based Content||Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files.|
Monitor and analyze the execution and arguments of hh.exe.  Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.
Monitor presence and use of CHM files, especially if they are not typically used within an environment.
- Microsoft. (2018, May 30). Microsoft HTML Help 1.4. Retrieved October 3, 2018.
- Microsoft. (n.d.). HTML Help ActiveX Control Overview. Retrieved October 3, 2018.
- Microsoft. (n.d.). About the HTML Help Executable Program. Retrieved October 3, 2018.
- Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM – CVE-2017-8625. Retrieved October 3, 2018.
- Microsoft. (2017, August 8). CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability. Retrieved October 3, 2018.
- Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
- GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.
- Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
- GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.