Unit 42 finds polyglot files delivering IcedID malware

Palo Alto Networks' Unit 42 says attackers are using decoy Microsoft Compiled HTML Help files containing multiple file formats to infect systems with information-stealing malware.

Threat actors are leveraging polyglot file attacks to evade detection and deliver information-stealing malware, according to new research.

Palo Alto Networks' Unit 42 threat intelligence team discovered last month an attack technique that starts with a phishing email and combines polyglot file attacks with Microsoft Compiled HTML Help (CHM) file abuse. The sample analysis was published Tuesday in a blog post where Mark Lim, senior malware reverse engineer at Palo Alto Networks, detailed how the infamous IcedID, a malware abused by multiple ransomware gangs, was delivered as the final payload.

Though IcedID was involved in the attack chain that Unit 42 observed, the tactic highlighted a bigger threat as attackers can hide any malware by writing code in multiple languages to evade detection. The technique allows threat actors to bypass antimalware systems that rely on file format identification.

"It is important for defenders not to trust binaries based on their file types since polyglot files such as the one discussed here have more than one correct file type," Lim wrote in the blog post.

While analyzing the August attack, researchers observed threat actors executing the same CHM file twice in the infection process. They also uncovered a command-and-control URL as one indicator of compromise for IcedID.

"The first execution exhibits benign activities, while the second execution stealthily carries out malicious behaviors," the blog post read.

The first execution of the malicious CHM file used only the default Microsoft HTML Help executable, while the second used Microsoft HTML Application Host to execute the malicious JavaScript code.

Screenshot of the decoy help window that deploys IcedID malware
Unit 42 detailed an attack chain that allowed threat actors to evade detection and deploy IcedID.

Lim told TechTarget Editorial that the first CHM file acts as a decoy to the users, while the second one carries out malicious behaviors in the background. In this case, the decoy was a Microsoft Customer Service and Support window.

"Malware detection systems that rely on signatures that were based on file format identification might be evaded by the malicious CHM file," Lim said in an email. "The malicious JavaScript code in the CHM file, given its short length, could easily be blended together with the rest of the legit HTML code in the CHM file."

Lim confirmed that polyglot files have been used for some time, but warned in the blog post that threat actors continue to evolve their techniques to evade detection. He added that modern endpoint detection and response products, including Palo Alto Networks' Cortex extended detection and response platform, can detect and stop malicious polyglots. "Cortex XDR monitors the processes that are created and the user behaviors, not requiring the need for IoCs to be ingested into the tool."

Unit 42 did not attribute the malicious CHM file to a specific threat group or cybercrime gang. Lim did note that multiple attack groups have used CHM files to conceal payloads written using PowerShell or JavaScript. Those groups include APT41, a Chinese state-sponsored outfit, and Evasive Serpens, an Iranian hacking group also known as APT34 or OilRig.

Dig Deeper on Threats and vulnerabilities