Hackers Weaponize Compiled HTML Help to Deliver Malicious Payload

Threat actors have exploited Microsoft Compiled HTML Help (CHM) files to distribute malware, with a notable sample named deklaracja.chm uploaded to VirusTotal from Poland.

This CHM file, a binary container for compressed HTML and associated objects, serves as a delivery vehicle for a multi-stage infection chain.

Upon execution via the default hh.exe handler, the file displays a decoy image deklaracja.png, mimicking a bank transfer receipt from Polish bank PKO to lull victims while initiating malicious processes in the background.

Technical Breakdown

Decompression reveals the core components: the standard CHM system files prefixed with ‘#’; an obfuscated index.htm whose embedded JavaScript shows obfuscator.io patterns such as _0x-prefixed variables and array-indexed string retrieval; a cabinet (CAB) file disguised as desktop.mp3 that contains the unt32.dll payload; and the decoy PNG mentioned above.

The obfuscated JavaScript in index.htm decodes a large hexadecimal string into executable HTML, which orchestrates the attack: it creates an iframe to display the decoy, uses a deprecated tag that is primarily supported by Internet Explorer to force-download desktop.mp3 as a temporary file, and instantiates an ActiveX object via CLSID adb880a6-d8ff-11cf-9377-00aa003b7a11 (which maps to hhctrl.ocx).

According to the report, this ActiveX control simulates a button click to execute a command chain: a minimized cmd.exe changes directory to %temp%, uses the LOLbin forfiles.exe with /M to enumerate .tmp files, checks for a file size of 180738 bytes (matching desktop.mp3), extracts the embedded DLL with expand, and loads it via rundll32.exe by invoking ordinal #1.
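The chain above (hh.exe spawning cmd.exe, forfiles.exe enumerating .tmp files, expand unpacking a CAB, rundll32.exe calling an ordinal export) is what a defender can hunt for in process-creation telemetry. The following is an added example, not code from the report or its researchers; it assumes simple (pid, ppid, image, command line) records, and the events it runs over are constructed, not real telemetry:

```python
import re
from collections import defaultdict

# Constructed process-creation events: (pid, ppid, image, command line).
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "hh.exe", r'"C:\Windows\hh.exe" C:\Users\u\Downloads\deklaracja.chm'),
    (300, 200, "cmd.exe", "cmd.exe /c cd /d %temp%"),
    (310, 300, "forfiles.exe", 'forfiles.exe /M *.tmp /C "..."'),
    (320, 300, "expand.exe", r"expand.exe C:\Users\u\AppData\Local\Temp\abc.tmp unt32.dll"),
    (330, 300, "rundll32.exe", "rundll32.exe unt32.dll,#1"),
    # Benign noise: an admin shell running rundll32 with a named export, no hh.exe ancestor.
    (400, 100, "cmd.exe", "cmd.exe"),
    (410, 400, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

# Weak signals, each (name, image, command-line regex); none is alarming on its own.
SIGNALS = [
    ("forfiles_tmp_enum", "forfiles.exe", re.compile(r"/M\s+\S*\.tmp\b", re.I)),
    ("expand_tmp_source", "expand.exe", re.compile(r"\S+\.tmp\b", re.I)),
    ("rundll32_ordinal", "rundll32.exe", re.compile(r",\s*#\d+\b")),
]

def _root_hh(pid, parent, image):
    """Walk up the process tree; return the pid of the nearest hh.exe ancestor, else None."""
    seen = set()
    while pid in parent and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
        if image.get(pid) == "hh.exe":
            return pid
    return None

def find_chm_chains(events, min_signals=2):
    """Return {hh.exe pid: sorted signal names} for trees with at least min_signals hits."""
    parent = {pid: ppid for pid, ppid, _, _ in events}
    image = {pid: img.lower() for pid, _, img, _ in events}
    hits = defaultdict(set)
    for pid, ppid, img, cmd in events:
        root = _root_hh(pid, parent, image)
        if root is None:          # not descended from a CHM viewer: ignore
            continue
        if img.lower() == "cmd.exe" and image.get(ppid) == "hh.exe":
            hits[root].add("cmd_child_of_hh")
        for name, sig_img, rx in SIGNALS:
            if img.lower() == sig_img and rx.search(cmd):
                hits[root].add(name)
    return {r: sorted(s) for r, s in hits.items() if len(s) >= min_signals}

if __name__ == "__main__":
    print(find_chm_chains(SAMPLE_EVENTS))
```

Requiring several signals under one hh.exe root keeps a lone rundll32 or expand invocation from firing, while the benign tree (pids 400 and 410) is never scored because it has no CHM viewer ancestor.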

unt32.dll is a C++ downloader whose strings are XOR-encrypted with a 128-byte rotating key and decrypted in chunks (e.g., 5-byte segments for the User-Agent). It uses the WinHTTP APIs to fetch a payload from hxxps://rustyquill[.]top/shw/the-magnus-protoco1.jpg, a domain and filename that reference the Rusty Quill podcast.

The downloader checks that the response is larger than 289109 bytes, strips the initial segment (likely a benign JPEG header), decrypts the appended data with the same XOR key, saves the resulting DLL as C:\Users\%user%\AppData\Local\TaskSync\net32.dll, executes it via rundll32.exe on ordinal #1, and establishes persistence through a COM-created Scheduled Task.

Broader Implications

This tactic aligns with prior campaigns, including a CHM file in dowód_wpłaty.zip shared on April 7, 2025, also tied to rustyquill[.]top, suggesting a persistent threat actor.

Attribution points to FrostyNeighbor or UNC1151, a Belarus-linked group with a history of targeting Ukraine, Lithuania, Latvia, Poland, and Germany, consistent with the Polish upload origin.

The use of themed lures like banking documents and podcast references indicates social engineering tailored to regional victims, potentially evading detection through benign image masquerades and indirect command execution via LOLbins.

Efforts to locate appended-payload versions of the-magnus-protoco1.jpg via YARA rules matching JPEG headers and byte patterns yielded no matches, hinting at transient or geofenced delivery.

This underscores the evolving abuse of legacy formats like CHM for malware deployment, blending obfuscation, ActiveX exploitation, and steganographic techniques in images to bypass endpoint defenses.

Indicators of Compromise (IOCs)

| Indicator | Type | Value | Description |
|---|---|---|---|
| File | SHA256 | 0d3dbaa764acb2b87ae075aa2f5f924378991b39587b0c5e67a93b10db39ddd9 | deklaracja.chm |
| File | SHA256 | 156ad4975e834355b2140d3c8fe62798fe6883364b8af1a1713f8b76c7b33947 | index.htm |
| File | SHA256 | be5a40b5622d21b46cbc87fd6c3f8ebcb536ec8480491a651c1625ee03ae2c6f | desktop.mp3 (CAB file) |
| File | SHA256 | f55e06a87e2a20989ddb76d9f2e3ebb303659ad306ba54e3ed7f8dcc4456d71b | deklaracja.png (decoy) |
| URL | | hxxps://rustyquill[.]top/shw/the-magnus-protoco1.jpg | Payload download endpoint |
| File | SHA256 | 0631696f484633f4aeb8f817af2a668806ab4dca70f006dc56fc9cd9dcda4dbe | Previous sample: dowod.chm |
| File | SHA256 | 4d09fad2630ec33ab6bb45b85455c6a6ac7b52f8dae9b90736db4a5f00f72ea9 | Previous sample: dowód_wpłaty.zip |
