PoC for onMouseMove HTML file used in the Russian APT Group campaign targeting Ukraine
The HTML File is included as an attachment in the phishing email, when the victim opens the html file and moves the mouse, this triggers the event handler attribute “onmousemove” which runs the Javascript, which further decodes the base64 encoded blob present in the HTML Body.
The base64 decoded blob consisting of further javascript routine which checks the Operating System and if this OS check is satisfied it drops the next stage i.e the ZIP archive decoded from another base64 encoded blob.
In the PoC, the ZIP archive has a text file 🙂 but in the ITW campaign it had a malicious Windows Shortcut File (.LNK) inside thr archive which remotely executed a HTA file via mshta.exe.
A Classic Anti-Sandbox Technique =)
Note: I’ve removed the usage of document.onmousemove event handler used in the ITW sample, as it was not necesary, adding the viewport height (100vh) covers the complete browser window.
vArmor is a cloud-native container sandbox system. It leverages Linux's AppArmor LSM, BPF LSM and Seccomp technologies to implement enforcers.…
Explore the cutting-edge framework 'DOLOST,' designed to innovate the field of cyber deception. This tool…
LDAP Firewall is an open-source tool for Windows servers that lets you audit and restrict incoming…
GeoServer is an open-source software server written in Java that provides the ability to view,…
It is a Code and Infrastructure (IaC) and Cloud-native Scanning/SAST/Static Analysis/Linting solution using many tools/Scanners…
Scan your source code and infra IaC against top security risks Betterscan is a orchestration toolchain that…