Summary
In November of 2021, we described several techniques used by attackers to deliver malware through infected Microsoft Office files. In addition to exploits like CVE-2021-40444, these infected documents frequently abuse VBA (Visual Basic for Applications) to execute their techniques, regardless of the final payload. Attackers also often use extra layers of protection to evade signature-based detections, like constructing PowerShell scripts and WMI namespaces at runtime, as done by Emotet. In addition to code obfuscation, attackers use other techniques to evade detection like non-standard file types in Microsoft Word.
Netskope Threat Labs is currently tracking a malicious campaign that uses Web Page Archive files (“.mht” or “.mhtml”) to deliver infected documents, which eventually deploys a backdoor that uses Glitch for C2 communication. This is effective because Microsoft Word is able to open the document in “.mht” format, even using the “.doc” extension.
The usage of Web Archive files to deliver infected documents was previously seen and linked to APT32 (a.k.a. Ocean Lotus and Cobalt Kitty), a cyber espionage group known for targeting governments and journalists. Furthermore, a similar backdoor used in this campaign was spotted in August 2021 and also linked to this same threat group.
In this blog post, we will show details about how this threat campaign works.
Stage 01 – RAR Files
The attack chain starts with a RAR file that contains the infected Web Archive, probably delivered through phishing campaigns. We have spotted some of the files in VirusTotal with a low detection rate, between 7 and 10 engines.
![Example of RAR files related to this malicious campaign.](https://www.netskope.com/wp-content/uploads/2022/01/Malicious-Web-Archive-Files-1.png)
The MHT file compressed in the RAR is quite large, between 35 and 63 MB, containing the infected Word document as well as other files used throughout the attack.
![Screenshot. Web Archive file that is opened by Microsoft Word](https://www.netskope.com/wp-content/uploads/2022/01/Malicious-Web-Archive-Files-2.png)
Furthermore, we also found the “Zone.Identifier” file within the RAR, which is a common ADS (Alternate Data Stream) used to store metadata about the original file.
![Screenshot of Zone.Identifier ADS within the RAR file.](https://www.netskope.com/wp-content/uploads/2022/01/Malicious-Web-Archive-Files-3.png)
Modern browsers may include additional information about the downloaded object in this ADS, such as the source URL and the ZoneID, which defines the security zone based on where the file was downloaded from.
Microsoft Word won’t open the Web Archive file if the ZoneID is 3 or 4, as this indicates that the fil