A new FileFix attack allows executing malicious scripts while bypassing the Mark of the Web (MoTW) protection in Windows by exploiting how browsers handle saved HTML webpages.
The technique was devised by security researcher mr.d0x. Last week, the researcher showed how the first FileFix method worked as an alternative to ‘ClickFix’ attacks by tricking users into pasting a disguised PowerShell command into the File Explorer address bar.
The attack involves a phishing page to trick the victim into copying a malicious PowerShell command. Once they paste it into File Explorer, Windows executes the PowerShell, making it a very subtle attack.
With the new FileFix attack, an attacker would use social engineering to trick the user into saving an HTML page (using Ctrl+S) and renaming it to .HTA, which auto-executes embedded JScript via mshta.exe.
HTML Applications (.HTA) are considered legacy technology. This Windows file type can be used to execute HTML and scripting content using the legitimate mshta.exe in the context of the current user.
The researcher found that when HTML files are saved as “Webpage, Complete” (with MIME type text/html), they do not receive the MoTW tag, allowing script execution without warnings for the user.
When the victim opens the .HTA file, the embedded malicious script runs immediately without any warning.
The highest-friction part of the attack is the social engineering step, where victims have to be tricked into saving a webpage and renaming it.
One way around this is by designing a more effective lure, such as a malicious website prompting users to save multi-factor authentication (MFA) codes to maintain future access to a service.
The page would instruct the user to press Ctrl+S (Save As), choose “Webpage, Complete,” and save the file as ‘MfaBackupCodes2025.hta.’

Source: mr.d0x
Although this requires more interaction, if the malicious webpage appears genuine and the user does not have a deep understanding of file extensions and security warnings, they could still fall for it.
An effective defense strategy against this variant of the FileFix attack is to disable or remove the ‘mshta.exe’ binary from your environment (found in C:\Windows\System32 and C:\Windows\SysWOW64).
Additionally, consider enabling file extension visibility on Windows and blocking HTML attachments on email.
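
A read-only audit of the mitigations above, plus a hunt for .hta files that carry no MoTW, written as an added example that is not from the original article or the researcher. The folder list (Downloads, Desktop, Documents) is an assumption about where a saved page is likely to land, and the output column names are illustrative.

```powershell
# Added example: read-only audit for the FileFix .HTA variant. Changes nothing on disk.
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Is mshta.exe still present in the two locations the article names?
foreach ($dir in "$env:WINDIR\System32", "$env:WINDIR\SysWOW64") {
    $path = Join-Path $dir 'mshta.exe'
    if (Test-Path -LiteralPath $path) {
        $findings.Add([pscustomobject]@{ Check = 'mshta.exe present'; Detail = $path })
    }
}

# 2. Are file extensions hidden for the current user?
#    HideFileExt = 0 shows extensions; 1 (or a missing value) hides them.
$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -ne 0) {
    $findings.Add([pscustomobject]@{ Check = 'Extensions hidden'; Detail = "HideFileExt=$hide" })
}

# 3. .hta files in user folders with no Zone.Identifier stream (no MoTW).
#    Folder names are an assumption; adjust to your environment.
$roots = 'Downloads', 'Desktop', 'Documents' |
    ForEach-Object { Join-Path $env:USERPROFILE $_ } |
    Where-Object   { Test-Path -LiteralPath $_ }

$roots |
    Get-ChildItem -Recurse -File -Filter '*.hta' -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq '.hta' } |   # -Filter can over-match; pin the extension
    ForEach-Object {
        # Zone.Identifier is the NTFS alternate data stream that holds the MoTW.
        $zone = Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if (-not $zone) {
            $findings.Add([pscustomobject]@{
                Check  = '.hta without MoTW'
                Detail = '{0} (modified {1:u})' -f $_.FullName, $_.LastWriteTimeUtc
            })
        }
    }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize -Wrap }
```

A `.hta without MoTW` finding is a lead, not a verdict: files created locally also lack the stream, so review each file's contents and origin before acting on it.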