Web Page Archive Files

Industry: N/A | Level: Operational | Source: NetSkope

NetSkope Threat Labs has observed the distribution of malicious Microsoft Office documents using Web Page Archive files (“.mht” or “.mhtml”) in recent campaigns that also utilize collaborative programming environment - Glitch for its C2. From past campaigns in the usage of mht and mhtml files, there is a potential link to APT32/OceanLotus. The malicious document contains malicious VBS code with the payload in the web archive and drops a DLL file onto the disk. From there a scheduled task is created, executing every 10 mins masquerading as "Winrar Update." The DLL injects itself into another process and spawns rundll32 to run indefinitely. Lastly, data collected from network reconnaissance is sent to a C2 server hosted on Glithch.

• Anvilogic Scenario: Malicious Document Delivering Malware
• Anvilogic Use Cases:
• Malicious Document Execution
• Rundll32 Command Line
• Create/Modify Schtasks