Threat behavior
Trojan:HTML/FileFix.DSK!ams is a social engineering trojan that abuses legitimate Windows components to run attacker-supplied commands. Its primary infection vector is a compromised website or a phishing email that delivers an HTML lure such as filefix.html or index.html. When the user opens the file, embedded JavaScript silently copies a malicious PowerShell command to the clipboard using the browser's clipboard functions. The copied text is disguised to look like a benign file path.
When the user pastes the clipboard content into File Explorer's address bar, Explorer runs the hidden command, which gives the attacker a way to execute binaries without triggering security warnings. Secondary payloads are downloaded to C:\ProgramData\Microsoft\Windows Security Health\Logs, a folder name chosen to look legitimate. To maintain persistence, the trojan registers itself under the registry Run keys with a value pointing to php.exe in AppData\Roaming. It also uses trusted browser processes such as msedge.exe and chrome.exe to open HTML files from the desktop, circumventing security prompts. Command and control (C2) communication occurs over HTTPS to 52[.]111[.]229[.]19:443, an AWS-hosted IP address linked to the threat actor.
Trojan:HTML/FileFix.DSK!ams drops or touches files in the following locations:
- C:\ProgramData\Microsoft\Windows Security Health\Logs
- C:\Windows\SystemTemp\chrome_BITS_4564_601462122
- C:\Windows\SystemTemp\scoped_dir4564_597634562
- /msdownload/update/v3/static/trustedr/en/authrootstl.cab
Note that the chrome_BITS_* and scoped_dir* folders under C:\Windows\SystemTemp are ordinary Chrome temporary directories, and authrootstl.cab is the Windows trusted-root certificate list that the operating system fetches during automatic root updates. On their own these entries are weak indicators; correlate them with the process, registry, and network activity below.
It also launches the following processes:
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "C:\Users\<USER>\Desktop\document.html"
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "C:\Users\<USER>\Desktop\filefix.html"
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\index.html"
Registry entries modified:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Communicates with the following hosts:
- 52[.]111[.]229[.]19:443 (rented from AWS by the threat actor; possible C2 server)
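The full chain described above (the disguised clipboard command pasted into Explorer, the browser-launched HTML lure, the php.exe Run key, the payload directory, and the C2 address) as one added triage example, written for this page and not taken from Microsoft or from the malware. It runs under Node.js with no dependencies. Field names follow Sysmon event conventions (Image, ParentImage, CommandLine, TargetObject and Details, TargetFilename, DestinationIp and DestinationPort); the sample events, the placeholder command, the fake document path, the Run value name, and the php.exe arguments are constructed assumptions, not observed telemetry.

```javascript
// Added example for this page (Node.js, no dependencies). Not Microsoft's code
// and not the malware's. Field names follow Sysmon event conventions; every
// sample event, the placeholder command, the fake path, the Run value name
// and the php.exe arguments are constructed assumptions, not observed data.

// --- Part 1: the clipboard disguise --------------------------------------
// The lure writes a real PowerShell command, then a long run of spaces, then
// a '#' comment that looks like a document path. A narrow address bar shows
// only the tail, and PowerShell ignores everything after '#'.
const FAKE_PATH = "C:\\company\\Internal-Secure\\filedrive\\HRPolicy.docx"; // assumed
const HARMLESS_COMMAND = 'powershell.exe -c "Write-Host demo"';             // placeholder

function buildDisguisedCommand(realCommand, fakePath, padding = 200) {
  return `${realCommand}${" ".repeat(padding)}# ${fakePath}`;
}

// Roughly what the victim sees in an address bar 60 characters wide.
function visibleTail(clipboardText, width = 60) {
  return clipboardText.slice(-width).trimStart();
}

// --- Part 2: detection rules derived from the indicators on this page ----
const str = v => (typeof v === "string" ? v : "");

// PowerShell command line ending in a path-like '#' comment after heavy padding.
const FILEFIX_TAIL_RE = /\s{8,}#\s*[A-Za-z]:\\[^\r\n"]+$/;
function isFileFixCommandLine(cmdline) {
  const c = str(cmdline);
  return /\b(powershell|pwsh)(\.exe)?\b/i.test(c) && FILEFIX_TAIL_RE.test(c);
}

const KNOWN_C2 = new Set(["52.111.229.19:443"]);

const RULES = [
  // Explorer address-bar paste: explorer.exe spawns PowerShell with the disguised line.
  { name: "filefix-paste", match: e => e.id === 1
      && /\\explorer\.exe$/i.test(str(e.parentImage)) && isFileFixCommandLine(e.commandLine) },
  // Trusted browser launched to open an .html lure from the Desktop.
  { name: "browser-opens-desktop-html", match: e => e.id === 1
      && /\\(msedge|chrome)\.exe$/i.test(str(e.image))
      && /\\Desktop\\[^"\s]+\.html?\b/i.test(str(e.commandLine)) },
  // Run key (HKCU or HKLM) whose value points at php.exe under AppData\Roaming.
  { name: "run-key-php", match: e => e.id === 13
      && /\\CurrentVersion\\Run\\/i.test(str(e.targetObject))
      && /AppData\\Roaming\\.*php\.exe/i.test(str(e.details)) },
  // File written to the fake "Windows Security Health\Logs" payload directory.
  { name: "payload-drop-dir", match: e => e.id === 11
      && /^C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\/i.test(str(e.targetFilename)) },
  // Outbound connection to the listed C2 address.
  { name: "known-c2", match: e => e.id === 3
      && KNOWN_C2.has(`${e.destinationIp}:${e.destinationPort}`) },
];

// Returns one finding per (event, rule) pair that matches.
function triage(events) {
  const findings = [];
  for (const e of events) for (const r of RULES) if (r.match(e)) findings.push({ rule: r.name, event: e });
  return findings;
}

// Constructed sample events: five that should fire, two that should not.
const SAMPLE_EVENTS = [
  { id: 1, image: "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
    parentImage: "C:\\Windows\\explorer.exe",
    commandLine: '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" "C:\\Users\\alice\\Desktop\\filefix.html"' },
  { id: 1, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    parentImage: "C:\\Windows\\explorer.exe",
    commandLine: buildDisguisedCommand(HARMLESS_COMMAND, FAKE_PATH) },
  { id: 11, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    targetFilename: "C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\update.zip" },
  { id: 13, targetObject: "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    details: '"C:\\Users\\alice\\AppData\\Roaming\\php\\php.exe" -f "C:\\Users\\alice\\AppData\\Roaming\\php\\run.php"' },
  { id: 3, image: "C:\\Users\\alice\\AppData\\Roaming\\php\\php.exe", destinationIp: "52.111.229.19", destinationPort: 443 },
  // Benign: PowerShell from Explorer without the padded comment, and Chrome opening a web page.
  { id: 1, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    parentImage: "C:\\Windows\\explorer.exe", commandLine: "powershell.exe -NoProfile -Command Get-Date" },
  { id: 1, image: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    parentImage: "C:\\Windows\\explorer.exe", commandLine: '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" https://example.com/' },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("victim sees:", visibleTail(buildDisguisedCommand(HARMLESS_COMMAND, FAKE_PATH)));
  for (const f of triage(SAMPLE_EVENTS)) console.log(f.rule);
}
```

Run it with node to see what the victim's address bar shows versus what actually executes, then which rules fire on the sample events. The filefix-paste rule keys on the structural signature (PowerShell launched by explorer.exe with a long whitespace run followed by a path-like comment) rather than on the specific lure file names, so it still fires when the attacker renames index.html or changes the fake path; the known-c2 rule is the only one tied to a single indicator and should be refreshed as the infrastructure changes.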
Prevention
To minimize exposure to Trojan:HTML/FileFix.DSK!ams, and to malware in general, Microsoft recommends best practices such as:
- Keep mission-critical software updated to patch known exploit vectors.
- Enforce a least-privilege policy across the local network, and restrict unauthorized applications with allow/block listing.
- Block traffic to known malicious IP ranges and monitor outbound connections at the firewall.
- Educate users not to open suspicious phishing emails or their attachments.
For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.
To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection.