2022-01-18

Web Page Archive Files

Level: 
Tactical
  |  Source: 
NetSkope
Cybersecurity
Share:

Web Page Archive Files

NetSkope Threat Labs has observed the distribution of malicious Microsoft Office documents using Web Page Archive files (“.mht” or “.mhtml”) in recent campaigns that also utilize collaborative programming environment - Glitch for its C2. From past campaigns in the usage of mht and mhtml files, there is a potential link to APT32/OceanLotus. The malicious document contains malicious VBS code with the payload in the web archive and drops a DLL file onto the disk. From there a scheduled task is created, executing every 10 mins masquerading as "Winrar Update." The DLL injects itself into another process and spawns rundll32 to run indefinitely. Lastly, data collected from network reconnaissance is sent to a C2 server hosted on Glithch.

     

Get trending threats published weekly by the Anvilogic team.

Sign Up Now