Full Report
A new FileFix attack allows executing malicious scripts while bypassing the Mark of the Web (MoTW) protection in Windows by exploiting how browsers handle saved HTML webpages. [...]
Analysis Summary
# Tool/Technique: FileFix Attack Variant (JScript Execution via HTML Application)
## Overview
This entry details a specific attack variant leveraging HTML Applications (.HTA files) to execute malicious JScript while attempting to bypass the Windows Mark-of-the-Web (MoTW) alerts, often distributed via social engineering tactics where a user saves a simulated webpage.
## Technical Details
- Type: Technique (Exploitation of file handling and script execution)
- Platform: Windows
- Capabilities: Bypassing MoTW warnings, executing arbitrary JScript code upon file opening.
- First Seen: Not dated in the source, which describes this as a new variant.
## MITRE ATT&CK Mapping
The primary execution method involves bypassing security features related to downloaded files and executing script content directly.
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (the technique relies on circumventing standard warning mechanisms)
## Functionality
### Core Capabilities
- **MoTW Bypassing:** When an HTML file is saved using the "Webpage, Complete" format (MIME type `text/html`), it reportedly avoids receiving the Mark-of-the-Web (MoTW) tag.
- **Script Execution:** When the content is saved through the "Webpage, Complete" method but given the `.HTA` extension, the embedded malicious JScript runs immediately when the `.HTA` file is opened, without the security warning a downloaded file would normally trigger.
- **Social Engineering:** Requires victims to be tricked into saving content from a malicious website (e.g., mimicking an MFA code backup page) and manually renaming the file extension to `.hta`.
### Advanced Features
- The attack relies on the difference in how Windows treats files saved through the browser's "Webpage, Complete" option versus standard web downloads, so the alerts meant to warn users about potentially dangerous downloaded content are never shown.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: Targeted files are saved with the extension `.hta` (e.g., `MfaBackupCodes2025.hta`).
- Registry Keys: [Not provided in the context]
- Network Indicators: [Not provided in the context]
- Behavioral Indicators: Execution of JScript content embedded within a locally saved HTA file without user confirmation prompts normally associated with downloaded scripts.
## Associated Threat Actors
- [Not explicitly named in the context, but categorized as a general attack variant.]
## Detection Methods
- Signature-based detection: [Not explicitly detailed, but file hashes or static JScript analysis could be used if available.]
- Behavioral detection: Monitoring for suspicious execution via `mshta.exe` originating from user-writable locations or unusual context.
- YARA rules: [Not provided in the context]
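The behavioural detection described above (mshta.exe launched with an `.hta` from a user-writable location, or from an unusual parent process), as an added example that is not part of the original report: it runs over a few constructed process-creation log lines in an invented `Key=Value|Key=Value` format, and also interprets the text of a file's `Zone.Identifier` alternate data stream, which is where the MoTW lives on NTFS. The path prefixes, the parent-process list, the log format and the sample events are all assumptions of this example, not values from the source.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Path prefixes a standard user can write to (illustrative list, an assumption
# of this example rather than something the report specifies).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Parent processes from which an mshta.exe launch is unusual (illustrative).
UNUSUAL_PARENTS = ("chrome.exe", "msedge.exe", "firefox.exe",
                   "outlook.exe", "winword.exe", "excel.exe")

# An .hta path inside a command line, quoted or bare.
HTA_ARG_RE = re.compile(r'"?([a-z]:\\[^"|]*?\.hta)"?', re.IGNORECASE)


@dataclass
class Finding:
    hta_path: str
    parent: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' process-creation line."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def motw_zone(zone_identifier: Optional[str]) -> Optional[int]:
    """Interpret the text of a file's Zone.Identifier alternate data stream.

    Returns the ZoneId (3 = Internet zone, which triggers MoTW warnings) or
    None when the stream is absent, the state the report describes for
    HTML saved via "Webpage, Complete".
    """
    if zone_identifier is None:
        return None
    for line in zone_identifier.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.lower() == "zoneid" and value.isdigit():
            return int(value)
    return None


def analyze_event(event: dict) -> Optional[Finding]:
    """Flag mshta.exe runs that match the report's behavioural indicator."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return None
    match = HTA_ARG_RE.search(event.get("CommandLine", ""))
    if not match:
        return None
    hta_path = match.group(1)
    parent = event.get("ParentImage", "")
    parent_name = parent.lower().rsplit("\\", 1)[-1]
    if hta_path.lower().startswith(USER_WRITABLE_PREFIXES):
        return Finding(hta_path, parent,
                       "mshta.exe launched an .hta from a user-writable location")
    if parent_name in UNUSUAL_PARENTS:
        return Finding(hta_path, parent,
                       f"mshta.exe spawned by unusual parent {parent_name}")
    return None


def scan(lines):
    """Run analyze_event over raw log lines and return the findings."""
    return [f for f in (analyze_event(parse_event(l)) for l in lines) if f]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe C:\Windows\System32\oem\setup.hta|ParentImage=C:\Windows\System32\svchost.exe",
    r'Image=C:\Windows\System32\mshta.exe|CommandLine="C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\MfaBackupCodes2025.hta"|ParentImage=C:\Windows\explorer.exe',
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt|ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {finding.reason}: {finding.hta_path} (parent {finding.parent})")
    # A normal browser download carries ZoneId=3; per the report, a
    # "Webpage, Complete" save carries no Zone.Identifier stream at all.
    print(motw_zone("[ZoneTransfer]\r\nZoneId=3\r\n"), motw_zone(None))
```

Only the second sample line is flagged: the first is a system-path `.hta` launched by a system parent and the third is not mshta.exe at all. The user-writable check fires before the parent check because a double-clicked `.hta` has `explorer.exe` as its parent, which looks ordinary on its own; the location is what makes it suspicious.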
## Mitigation Strategies
- **Disable or Remove `mshta.exe`:** The primary suggested mitigation is disabling or removing the `mshta.exe` binary, located in `C:\Windows\System32` and `C:\Windows\SysWOW64`.
- **Enable File Extension Visibility:** Ensure Windows is configured to always show file extensions to help users identify true file types.
- **Email Gateway Controls:** Block HTML attachments in email transmissions.
- **User Awareness:** Train users regarding the dangers of saving files from untrusted sources, especially when prompted aggressively by a webpage interface.
## Related Tools/Techniques
- Standard HTML Application (`.HTA`) execution methods.
- Exploitation of Windows file handling mechanisms to bypass security tagging (MoTW).