Security News New FileFix attack runs JScript while bypassing Windows MoTW alerts

Parkinsond

Level 23
Thread author
Dec 6, 2023
1,257
The attack involves a phishing page to trick the victim into copying a malicious PowerShell command. Once they paste it into File Explorer, Windows executes the PowerShell, making it a very subtle attack.

With the new FileFix attack, an attacker would use social engineering to trick the user into saving an HTML page (using Ctrl+S) and renaming it to .HTA, which auto-executes embedded JScript via mshta.exe.

HTML Applications (.HTA) are considered legacy technology. This Windows file type can be used to execute HTML and scripting content using the legitimate mshta.exe in the context of the current user.

The researcher found that when HTML files are saved as "Webpage, Complete" (with MIME type text/html), they do not receive the MoTW tag, allowing script execution without warnings for the user.

When the victim opens the .HTA file, the embedded malicious script runs immediately without any warning.
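An added example (not part of the news post above, and not code from the researcher): a small PowerShell audit that looks for HTML/HTA files in a download folder that carry no Mark-of-the-Web, which is exactly the gap the "Webpage, Complete" save leaves open, and optionally tags them with an Internet-zone `Zone.Identifier` stream so SmartScreen/MoTW checks apply again. The folder path and extension list are assumptions; everything else uses standard NTFS alternate data stream handling.

```powershell
# Added example, not from the article. Audits a folder for web files without MoTW
# (the Zone.Identifier alternate data stream) and can tag them with ZoneId=3.
# Assumes NTFS and Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # Read the ADS; an absent stream throws, which we treat as "no MoTW".
        $ads = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
        $line = $ads | Where-Object { $_ -match '^ZoneId=(\d)' } | Select-Object -First 1
        if ($line -and $line -match '^ZoneId=(\d)') { return [int]$Matches[1] }
        return $null
    } catch {
        return $null
    }
}

function Find-UntaggedWebFiles {
    param(
        [string]$Folder = "$env:USERPROFILE\Downloads",          # assumed default
        [string[]]$Extensions = @('.html', '.htm', '.hta', '.mht')  # assumed list
    )
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName
                Zone = Get-MotwZone -Path $_.FullName
            }
        } |
        # Report files with no stream at all, or a zone below Internet (3).
        Where-Object { $null -eq $_.Zone -or $_.Zone -lt 3 }
}

function Set-MotwInternetZone {
    param([Parameter(Mandatory)][string]$Path)
    # ZoneId 3 = Internet zone; this is the stream a browser download normally writes.
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
}

# Usage: list untagged web files, then tag any .hta so it gets the MoTW prompt.
Find-UntaggedWebFiles | Format-Table -AutoSize
Find-UntaggedWebFiles |
    Where-Object { $_.Path -like '*.hta' } |
    ForEach-Object { Set-MotwInternetZone -Path $_.Path }
```

Tagging after the fact only helps for files already on disk; it does not stop a freshly saved page from being renamed and launched, so it complements rather than replaces blocking `mshta.exe` on machines that do not need it.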

Victor M

Level 19
Verified
Top Poster
Well-known
Oct 3, 2022
904
Tip: Use SRP (software restriction policy) to ban mshta.exe. Nobody uses it anymore. Same goes for cscript.exe. MS keeps old (vulnerable and mis-usable) things around to let people 'prolong their IT investments'. ChatGPT says it first appeared in 1999. (Win 98)

Andy Ful said:
The Kanthak correction to restore SRP functionality on Windows 11 ver.
22H2, works only when Smart App Control is OFF. If it is in Evaluate or ON
mode, then the invalid registry values are automatically restored after
restarting Windows.
To restore SRP on all SAC modes, one should not delete registry values but
simply set the "RuleCount" value to 0:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Srp\Gp]
"RuleCount"=dword:00000000

Parkinsond

Level 23
Thread author
Dec 6, 2023
1,257
Tip: Use SRP (software restriction policy) to ban mshta.exe. Nobody uses it anymore. Same goes for cscript.exe. MS keeps old (vulnerable and mis-usable) things around to let people 'prolong their IT investments'. ChatGPT says it first appeared in 1999. (Win 98)

Andy Ful said:
The Kanthak correction to restore SRP functionality on Windows 11 ver.
22H2, works only when Smart App Control is OFF. If it is in Evaluate or ON
mode, then the invalid registry values are automatically restored after
restarting Windows.
To restore SRP on all SAC modes, one should not delete registry values but
simply set the "RuleCount" value to 0:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Srp\Gp]
"RuleCount"=dword:00000000
I downloaded a full web page and found it really has no MoTW; does using Run-by-SmartScreen add the MoTW and solve such a situation?

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
9,116
I downloaded a full web page and found it really has no MoTW; does using Run-by-SmartScreen add the MoTW and solve such a situation?
The HTA files (and many others) are blocked with an alert when run via "Run by SmartScreen":

[attached screenshot: 1751456218822.png]

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
9,116
Tip: Use SRP (software restriction policy) to ban mshta.exe. Nobody uses it anymore.

SRP is still used on Windows Server editions. It is not so popular on Windows 11 because, from version 24H2, SRP is turned off by default (can be activated).
SRP is deprecated on Windows 10+ because there are new solutions available in Windows Pro and Enterprise editions (AppLocker and WDAC). But SRP is fully functional on all Windows versions:

New and changed functionality

There are no changes in functionality for Software Restriction Policies.

Removed or deprecated functionality

There is no removed or deprecated functionality for Software Restriction Policies.


Victor M

Level 19
Verified
Top Poster
Well-known
Oct 3, 2022
904
@Andy Ful by saying GPO, do you mean gpedit? Even Local Security Policy?

If we use Local Security Policy, can't we just remember to set that registry "RuleCount"=dword:00000000 whenever we finish modifying SRP rules?

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
9,116
@Andy Ful by saying GPO, do you mean gpedit? Even Local Security Policy?

GPO = Group Policy Object.
GPEdit and SecPol depend on GPO.

If we use Local Security Policy, can't we just remember to set that registry "RuleCount"=dword:00000000 whenever we finish modifying SRP rules?

Yes. But, applying any Windows Policy (also non-SRP) via GPO turns off SRP. So using SRP and GPO is risky and requires caution. For most users, maintaining SRP via GPO is a challenge. Most SRP configurations available publicly have some serious flaws. The proper configurations require many rules and extended knowledge about Windows and SRP.
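An added example, not Andy Ful's tool or code from Hard_Configurator: a PowerShell snippet that reads the `Srp\Gp` RuleCount value quoted earlier in the thread, reports whether it is at the working value of 0, and restores it by setting (not deleting) the value, which is the point of the fix for the SAC Evaluate/On modes. It also reads the SRP policy's own `DefaultLevel` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`, a standard SRP location not mentioned in the thread, so you can see whether an SRP policy is even configured before you worry about RuleCount. Run it elevated, and rerun it after any GPO refresh, since the post above notes that applying any policy via GPO turns SRP off again.

```powershell
# Added example, not from the thread's participants. Checks and restores the SRP
# GPO RuleCount value and shows the SRP DefaultLevel. Requires an elevated shell.

$SrpGpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Srp\Gp'                   # from the thread
$SaferKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' # standard SRP key

function Get-SrpRuleCount {
    # Returns the DWORD, or $null when the key/value does not exist.
    if (-not (Test-Path -LiteralPath $SrpGpKey)) { return $null }
    $item = Get-ItemProperty -LiteralPath $SrpGpKey -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.RuleCount) { return $null }
    return [int]$item.RuleCount
}

function Get-SrpDefaultLevel {
    # 0 = Disallowed (default-deny), 0x40000 = Unrestricted; $null = no SRP policy present.
    if (-not (Test-Path -LiteralPath $SaferKey)) { return $null }
    $item = Get-ItemProperty -LiteralPath $SaferKey -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.DefaultLevel) { return $null }
    return [int]$item.DefaultLevel
}

function Restore-SrpRuleCount {
    # Set RuleCount to 0 rather than deleting values: SAC re-creates deleted values on reboot.
    if (-not (Test-Path -LiteralPath $SrpGpKey)) { New-Item -Path $SrpGpKey -Force | Out-Null }
    Set-ItemProperty -LiteralPath $SrpGpKey -Name 'RuleCount' -Value 0 -Type DWord
    return Get-SrpRuleCount
}

function Show-SrpState {
    param([switch]$Fix)
    $level = Get-SrpDefaultLevel
    $count = Get-SrpRuleCount
    $status = [pscustomobject]@{
        SrpPolicyPresent = ($null -ne $level)
        DefaultLevel     = if ($null -ne $level) { '0x{0:X}' -f $level } else { 'n/a' }
        RuleCount        = if ($null -ne $count) { $count } else { 'missing' }
        RuleCountOk      = ($count -eq 0)
    }
    if ($Fix -and -not $status.RuleCountOk) {
        $status.RuleCount   = Restore-SrpRuleCount
        $status.RuleCountOk = ($status.RuleCount -eq 0)
    }
    return $status
}

# Usage: report only, then report-and-fix.
Show-SrpState | Format-List
Show-SrpState -Fix | Format-List
```

Keeping the fix in a function you rerun after `gpupdate` is the practical answer to Victor M's question: the value can be reset by policy processing, so treat RuleCount=0 as something to verify, not something set once.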

Victor M

Level 19
Verified
Top Poster
Well-known
Oct 3, 2022
904
If they play with security restrictions of any sort and don't have drive image backups then they should really think twice.