OnMouseMove-HtmlFile-PoC : Unpacking The HTML File Exploit In Russian APT Cyberattacks

PoC for onMouseMove HTML file used in the Russian APT Group campaign targeting Ukraine

The HTML file is included as an attachment in the phishing email. When the victim opens the HTML file and moves the mouse, this triggers the “onmousemove” event handler attribute, which runs the JavaScript; that JavaScript then decodes the base64-encoded blob present in the HTML body.

The base64-decoded blob consists of a further JavaScript routine that checks the operating system; if this OS check is satisfied, it drops the next stage, i.e. the ZIP archive decoded from another base64-encoded blob.

In the PoC, the ZIP archive contains a text file 🙂, but in the ITW campaign it contained a malicious Windows Shortcut file (.LNK) inside the archive, which remotely executed an HTA file via mshta.exe.

A Classic Anti-Sandbox Technique =)

Note: I’ve removed the document.onmousemove event handler used in the ITW sample, as it was not necessary; adding the viewport height (100vh) makes the element cover the complete browser window.
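A detection-side view of the chain described above, added here as an example and not part of the PoC repository: a static triage script that flags an HTML attachment carrying a mouse-event trigger, an `atob()` call, an OS check inside a base64 layer, and a ZIP header inside a second base64 layer. The base64 length threshold, the hint strings and the `build_sample_html()` fixture are assumptions constructed for the example, not values from the campaign sample.

```python
import base64
import re

# Heuristics, not a parser: a long base64 run is a hidden payload (length threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
HANDLER = re.compile(r"<(\w+)[^>]*?\s(onmouse\w+)\s*=", re.I)  # element with a mouse-event trigger
ZIP_MAGIC = b"PK\x03\x04"
OS_CHECK_HINTS = (b"navigator.platform", b"navigator.userAgent", b"Win32")

def _decode_runs(data: bytes, depth: int = 1, max_depth: int = 3):
    """Yield (depth, decoded) for every base64 run, recursing into what it decodes to."""
    if depth > max_depth:
        return
    for match in B64_RUN.finditer(data.decode("latin-1")):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
            continue
        yield depth, decoded
        yield from _decode_runs(decoded, depth + 1, max_depth)

def scan_html(html: str) -> dict:
    """Report the indicators of the onmousemove smuggling chain found in one HTML document."""
    findings = {"mouse_handlers": [f"<{t.lower()} {a.lower()}>" for t, a in HANDLER.findall(html)],
                "uses_atob": "atob(" in html, "os_check_depth": None, "zip_depth": None}
    for depth, blob in _decode_runs(html.encode("latin-1", "replace")):
        if findings["os_check_depth"] is None and any(h in blob for h in OS_CHECK_HINTS):
            findings["os_check_depth"] = depth
        if findings["zip_depth"] is None and blob.startswith(ZIP_MAGIC):
            findings["zip_depth"] = depth
    findings["suspicious"] = (bool(findings["mouse_handlers"]) and findings["uses_atob"]
                              and findings["zip_depth"] is not None)
    return findings

def build_sample_html() -> str:
    """Constructed fixture with the chain's shape: handler -> base64 JS -> base64 ZIP header."""
    inner = base64.b64encode(ZIP_MAGIC + b"x" * 160).decode()  # fake archive: magic bytes only
    stage2 = b"if (navigator.platform.indexOf('Win') === 0) { var z = '" + inner.encode() + b"'; }"
    outer = base64.b64encode(stage2).decode()
    return f'''<html><body onmousemove="var s=atob('{outer}');"><p>Loading...</p></body></html>'''
```

Run it over mail-gateway attachment samples: a hit on all four indicators, with the ZIP header only visible after two decoding layers, is the shape of this campaign's file and a reason to quarantine before a user ever moves the mouse.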

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
