Common Information
Type | Value
---|---
Value | Compiled HTML File - T1223
Category | Attack-Pattern
Type | Mitre-Attack-Pattern
Misp Type | Cluster
Description | Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program) Adversaries may abuse this technology to conceal malicious code. A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application whitelisting on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)
Details | CTI | Published | Attributes | Title
---|---|---|---|---
Details | Website | 2024-08-21 | 13 | UAC-0020 (Vermin) Activity Detection: A New Phishing Attack Abusing the Topic of Prisoners of War at the Kursk Front and Using FIRMACHAGENT Malware - SOC Prime
Details | Website | 2023-10-06 | 39 | Threat Labs Security Advisory: New STARK#VORTEX Attack Campaign: Threat Actors Use Drone Manual Lures to Deliver MerlinAgent Payloads
Details | Website | 2023-09-28 | 7 | Anticipating File-Borne Threats: How Deep File Inspection Technology Will Shape the Future of Cyber Defense - InQuest
Details | Website | 2023-08-07 | 11 | New MerlinAgent Open-Source Tool Used by UAC-0154 Group to Target Ukrainian State Agencies - SOC Prime
Details | Website | 2023-03-28 | 13 | Tracking the CHM Malware Using EDR - ASEC BLOG
Details | Website | 2023-03-24 | 36 | Phishing Campaign Targets Chinese Nuclear Energy Industry
Details | Website | 2022-06-03 | 32 | Monthly Threat Actor Group Intelligence Report, April 2022 (KOR) – Red Alert
Details | Website | 2022-04-26 | 133 | Lazarus Group APT Targeting South Korean Users \| Zscaler
Details | Website | 2021-01-14 | 663 | Higaisa or Winnti? APT41 backdoors, old and new
Details | Website | 2019-11-12 | 16 | Hunting for Attacker's Tactics and Techniques With Prefetch Files