The MMPC came across an interesting piece of social engineering today that embeds a malicious script, which has been observed circulating on 4chan message boards. On further investigation, it became apparent that this is the next stage in the evolution of a threat known as 4chan.js that has been around since 2008. This scenario relies on a user's trust in image file formats and an unfamiliarity with the .HTA format (by the way, HTA stands for HTML Application). The user is sent a .PNG file that looks similar to the following screenshots:
The .PNG file stores the data in a compressed format that looks quite innocuous. Did you notice the fuzz at the bottom of the images shown above? That band is not picture content; it is compressed data that is stored inside the image. The following is a screenshot of the .PNG file as seen in binary:
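As an added example (not code from the MMPC post, and not a decoder for the specific encoding the sample used, which the post does not spell out), the script below shows two triage checks a defender can run over an image like this: whether any bytes are glued on after the IEND chunk, and whether any scanlines carry the kind of high-entropy "fuzz" described above rather than smooth picture content. The sample PNG is constructed in the script itself (a gradient with random rows at the bottom); the 6-bit threshold and the restriction to 8-bit non-palette images are assumptions for the demo.

```python
"""Added example: flag signs of payload data embedded in a PNG (appended trailer, noisy scanlines).
Handles 8-bit greyscale/RGB/RGBA PNGs; the sample image below is constructed, not a real file."""
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
BPP = {0: 1, 2: 3, 4: 2, 6: 4}          # bytes per pixel at 8-bit depth, by colour type
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def chunk(ctype, body):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(rows, sub_filter=False):
    """Build an 8-bit greyscale PNG from byte rows (filter 0, or filter 1 'Sub' if asked).
    Used only to construct the sample input for this demo."""
    width, height = len(rows[0]), len(rows)
    raw = bytearray()
    for r in rows:
        if sub_filter:
            raw += b"\x01" + bytes((r[i] - (r[i - 1] if i else 0)) & 0xFF for i in range(width))
        else:
            raw += b"\x00" + bytes(r)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(bytes(raw))) + chunk(b"IEND", b"")


def parse_chunks(data):
    """Walk the chunk list, verifying each CRC; return (chunks, bytes_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated %r chunk" % ctype)
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError("bad CRC on %r chunk" % ctype)
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def unfilter(raw, width, height, bpp):
    """Undo PNG scanline filters 0-4 (None, Sub, Up, Average, Paeth); return rows as bytes."""
    stride, pos, rows, prev = width * bpp, 0, [], bytearray(width * bpp)
    for _ in range(height):
        ftype, cur = raw[pos], bytearray(raw[pos + 1:pos + 1 + stride])
        pos += 1 + stride
        for i in range(stride):
            a = cur[i - bpp] if i >= bpp else 0       # left (already reconstructed)
            b = prev[i]                               # above
            c = prev[i - bpp] if i >= bpp else 0      # above-left
            if ftype == 1:
                cur[i] = (cur[i] + a) & 0xFF
            elif ftype == 2:
                cur[i] = (cur[i] + b) & 0xFF
            elif ftype == 3:
                cur[i] = (cur[i] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                p = a + b - c
                pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
                cur[i] = (cur[i] + (a if pa <= pb and pa <= pc else b if pb <= pc else c)) & 0xFF
        rows.append(bytes(cur))
        prev = cur
    return rows


def delta_entropy(row):
    """Shannon entropy (bits/byte) of horizontal byte differences: ~0 for smooth picture
    content, close to 8 for compressed or encrypted data."""
    deltas = [(row[i] - row[i - 1]) & 0xFF for i in range(1, len(row))]
    if not deltas:
        return 0.0
    counts = {}
    for d in deltas:
        counts[d] = counts.get(d, 0) + 1
    n = len(deltas)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_png(data, threshold=6.0):
    """Return the indicators a triage script would log for one PNG."""
    chunks, trailing = parse_chunks(data)
    width, height, depth, ctype = struct.unpack(">IIBB", dict(chunks)[b"IHDR"][:10])
    if depth != 8 or ctype not in BPP:
        raise ValueError("demo handles 8-bit non-palette images only")
    idat = b"".join(body for t, body in chunks if t == b"IDAT")
    rows = unfilter(zlib.decompress(idat), width, height, BPP[ctype])
    return {
        "trailing_bytes": len(trailing),
        "noisy_rows": [i for i, r in enumerate(rows) if delta_entropy(r) > threshold],
        "extra_chunks": sorted(t.decode("latin-1") for t, _ in chunks if t not in KNOWN),
    }


def make_sample(noisy_rows=4, sub_filter=False):
    """Constructed 256x16 greyscale image: a smooth gradient with random 'fuzz' rows at the bottom."""
    rng = random.Random(20130101)                     # fixed seed so results are reproducible
    rows = [[(x + 3 * y) & 0xFF for x in range(256)] for y in range(16 - noisy_rows)]
    rows += [[rng.randrange(256) for _ in range(256)] for _ in range(noisy_rows)]
    return build_png(rows, sub_filter)


if __name__ == "__main__":
    print(scan_png(make_sample()))                               # noisy rows 12..15, no trailer
    print(scan_png(make_sample() + b"<payload appended here>"))  # trailing bytes reported
```

The delta-entropy test deliberately looks at differences between neighbouring pixels rather than raw pixel values, because a clean gradient has maximal byte entropy but near-zero difference entropy, while compressed data scores high on both; that is what separates the fuzz band from ordinary picture content in this toy.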
Note: Analysed file details are as follows:
- .BMP SHA1 84c2689196903adb8bb3b904797754f6cbfe3b04
- .PNG SHA1 d0d8b26e9063a04f6d02efe429e31df7f0e10f65
- Dropped file SHA1 3b1b80b7a053d388a82a92eb590026e42f202280