Weaponize .chm files with PowerShell — Nishang
Client-side Exploitation, Phishing attachments, PowerShell
In this tutorial, we will learn how to create malicious CHM files with PowerShell; we will use the Nishang framework. Anyone who does not know Nishang framework is a collection of PowerShell scripts and payloads that can be used during pentesting and red teaming engagements.
I started using the framework a year and a half ago when I started solving Hack The box machines. The framework provides a great range of modules to use for different stages of pentesting with windows machines.
Also, it can execute in memory, which is a huge bonus for evading Windows Defender detection 😈. We can basically download any of the framework modules directly to memory and invoke them without touching the disk.
Today’s focus will be on one of the code generation modules that ties to creating malicious CHM files — {Out-CHM.ps1} for client-side exploitation.
Before we jump into it, let’s go over the key concepts.
📖$_Key_Concepts:
- CHM files
- Attack Requirements
- Exploitation Demo
- Prevention
- Resources
$_Compiled_HTML_Help_File
Chm files are old looking files from the nineties. Microsoft created them around 1997 for software documentation and user manuals. That’s why they are called HTML Help files. These files are consistent of HTML compressed pages that include indexes and content tables with hyperlinks to all pages. The interesting and dangerous part is that these hyperlinks can link to internal or external resources, which can be weaponized to download malicious scripts or executables.
The files are compressed and deployed in a binary format with the extension. CHM, for Compiled HTML. They can be viewed using the HTML Help program (hh.exe) that runs whenever a user clicks on a compiled CHM file.
Though Microsoft stopped supporting the .chm format around 2007, they are still can be opened in modern Windows versions and apparently still a security threat if proper controls are not enforced in the working environment. Attackers can create custom CHM files with malicious embedded payloads that get distributed to users through spearphishing, Malspam, or ransomware campaigns.
A few months ago, I was reading a tweet by JAMESWT about a Masslogger campaign that used .chm files in their spyware/phishing emails. The campaign relied on users opening up the compressed files and executing them.
Once they are executed, the malware infection gets activated and starts collecting and stealing users’ sensitive data and transfer them to the C2 server via FTP.
2- Download the Nishang module for creating custom payloads for CHM files -Out-CHM Module from GitHub. You can either use wget or Invoke-WebRequest commands for that.
📌Note: you might need to disable the Windows Defender Protection to download the script to your VM.
😈$_Exploitation_Demo
Now, we have everything ready; let’s go ahead and create the payload for our malicious .chm file.
Start by opening up a Powershell command prompt with Admin privileges. Then, import the CHM module by running the Import-module command.
📌Note: If you get errors importing the module, check the PowerShell Execution Policy, you might need to set the policy as “Unrestricted” to run PS scripts on the VM.
Next, create the payload using the Payload command and specify the path to the HTML Help application (hh.exe) to compile the file.
The module will generate a doc.chm file ready for action.
As with other client-side attacks, this one too relies on user interaction. Social engineering techniques play an essential role in getting the user to interact with the phishing email and execute its contents inadvertently.
The screenshot below from the Sniper machine on HTB. It stimulates the scenario of sending malicious CHM attachments that could target individuals or organizations and manipulate them to execute these attachments.
📝$_Mitigation
- Block downloading and execution of file types that are known to be used in social engineering campaigns.
- Block the running of the HTML Help program if it is not needed in the working environment.
- Raise awareness to identify social engineering techniques and spearphishing campaigns.
That’s all for today. Thanks for reading …
📌This article was originally published in PenTest magazine — Build Your Own Pentest Lab Edition