The MMPC came across an interesting piece of social engineering today, observed circulating on 4chan message boards, that embeds a malicious script in an image. On further investigation, it became apparent that this is the next stage in the evolution of a threat known as 4chan.js, which has been around since 2008. The scenario relies on users' trust in image file formats and their unfamiliarity with the .HTA format (by the way, HTA stands for HTML Application).
The user is sent a .PNG file that looks similar to the following screenshots:
The .PNG file stores its data in a compressed format, so the file itself looks quite innocuous. Did you notice the fuzz at the bottom of the images shown above? That fuzz is actually compressed data stored within the image.
The following is a screenshot of the .PNG file as seen in binary:
What is interesting about this file is the method of social engineering that the malware authors have employed. They are counting on the user following the instructions purely out of curiosity, to see what will happen. Most users are likely to trust an image format and might not realize that the same image file can contain an embedded malicious script.
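As an added example (not code from this MMPC post or from the analysed sample), the following Python scanner shows one way a defender can check a PNG for this kind of embedding: it inflates the pixel data and looks for HTA/script text that has no business being in an image, and it also reports any bytes appended after the IEND chunk. It assumes a non-interlaced PNG whose rows use filter type 0; the sample PNG it builds is a constructed test input.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Text that has no business appearing inside an image's pixel data.
SCRIPT_MARKERS = (b"<script", b"<hta:application", b"vbscript", b"javascript")

def png_chunks(data):
    """Yield (type, body) per chunk, then (b"TRAIL", bytes after IEND)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length + type + body + CRC
        if ctype == b"IEND":
            break
    yield b"TRAIL", data[pos:]

def scan_png(data):
    """Flag script text hidden in decoded pixel data and bytes trailing IEND."""
    idat = trailing = b""
    for ctype, body in png_chunks(data):
        if ctype == b"IHDR":  # non-interlaced image assumed
            width, _h, depth, color = struct.unpack(">IIBB", body[:10])
            stride = (width * depth * {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}[color] + 7) // 8
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"TRAIL":
            trailing = body
    raw = zlib.decompress(idat)
    rows = [raw[i:i + stride + 1] for i in range(0, len(raw), stride + 1)]
    pixels = b"".join(r[1:] for r in rows).lower()  # drop each row's filter byte
    return {"markers_in_pixels": [m.decode() for m in SCRIPT_MARKERS if m in pixels],
            "trailing_bytes": len(trailing),
            # Rows using filters 1-4 must be unfiltered (Sub/Up/Average/Paeth)
            # before the text search is meaningful; that step is not implemented here.
            "all_rows_unfiltered": all(r[0] == 0 for r in rows)}

def make_png(width, rows):
    """Constructed test input: minimal 8-bit grayscale PNG with filter type 0 rows."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, len(rows), 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in rows)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

# Constructed sample: one ordinary gradient row, then a "fuzz" row carrying HTA script text.
SAMPLE_PNG = make_png(40, [bytes(range(40)), b"<hta:application id=x><script>y</script>"])
```

A hit in `markers_in_pixels` or a non-zero `trailing_bytes` is worth a closer look; the same marker search applied to the raw pixel bytes of the .BMP a user is told to save covers the uncompressed stage of this trick.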
Here at the MMPC we suggest that you do not follow the instructions of random pictures that you see, especially if the instructions involve altering the file in any way, and then running it. In fact, we would suggest just not running random .HTA files at all.
- Michael Johnson
Note: Analysed file details are as follows:
- .BMP SHA1 84c2689196903adb8bb3b904797754f6cbfe3b04
- .PNG SHA1 d0d8b26e9063a04f6d02efe429e31df7f0e10f65
- Dropped file SHA1 3b1b80b7a053d388a82a92eb590026e42f202280