Hackers Increasingly Using HTML Smuggling in Malware and Phishing Attacks

Threat actors are increasingly relying on the HTML smuggling technique in phishing campaigns as a means of gaining initial access and deploying a range of threats, including banking malware, Trojan horses, remote access Trojans (RATs), and ransomware payloads. The Microsoft 365 Defender Threat Intelligence team, in a new report released Thursday, revealed that it has identified intrusions distributing the Mekotio banking Trojan, backdoors such as AsyncRAT and NjRAT, and the infamous TrickBot malware. The multistage attacks – dubbed ISOMorph – were also publicly documented by Menlo Security in July 2021.

HTML smuggling is an approach that allows an attacker to “smuggle” first-stage droppers, typically encoded malicious scripts embedded in HTML attachments or specially crafted web pages, onto a victim machine by taking advantage of the core functionality of HTML5 and JavaScript rather than exploiting a vulnerability or design flaw in modern web browsers.

By doing so, it allows the threat actor to programmatically build the payload on the HTML page using JavaScript, instead of having to make an HTTP request to fetch a resource from a web server, while at the same time evading perimeter security solutions. The HTML droppers are then used to retrieve the main malware to run on the compromised endpoints.

“When a target user opens the HTML in their web browser, the browser decodes the malicious script, which in turn assembles the payload on the host device,” the researchers said. “So instead of passing a malicious executable directly through the network, the attacker builds the malware locally behind a firewall.” HTML smuggling’s ability to bypass web proxies and email gateways has made it a lucrative method among state-sponsored actors and cybercriminal groups to distribute malware in real-world attacks, Microsoft noted.

Nobelium, the threat group behind the SolarWinds supply chain hack, was found exploiting this very tactic to launch a Cobalt Strike Beacon as part of a sophisticated email attack targeting government agencies, think tanks, consultants, and non-governmental organizations located across 24 countries, including the United States, in early May.

Beyond espionage operations, HTML smuggling has also been adopted for banking malware attacks involving the Mekotio Trojan, with adversaries sending spam emails containing a malicious link which, when clicked, triggers the download of a ZIP file, which in turn contains a JavaScript file downloader that retrieves binaries capable of stealing credentials and logging keystrokes.

But as a sign that other players are taking note and incorporating HTML smuggling into their arsenal, a September email campaign undertaken by DEV-0193 has been uncovered, abusing the same method to deliver TrickBot. The attacks involve a malicious HTML attachment which, when opened in a web browser, creates a password-protected JavaScript file on the recipient’s system, prompting the victim to enter the password from the original HTML attachment.

This initiates the execution of the JavaScript code, which then launches a Base64-encoded PowerShell command to contact an attacker-controlled server in order to download the TrickBot malware, thus paving the way for follow-on ransomware attacks.

HTML smuggling attacks allow a malicious actor to “smuggle” a script encoded in a specially crafted HTML attachment or web page.

If the target opens the HTML code in their web browser, the malicious script is decoded and the payload is deployed to their device. HTML smuggling attacks bypass standard perimeter security checks, such as web proxies and email gateways, which often only look for suspicious attachments (EXE, ZIP, or DOCX files, for example) or traffic-based signatures and patterns.
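Because the payload is assembled client-side by JavaScript (as described under the technique overview above) rather than fetched over HTTP, a gateway that only inspects attachment types and network signatures sees nothing. An added example, not from the Microsoft report or this article, of a heuristic scanner a mail-gateway or sandbox rule could apply to HTML attachments: it looks for the decode-and-download building blocks the page describes (atob, Blob, createObjectURL, a download attribute, a synthetic click) and for long embedded base64 runs. The indicator names, thresholds and both sample documents are constructed for the example; the "smuggled" sample only carries harmless text.

```python
import re
import base64

# Heuristic indicators of HTML smuggling: the page decodes an embedded blob
# with JavaScript and hands it to the browser as a download instead of
# fetching it over HTTP. Names and regexes are this example's own choices.
INDICATORS = {
    "base64_decode":  re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url":     re.compile(r"URL\.createObjectURL\s*\("),
    "ie_save_blob":   re.compile(r"msSaveOrOpenBlob\s*\("),
    "download_attr":  re.compile(r"\bdownload\s*=", re.I),
    "click_trigger":  re.compile(r"\.click\s*\(\s*\)"),
}
# A base64 run this long inside an HTML attachment is rarely legitimate markup.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def scan_html(html: str) -> dict:
    """Return the indicators found plus a score. Three or more indicators, or
    a long embedded blob next to atob(), is flagged as suspicious (thresholds
    are assumptions for this example, tune them on your own corpus)."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    blobs = LONG_B64.findall(html)
    score = len(hits) + (2 if blobs and "base64_decode" in hits else 0)
    return {"indicators": hits, "embedded_blobs": len(blobs),
            "score": score, "suspicious": score >= 3}

# Constructed sample: a benign attachment that mimics the smuggling pattern.
# The embedded blob is plain text, so the "download" is a harmless .txt file.
PAYLOAD_B64 = base64.b64encode(b"sample text " * 30).decode()
SAMPLE_SMUGGLED = f"""<html><body><script>
var data = atob("{PAYLOAD_B64}");
var bytes = new Uint8Array(data.length);
for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "report.txt"; a.click();
</script></body></html>"""

# Constructed sample: an ordinary HTML mail body with a plain link.
SAMPLE_BENIGN = '<html><body><a href="https://example.test/inv">Invoice</a></body></html>'

if __name__ == "__main__":
    for label, doc in (("smuggled", SAMPLE_SMUGGLED), ("benign", SAMPLE_BENIGN)):
        print(label, scan_html(doc))
```

The same indicators can be turned into a YARA or mail-filter rule, but keep the long-base64 check paired with the decode call: marketing mail legitimately embeds base64 images, and the blob alone is a weak signal.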

A new attack technique called “HTML smuggling,” which spreads malware through email, is increasingly targeting banking organizations, Microsoft said.

The attack vector, which surfaced earlier this year, is described by the tech giant as “a very evasive malware delivery technique” that exploits the legitimate functionality of HTML5 and JavaScript to disguise its true actions.

Microsoft said that in recent months it has witnessed the attack targeting banks via email campaigns that deploy banking malware, Remote Access Trojans (RATs), and other payloads.