By Elmer Hernandez, Cofense Phishing Defense Center
With new vulnerabilities come new updates and patches. Organizations have complex environments, making it difficult to roll out patches quickly, and they often find themselves in a race to patch systems before threat actors can exploit them. Attackers are aware of this delay and may try to take advantage of the patching window. The Cofense Phishing Defense Center (PDC) has spotted such an attempt: an email delivering an HTML application (HTA) file attachment, distributed as a fake patch for a new vulnerability affecting the Chrome web browser.
The email was received by one of our PDC customers, whose well-conditioned users report suspicious messages quickly. It warns the user about a recently reported vulnerability in Google Chrome and a corresponding update for the employee to apply. A web browser like Chrome is a vital everyday tool for employees across many industries, so the threat actors urge recipients to apply the update within 48 hours or functionality may cease (Figure 1). However, any seasoned Chrome user knows these updates are delivered directly within Chrome, and enterprise users know their IT department manages the rollout of software updates.
Figure 1 – Email
After clicking the link, the user arrives at the payload site hxxps://vpnupdate[.]net/chrome[.]html. The page is styled with the well-known Chrome logo and includes a loading GIF to give the impression of a legitimate download (Figure 2). Within a few seconds the browser downloads an HTA file called update.hta (Figure 3).
Figure 2 – Payload Site
Figure 3 – Payload
HTA files are standalone applications composed of HTML and JavaScript or VBScript. They are not executed in the context of a web browser, however, so they sidestep browser-based security measures. Instead, HTA files run under mshta.exe, a legitimate Microsoft binary. Like other utilities often used in living-off-the-land tactics, such as PowerShell, mshta.exe is a well-known tool that gives attackers the ability to execute code on the targeted system while appearing as a signed, trusted process.
When opening the file, the user discovers that the vulnerability in question is CVE-2021-30554 (Figure 4). This is a recently reported zero-day vulnerability affecting the WebGL API of Chromium, an open-source code base used in some of the most popular web browsers including Chrome and Microsoft Edge. Most importantly, exploits have been confirmed in the wild, making the vulnerability a real danger for unpatched browser versions. It is evident threat actors are up to date with security developments as well as organizations’ efforts to patch vulnerable systems.
Figure 4 – Update
The application’s UI is similar to that of the payload site, displaying the Chrome logo but, this time, asking the user to click the “Run Update” button. The user eventually gets confirmation that the update has been applied (Figure 5). This user interaction is just for show; a small piece of JavaScript at the end of the file refreshes the UI to give the impression that something happened.
Figure 5 – Update Applied
The only action of consequence takes place when the HTA file is opened, and it is the work of a short VBScript snippet (Figure 6). In essence, the script gathers the username of the current user as well as the name of the system and sends both in an HTTP GET request to hxxp://vpnupdate[.]net/update. At the time of analysis, however, that page was down (Figure 7).
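The two behaviours described above, mshta.exe being launched on a freshly downloaded .hta file and mshta.exe then making an outbound connection, are both visible in endpoint telemetry. The following detection logic is an added example written for this article; it is not Cofense tooling or code from the campaign. It assumes Sysmon-style events flattened into `Key=Value|Key=Value` lines (EventID 1 for process creation, EventID 3 for network connections, with the standard Sysmon field names), and the sample events are constructed to mirror the chain in the article.

```python
"""
Flag suspicious mshta.exe activity in Sysmon-style process-creation and
network-connection events (added example; assumes Sysmon field names).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry, not real logs from the campaign.
SAMPLE_EVENTS = [
    # Chrome handing a just-downloaded HTA to mshta.exe
    "EventID=1|Image=C:\\Windows\\System32\\mshta.exe|"
    "CommandLine=\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\jdoe\\Downloads\\update.hta\"|"
    "ParentImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|User=CORP\\jdoe",
    # mshta.exe then reaching out over plain HTTP
    "EventID=3|Image=C:\\Windows\\System32\\mshta.exe|"
    "DestinationHostname=vpnupdate.net|DestinationPort=80|User=CORP\\jdoe",
    # Benign: Chrome itself starting from the shell
    "EventID=1|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"
    "CommandLine=\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"|"
    "ParentImage=C:\\Windows\\explorer.exe|User=CORP\\jdoe",
    # Benign: the real updater talking to Google
    "EventID=3|Image=C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe|"
    "DestinationHostname=update.googleapis.com|DestinationPort=443|User=NT AUTHORITY\\SYSTEM",
    # Benign: an installed vendor HTA launched from Explorer
    "EventID=1|Image=C:\\Windows\\System32\\mshta.exe|"
    "CommandLine=\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Program Files\\Vendor\\tool.hta\"|"
    "ParentImage=C:\\Windows\\explorer.exe|User=CORP\\jdoe",
]

# Paths a user (or a browser download) can write to without privileges.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData|INetCache|Desktop)\\", re.IGNORECASE)
# Parents that should not normally be spawning a script host.
BROWSER_OR_MAIL = re.compile(r"\\(chrome|msedge|firefox|outlook)\.exe$", re.IGNORECASE)
HTA_ARG = re.compile(r"\.hta\b", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value|Key=Value' line into a dict (first '=' wins)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_mshta(image: str) -> bool:
    """True when the process image is mshta.exe, regardless of directory."""
    return image.lower().endswith("\\mshta.exe")


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return a list of findings for one parsed event (empty if benign)."""
    findings: List[str] = []
    if not is_mshta(event.get("Image", "")):
        return findings
    if event.get("EventID") == "1":
        cmd = event.get("CommandLine", "")
        if HTA_ARG.search(cmd) and USER_WRITABLE.search(cmd):
            findings.append("mshta.exe launched an .hta from a user-writable path")
        if BROWSER_OR_MAIL.search(event.get("ParentImage", "")):
            findings.append("mshta.exe spawned by a browser or mail client")
    elif event.get("EventID") == "3":
        # A script host making its own network connections is rarely legitimate.
        host = event.get("DestinationHostname", "?")
        port = event.get("DestinationPort", "?")
        findings.append(f"mshta.exe made an outbound connection to {host}:{port}")
    return findings


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line; return (user, finding) pairs."""
    results: List[Tuple[str, str]] = []
    for line in lines:
        event = parse_event(line)
        for finding in evaluate(event):
            results.append((event.get("User", ""), finding))
    return results


if __name__ == "__main__":
    for user, finding in scan(SAMPLE_EVENTS):
        print(f"[{user}] {finding}")
```

Run against the constructed events, the first two lines produce three findings for `CORP\jdoe` (the download-path launch, the browser parent, and the outbound connection), while the legitimate Chrome start, the real updater, and the vendor HTA launched from Explorer produce none. Correlating the three findings on the same user within a short window is the signal worth alerting on; any one of them alone is noisier.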