Hackers Increasingly Using HTML Smuggling in Malware and Phishing Attacks

Threat actors are increasingly relying on HTML smuggling techniques in phishing campaigns as a means to gain initial access and deploy a range of threats, including banking malware, remote administration Trojans (RATs), and ransomware payloads. The Microsoft 365 Defender Threat Intelligence team revealed in a new report released on Thursday that it had identified intrusions distributing the Mekotio banking Trojan, backdoors such as AsyncRAT and NjRAT, and the infamous TrickBot malware. The multistage attacks, dubbed ISOMorph, were also publicly documented by Menlo Security in July 2021.

HTML smuggling is a technique that allows an attacker to "smuggle" a first-stage dropper, often a malicious script encoded inside a specially crafted HTML attachment or web page, onto the victim's machine. It takes advantage of legitimate HTML5 and JavaScript functionality in modern web browsers rather than a vulnerability in them.

In doing so, the threat actor uses JavaScript to build the payload programmatically on the HTML page itself, instead of issuing an HTTP request to fetch the resource from a web server, thereby sidestepping perimeter security controls. The HTML dropper is then used to retrieve the main malware and run it on the compromised endpoint.

"When a target user opens the HTML in their web browser, the browser decodes the malicious script, which in turn assembles the payload on the host device," the researchers said. "So instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall." HTML smuggling's ability to bypass web proxies and email gateways has made it a lucrative method among state-sponsored actors and cybercriminal groups for distributing malware in real-world attacks, Microsoft noted.

Nobelium, the threat group behind the SolarWinds supply chain hack, was found exploiting this very tactic to launch a Cobalt Strike Beacon as part of a sophisticated email attack targeting government agencies, think tanks, consultants, and non-governmental organizations located across 24 countries, including the United States, in early May.

Beyond espionage operations, HTML smuggling has also been adopted for banking malware attacks involving the Mekotio Trojan, with adversaries sending spam emails containing a malicious link which, when clicked, triggers the download of a ZIP file. That archive in turn contains a JavaScript file downloader that retrieves binaries capable of stealing credentials and logging keystrokes.

In a sign that other players are taking note and incorporating HTML smuggling into their arsenal, a September email campaign undertaken by DEV-0193 has been uncovered abusing the same method to deliver TrickBot. The attacks involve a malicious HTML attachment which, when opened in a web browser, creates a password-protected JavaScript file on the recipient's system, prompting the victim to enter the password from the original HTML attachment.

Doing so executes the JavaScript code, which is then used to download the TrickBot malware by launching a Base64-encoded PowerShell command that connects to a server controlled by the attacker. This paves the way for follow-on ransomware attacks.

HTML smuggling attacks

HTML smuggling attacks allow a malicious actor to "smuggle" an encoded script inside a specially crafted HTML attachment or web page.

When the target opens the HTML in their web browser, the malicious script is decoded and the payload is deployed to their device. HTML smuggling attacks bypass standard perimeter security controls, such as web proxies and email gateways, which often only look for suspicious attachment types (EXE, ZIP, or DOCX files, for example) or for traffic-based signatures and patterns.
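Because the file is assembled inside the browser, the attachment itself is where a defender can still look. The following triage script is an added example, not code from the article or from Microsoft: it scans an HTML attachment for the in-browser file-assembly pattern described above (Base64 decoding, Blob construction, a download link that is clicked automatically) and checks whether any embedded Base64 literal decodes to an executable or archive. The sample attachment, the payload bytes and the scoring threshold are all constructed for illustration.

```python
import base64
import re

# Constructed payload (not from the article): a fake ZIP header plus marker text,
# standing in for the encoded file a smuggling page would assemble in the browser.
PAYLOAD_B64 = base64.b64encode(b"PK\x03\x04CONSTRUCTED SAMPLE").decode()

# Constructed HTML attachment that follows the structure the article describes:
# decode an embedded string, wrap it in a Blob, and trigger a local download.
SAMPLE_HTML = """<html><body><script>
var b64 = "__B64__";
var bytes = Uint8Array.from(atob(b64), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script></body></html>""".replace("__B64__", PAYLOAD_B64)

# Constructed benign attachment for comparison.
BENIGN_HTML = "<html><body><p>The quarterly report is attached separately.</p></body></html>"

# Script-level behaviours that together characterise in-browser file assembly.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_constructor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "legacy_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
# File signatures worth flagging if they appear inside a decoded Base64 literal.
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive"}
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']")


def analyze_html(html: str) -> dict:
    """Return indicator hits, decoded file types and a simple risk verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    embedded = []
    for literal in B64_LITERAL.findall(html):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:
            continue
        embedded += [desc for magic, desc in MAGIC.items() if raw.startswith(magic)]
    score = len(hits) + 2 * len(embedded)
    # Threshold is a heuristic: a single indicator alone is common in benign pages.
    return {"indicators": hits, "embedded_files": embedded, "score": score,
            "suspicious": score >= 3}
```

Run `analyze_html(SAMPLE_HTML)` to see the sample flagged with a ZIP archive inside it, while `analyze_html(BENIGN_HTML)` scores zero; a mail gateway can apply the same check to HTML attachments before they reach a browser.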

The "HTML smuggling" technique, which spreads malware through email, is increasingly being used against banking organizations, Microsoft said.

The attack vector, which gained prominence earlier this year, is described by the tech giant as "a highly evasive malware delivery technique" that exploits the legitimate functionality of HTML5 and JavaScript to disguise its true actions.

Microsoft said that in recent months, banks have been targeted by email campaigns deploying banking malware, remote access Trojans (RATs), and other payloads.