By Elmer Hernandez, Cofense Phishing Defense Center

With new vulnerabilities come new updates and patches. Organizations have complex environments that make it difficult to roll out patches quickly, and they often find themselves in a race to patch systems before threat actors can exploit them. Attackers are aware of this delay and may try to take advantage of the patching cycle. The Cofense Phishing Defense Center (PDC) has spotted such an attempt: an email delivering an HTML application (HTA) file attachment, distributed as a fake patch for a new vulnerability affecting the Chrome web browser.

The email was received by one of our PDC customers with well-conditioned users who quickly report. It warns the user about a recently reported vulnerability in Google Chrome and a corresponding update for the employee to apply. A web browser like Chrome is a vital everyday tool for employees across several industries, so threat actors urge recipients to apply the update within 48 hours or functionality may cease (Figure 1). However, any seasoned Chrome user knows these updates are available directly within Chrome, and enterprise users know their IT department manages pushing out software updates.

Figure 1 – Email

After clicking, the user arrives at the payload site hxxps://vpnupdate[.]net/chrome[.]html. The page is styled with the well-known Chrome logo and includes a loading GIF to give the impression of a legitimate download (Figure 2). Within a few seconds the browser will download an HTA file called update.hta (Figure 3).

Figure 2 – Payload Site

Figure 3 – Payload

HTA files are standalone applications, composed of HTML and JavaScript or VBS. However, they are not executed in the context of a web browser, sidestepping any browser-based security measures. Instead, HTA files run using mshta.exe, a legitimate Microsoft binary. Like other utilities often used in living-off-the-land tactics such as PowerShell, mshta.exe is a well-known tool that grants attackers the ability to execute malicious code on the targeted system.
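A defender watching for this technique would key on process-creation telemetry showing mshta.exe opening an .hta from a user-writable location such as a Downloads folder. The following is an added detection example (not code from the post); the Sysmon-style records are constructed, and the set of "user-writable" path markers is an assumption.

```python
"""Flag mshta.exe process-creation events that execute an .hta file from a
user-writable directory. Added example; the records below are constructed in a
Sysmon Event ID 1 style and are not real telemetry."""
import re
from pathlib import PureWindowsPath

# Path fragments where a freshly downloaded HTA typically lands (assumption).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")

# Constructed sample events (not from the original post).
EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\jdoe\Downloads\update.hta"',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Program Files\Vendor\setup.hta',
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\admin"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\Downloads\update.hta",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe"},
]

def hta_from_commandline(cmdline):
    """Return the first .hta path found in a command line, or None."""
    m = re.search(r'"?([A-Za-z]:\\[^"]*?\.hta)"?', cmdline, re.IGNORECASE)
    return m.group(1) if m else None

def is_user_writable(path):
    """True if the path sits under one of the user-writable markers."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)

def detect_mshta_hta(events):
    """Return one alert per mshta.exe launch of an .hta from a user-writable dir."""
    alerts = []
    for ev in events:
        if PureWindowsPath(ev["Image"]).name.lower() != "mshta.exe":
            continue
        hta = hta_from_commandline(ev.get("CommandLine", ""))
        if hta and is_user_writable(hta):
            alerts.append({"user": ev["User"], "hta": hta,
                           "parent": PureWindowsPath(ev["ParentImage"]).name})
    return alerts
```

The second event (an .hta under Program Files) is deliberately left unflagged so the rule stays focused on downloaded files rather than every mshta.exe invocation.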

When opening the file, the user discovers that the vulnerability in question is CVE-2021-30554 (Figure 4). This is a recently reported zero-day vulnerability affecting the WebGL API of Chromium, an open-source code base used in some of the most popular web browsers including Chrome and Microsoft Edge. Most importantly, exploits have been confirmed in the wild, making the vulnerability a real danger for unpatched browser versions. It is evident threat actors are up to date with security developments as well as organizations’ efforts to patch vulnerable systems.

Figure 4 – Update

The application’s UI is similar to that of the payload site, displaying the Chrome logo but, this time, asking the user to click the “Run Update” button. The user eventually gets confirmation that the update has been applied (Figure 5). This user interaction is just for show; a small piece of JavaScript at the end of the file refreshes the UI to give the impression that something happened.

Figure 5 – Update Applied

The only apparent action of consequence takes place when opening the HTA file, a product of a short VBS script (Figure 6). In essence, the script gathers the username of the current user as well as the name of the system and includes this in a GET HTTP request to hxxp://vpnupdate[.]net/update. However, the page is down (Figure 7).
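The GET request described above, along with the earlier download of chrome.html, is what a web proxy or egress log would record. The following is an added example (not code from the post) that scans constructed proxy log lines for the two URLs and the IP listed in the indicators; the log line format and the query parameter names (u, h) are assumptions, since the post states only that the script sends the username and hostname.

```python
"""Scan proxy log lines for contact with the URLs and IP named in the post.
Added example; log format and beacon query parameter names are assumptions."""
from urllib.parse import urlsplit, parse_qs

# Indicators from the post, with defanging brackets removed for matching.
IOC_HOST = "vpnupdate.net"
IOC_IP = "35.178.206.100"
PAYLOAD_PATH = "/chrome.html"   # page that serves update.hta
BEACON_PATH = "/update"         # target of the VBS script's GET request

# Constructed sample lines: "<time> <client-ip> <method> <url> <dest-ip> <status>".
LOG_LINES = """\
2021-06-25T09:12:01Z 10.0.5.23 GET https://vpnupdate.net/chrome.html 35.178.206.100 200
2021-06-25T09:12:09Z 10.0.5.23 GET http://vpnupdate.net/update?u=jdoe&h=WS-0423 35.178.206.100 503
2021-06-25T09:13:44Z 10.0.5.41 GET https://www.google.com/chrome/ 142.250.74.78 200
""".splitlines()

def classify(line):
    """Return (stage, detail) for a line touching an indicator, else None."""
    try:
        _, client, method, url, dest_ip, _ = line.split()
    except ValueError:
        return None  # malformed line; skip rather than crash the scan
    parts = urlsplit(url)
    if parts.hostname != IOC_HOST and dest_ip != IOC_IP:
        return None
    if parts.path == PAYLOAD_PATH:
        return ("payload_download", {"client": client})
    if parts.path == BEACON_PATH and method == "GET":
        # Parameter names u/h are an assumption; the post only says the
        # script sends the username and system name in a GET request.
        q = parse_qs(parts.query)
        return ("beacon", {"client": client, "user": q.get("u", [None])[0],
                           "host": q.get("h", [None])[0]})
    return ("ioc_contact", {"client": client, "url": url})

def scan(lines):
    """Return all indicator hits, in log order."""
    return [hit for hit in (classify(l) for l in lines) if hit]
```

A 503 on the beacon, as in the sample, still confirms the HTA ran on the client and leaked the username and hostname, even though the server side is down.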

Figure 6 – VBS script

Figure 7 – HTTP GET Request

It is unclear whether a secondary payload was to be retrieved from the site, or whether the threat actors are conducting initial reconnaissance/testing to identify potential victims for a follow-up attack. Whichever the case may be, it is important to be aware of the varied ways threat actors can get users to execute malicious code on targeted systems. While malicious HTA files are not new, they remain an uncommon tactic that can be used to run any JavaScript or VBS. Be on the lookout for mshta.exe.

How Cofense Can Help

Employee conditioning is key. Cofense PhishMe can help increase threat awareness in your organization through phishing simulation and training programs in order to prepare staff for this, and myriad other threats. When the real thing comes knocking at your users’ inbox, Cofense Reporter empowers employees to put their training to use and become active defenders, sending the threat to your security team, or to us in the Phishing Defense Center for a managed phishing detection and response solution.

Indicators of Compromise

URL: hxxps://vpnupdate[.]net/chrome[.]html
IP: 35.178.206.100

File IoC
Name: update.hta
MD5: 3c7d740f238f892da4200d9269dd1aca
SHA256: c6813d0e87cd871df88a7ab72133ad110784d5fa9dab88d1f9218e83e446e2b0
Size: 125938 bytes (122K)


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.