Novel FileFix attack variant detailed

BleepingComputer reports that threat actors could achieve covert malicious script execution with a new variant of the FileFix attack technique, which abuses the way browsers save HTML pages to disk.
Intrusions begin with a social engineering lure that persuades the target to save a web page locally and rename it with a .HTA extension, according to cybersecurity researcher mr.d0x, who discovered the attack method. An .HTA file is opened by mshta.exe rather than by the browser, so the page's embedded JavaScript runs automatically, and the saved file does not trigger Windows' Mark of the Web defenses. Attackers could also use the technique for more potent compromises by operating malicious websites that trick users into saving a page of multi-factor authentication codes, said mr.d0x, who noted that the extra interaction required is unlikely to deter victims as long as the site looks legitimate. In light of the threat, organizations have been urged to disable or remove the mshta.exe binary from C:\Windows\System32 and C:\Windows\SysWOW64, restrict HTML attachments in email, and enable file extension visibility in Windows Explorer.
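The mitigations listed above are host-side changes an administrator would script. The following PowerShell is an added example written for this article, not code from BleepingComputer, SC Media or mr.d0x: it audits both mshta.exe locations and the Explorer setting that hides file extensions, and, when run elevated with the assumed -Remediate switch, renames the binary (reversible, unlike deletion) and makes extensions visible for the current user. The -Remediate switch and the output labels are this script's own conventions.

```powershell
<#
  Added example, not from the original article. Run in an elevated
  PowerShell session. -Remediate is a switch defined by this script only.
#>
[CmdletBinding()]
param([switch]$Remediate)

# 1. mshta.exe exists in both the 64-bit and the WOW64 system directories;
#    both must be handled or a 32-bit launch still succeeds.
$mshtaPaths = @(
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\SysWOW64\mshta.exe"
)

foreach ($path in $mshtaPaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "OK       $path is absent"
        continue
    }
    Write-Output "PRESENT  $path"
    if ($Remediate) {
        # The file is owned by TrustedInstaller: take ownership for the
        # Administrators group and grant it full control before renaming.
        & takeown.exe /F $path /A | Out-Null
        & icacls.exe $path /grant "Administrators:F" | Out-Null
        Rename-Item -LiteralPath $path -NewName 'mshta.exe.disabled' -Force
        Write-Output "RENAMED  $path -> mshta.exe.disabled"
    }
}

# 2. Show file extensions so a saved 'codes.hta' is not displayed as 'codes'.
#    HideFileExt is a per-user Explorer value; 1 = hidden, 0 = shown.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -eq 0) {
    Write-Output "OK       file extensions are visible (HideFileExt=0)"
} else {
    Write-Output "HIDDEN   file extensions are hidden (HideFileExt=$hide)"
    if ($Remediate) {
        Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0 -Type DWord
        Write-Output "SET      HideFileExt=0 (restart explorer.exe to apply)"
    }
}
```

Two caveats for anyone deploying this: Windows servicing (a cumulative update or `sfc /scannow`) can restore mshta.exe, so the audit should be re-run periodically, and an AppLocker or WDAC rule denying mshta.exe is the more durable control; and HideFileExt under HKCU only affects the user who ran the script, so fleet-wide enforcement belongs in Group Policy. The third mitigation, blocking HTML attachments, is a mail gateway setting and is not covered by this script.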