Posted on November 14, 2021 at 2:37 PM
A recent report reveals that threat actors are increasingly using HTML smuggling in malware and phishing campaigns. The Microsoft 365 Defender Threat Intelligence Team reported that these actors now rely on the technique to gain initial access to systems and plant their malware.
The Increasing Use Of HTML Smuggling
The range of threats includes ransomware payloads, remote access Trojans (RATs), and banking malware.
According to the report published by the security team, the threat actors are actively distributing the Mekotio banking Trojan, remote access Trojans such as NJRAT and AsyncRAT, and the widespread TrickBot malware.
ISOMorph, a multi-stage attack that relied on HTML smuggling, was publicly documented by Menlo Security in July 2021.
The researchers noted that once a targeted user opens the HTML attachment in a web browser, the embedded script decodes the malicious content and writes the payload to the host device, bypassing perimeter security solutions that inspect traffic in transit. The HTML dropper is then used to fetch the main malware and execute it on the compromised endpoint.
State-Sponsored Hackers Also Use The Same Technique
The Microsoft researchers also noted that rather than sending a malicious executable over the network, where it could be inspected, the threat actors have the malware assembled locally, behind the firewall, from content embedded in the HTML file.
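The mechanism described above (a base64 string in the HTML, decoded by the browser and saved through a scripted download) is also what a mail gateway or sandbox can exploit defensively: because the whole file is embedded in the attachment, the scanner can pre-assemble it and inspect the result before any user opens the page. The following is an added example, not code from Microsoft's report or from any of the campaigns it describes. The smuggling page, the fake ZIP and PNG bytes, and the indicator list are constructed for this demonstration; the indicator list is an illustrative set of browser features, not Microsoft's detection logic.

```python
"""Scan an HTML attachment for the HTML-smuggling pattern and pre-assemble
the file it would write to disk.

Added example for illustration; not code from Microsoft or from any campaign
described in the article.  The sample HTML, the fake ZIP/PNG bytes and the
indicator list below are constructed for this demonstration.
"""
import base64
import binascii
import re

# Browser features that, used together, let a page build a file in memory and
# save it without a separate download request (illustrative list only).
INDICATORS = {
    "atob(": "base64 decoded in the browser",
    "new Blob(": "file assembled in memory",
    "createObjectURL(": "in-memory blob exposed as a URL",
    "msSaveOrOpenBlob(": "legacy IE/Edge save-to-disk API",
    ".download =": "download attribute set from script",
    "download=": "download attribute in markup",
    ".click()": "programmatic click to trigger the save",
}

# Features that actually produce a file on disk; combined with a client-side
# base64 decode they form the smuggling pattern the report describes.
SAVE_PATTERNS = ("new Blob(", "msSaveOrOpenBlob(", ".download =", "download=")

# Magic bytes of file types commonly smuggled this way, plus PNG so that an
# inline image decodes to a recognised benign type rather than "unknown".
MAGIC = {
    b"MZ": "Windows PE executable",
    b"PK\x03\x04": "ZIP archive",
    b"\x89PNG": "PNG image",
}

# A run of at least 40 base64 characters that is not part of a longer run.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{40,}={0,2})(?![A-Za-z0-9+/=])")


def find_indicators(html: str) -> list[str]:
    """Return a description of every smuggling-related feature present."""
    return [desc for needle, desc in INDICATORS.items() if needle in html]


def extract_payloads(html: str) -> list[bytes]:
    """Decode every base64 literal long enough to carry a file."""
    payloads = []
    for match in B64_RE.finditer(html):
        try:
            payloads.append(base64.b64decode(match.group(1), validate=True))
        except (ValueError, binascii.Error):
            continue  # a long identifier or bad padding, not a payload
    return payloads


def identify(blob: bytes) -> str:
    """Name the file type from its leading bytes, or return 'unknown'."""
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    if len(blob) >= 0x8006 and blob[0x8001:0x8006] == b"CD001":
        return "ISO 9660 image"  # ISO signature sits at offset 0x8001
    return "unknown"


def scan(html: str) -> dict:
    """Report indicators, pre-assembled payload types, and a verdict.

    The verdict requires both a client-side decode and a save-to-disk step:
    an ordinary download link or an inline image alone does not qualify.
    """
    decodes = "atob(" in html
    saves = any(p in html for p in SAVE_PATTERNS)
    return {
        "indicators": find_indicators(html),
        "payload_types": [identify(p) for p in extract_payloads(html)],
        "smuggling": decodes and saves,
    }


# --- constructed samples ---------------------------------------------------
# Placeholder "archive": a ZIP local-file header followed by harmless text.
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"constructed placeholder, not malware"

# Shape of a smuggling attachment: the file never travels as a file; the
# browser decodes it and a scripted click saves it as invoice.zip.
SMUGGLING_HTML = f"""<html><body><p>Loading your invoice...</p>
<script>
var b64 = '{base64.b64encode(FAKE_ZIP).decode()}';
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'invoice.zip';
a.click();
</script></body></html>"""

# A benign page: an ordinary download link plus an inline PNG (header + padding).
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40
BENIGN_HTML = f"""<html><body>
<img src="data:image/png;base64,{base64.b64encode(FAKE_PNG).decode()}">
<a href="https://example.invalid/report.pdf" download="report.pdf">Report</a>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("smuggling", SMUGGLING_HTML), ("benign", BENIGN_HTML)):
        print(name, scan(doc))
```

Running the module prints one result line per sample: the constructed attachment is flagged and its payload is identified as a ZIP archive from the bytes the browser would have written, while the benign page, which also carries a `download=` attribute and a long base64 string, is not flagged because nothing in it decodes data client-side. That conjunction is the point of the check; matching any single feature would drown a gateway in false positives from ordinary pages with inline images or download links.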
The ability of HTML smuggling to bypass email gateways and web proxies has made the technique attractive to attackers, and, according to the researchers, it is increasingly being adopted by both cybercriminal groups and state-sponsored actors to deliver malware in real-world attacks.
The notorious Nobelium group, responsible for the well-documented SolarWinds supply chain attack, has also been seen using this tactic. In one of its sophisticated email-based attacks on non-governmental organizations, consultants, think tanks, and government agencies, the group delivered a Cobalt Strike Beacon through HTML smuggling.
The group used the tactic to target organizations located across 24 countries, including the US and several European countries.
Apart from state-sponsored threat actors, cybercriminals are also increasingly using HTML smuggling in their campaigns. In September, DEV-0193 ran an email campaign that used the technique to deliver TrickBot.
Microsoft Urges Organizations To Improve On Security
The threat actors used malicious HTML attachments that, when opened in a web browser, generate a password-protected JavaScript file on the victim's computer.
Microsoft noted that there has been increased use of HTML smuggling by threat actors to infiltrate victims' systems and steal sensitive data. The company added that these campaigns are another indication that threat actors continuously refine specific components of their attacks, adopting highly evasive methods that make detection by security software very difficult.
Microsoft stated that the adoption of such tactics, techniques, and procedures is spreading among cybercriminals and other threat actors, lending credence to the view that attackers are constantly looking for improved techniques to compromise systems while staying under the radar.
Because of this, Microsoft has advised organizations to strengthen their defenses against this new wave of threats that use HTML smuggling.