Newly discovered FileFix attack variant exploits how browsers handle saved HTML pages to execute malicious JavaScript.

A newly discovered FileFix attack variant exploits how browsers handle saved HTML pages to execute malicious JavaScript while evading Windows’ Mark of the Web (MoTW) security alerts. This technique, detailed by security researcher mr.d0x, bypasses critical security warnings by manipulating file-saving behaviors.

Attack Mechanism

The attack involves a multi-step social engineering process:

1. Phishing Lure: Victims are tricked into visiting a malicious webpage (e.g., disguised as an MFA code backup page).
2. File Manipulation: Users are instructed to save the page with Ctrl+S, selecting the “Webpage, Complete” format. Files saved this way do not receive the MoTW security tag.
3. Extension Swap: The saved .html file is renamed to .HTA (HTML Application), a legacy Windows format that auto-executes embedded JScript via mshta.exe.
4. Silent Execution: Opening the .HTA file runs the malicious script immediately—without MoTW warnings—because the file lacks the security marker.

Key Exploits

• MoTW Bypass: Saving as “Webpage, Complete” omits the security tag, allowing untrusted scripts to run.
• Legacy Abuse: .HTA files leverage the outdated mshta.exe to execute scripts with user privileges.
• Social Engineering: Attackers use high-pressure scenarios (e.g., “save your MFA codes”) to compel user interaction.

Defense Recommendations

• Disable mshta.exe: Remove or restrict this binary (located in System32 and SysWOW64) to block .HTA execution.
• Enforce File Extension Visibility: Ensure Windows displays full file extensions to detect suspicious renames (e.g., .html to .hta).
• Block HTML Attachments: Filter email attachments with .html or .hta extensions at the gateway.
• User Training: Educate users to avoid saving webpages from untrusted sources and to scrutinize file-renaming requests.
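The following PowerShell script is an added, defender-side example (not code from the article or from the researcher it cites) that audits the host-level controls listed above: it checks whether Explorer hides file extensions (the HideFileExt registry value), whether .HTA files are still associated with a present mshta.exe, and which .hta/.html files under a folder carry no Zone.Identifier stream, which is the Mark of the Web gap the article describes. It assumes Windows 10/11 with PowerShell 5.1 or later; the default scan root (the user's Downloads folder), the `-Enforce` switch and the "<name>_files" sibling-folder heuristic are assumptions made for this example.

```powershell
# Added example, not from the original article: a defender-side audit of the
# controls the article recommends. Assumes Windows 10/11, PowerShell 5.1+.
# $AuditRoot (hypothetical default: the user's Downloads folder) is scanned for
# web files that lack Mark of the Web.

[CmdletBinding()]
param(
    [string]$AuditRoot = (Join-Path $env:USERPROFILE 'Downloads'),
    [switch]$Enforce   # set HideFileExt=0 instead of only reporting it
)

# 1. File-extension visibility. HideFileExt = 1 (the default) hides known
#    extensions, so "codes.hta" can display as just "codes"; 0 shows them.
function Test-ExtensionsVisible {
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $item = Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.HideFileExt -eq 0)
}

function Enable-ExtensionVisibility {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name HideFileExt -Value 0 -Type DWord
}

# 2. Is .HTA still wired to mshta.exe? The htafile ProgID's open command names
#    the handler. If the binary has been removed from System32/SysWOW64 or the
#    association is gone, opening a renamed page will not execute it.
function Get-HtaHandler {
    $cmdKey   = 'Registry::HKEY_CLASSES_ROOT\htafile\shell\open\command'
    $cmd      = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    $binaries = @("$env:windir\System32\mshta.exe", "$env:windir\SysWOW64\mshta.exe" |
                  Where-Object { Test-Path -LiteralPath $_ })
    [pscustomobject]@{
        OpenCommand   = $cmd
        MshtaPresent  = $binaries
        HtaExecutable = ($null -ne $cmd -and $cmd -match 'mshta\.exe' -and $binaries.Count -gt 0)
    }
}

# 3. Web files with no Zone.Identifier stream. A browser download carries
#    "ZoneId=3" (Internet) in that alternate data stream; a page saved with
#    Ctrl+S as "Webpage, Complete" does not. A sibling "<name>_files" folder is
#    the leftover trace of a complete-page save (heuristic only).
function Get-UnmarkedWebFiles {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include *.hta, *.html, *.htm -ErrorAction SilentlyContinue |
    ForEach-Object {
        $zone   = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        foreach ($line in @($zone)) {
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
        }
        $sidecar = Join-Path $_.DirectoryName ($_.BaseName + '_files')
        [pscustomobject]@{
            Path          = $_.FullName
            Extension     = $_.Extension
            ZoneId        = $zoneId      # $null means no Mark of the Web
            SavedComplete = (Test-Path -LiteralPath $sidecar -PathType Container)
        }
    } | Where-Object { $null -eq $_.ZoneId }
}

# ---- Report ----
if (-not (Test-ExtensionsVisible)) {
    Write-Warning 'Known file extensions are hidden; a renamed .hta can masquerade as a plain file.'
    if ($Enforce) {
        Enable-ExtensionVisibility
        Write-Host 'HideFileExt set to 0 (takes effect after Explorer restarts).'
    }
}

$hta = Get-HtaHandler
if ($hta.HtaExecutable) {
    Write-Warning "HTA files still open with: $($hta.OpenCommand)"
    Write-Host 'Restrict mshta.exe (for example with an AppLocker or WDAC deny rule) or remove the htafile association.'
}

# Files that would open without any MoTW prompt; .hta entries with
# SavedComplete = True match the rename pattern the article describes.
Get-UnmarkedWebFiles -Root $AuditRoot | Format-Table Path, Extension, ZoneId, SavedComplete -AutoSize
```

Run it as the affected user (the HideFileExt value lives under HKCU) and pass `-Enforce` to correct the extension setting in place; the mshta.exe restriction is reported rather than applied, since a deny rule belongs in centrally managed AppLocker or WDAC policy rather than in an ad-hoc script.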