HTML smuggling techniques are increasingly used by attackers in phishing campaigns as a means to gain initial access and deploy a range of threats, including but not limited to banking malware, remote access Trojans (RATs), and ransomware payloads.
The Microsoft 365 Defender Threat Intelligence team released a new report on Thursday, in which it said it had observed the technique delivering the Mekotio banking Trojan, the AsyncRAT and NJRAT backdoors, and the notorious TrickBot malware. In July 2021, Menlo Security also publicly documented the so-called ISOMorph multi-stage attack, which relied on the same method.
HTML smuggling is a method that allows an attacker to "smuggle" a first-stage dropper onto a victim's machine by abusing basic functionality in HTML5 and JavaScript rather than exploiting vulnerabilities or design flaws in modern web browsers. Typically, the malicious script is embedded in a carefully crafted HTML attachment or web page.
In this way, attackers can use JavaScript to programmatically construct payloads on HTML pages without making HTTP requests to obtain resources on the web server, and can also circumvent the blocking of some security products.
"When a victim opens the HTML in their web browser, the browser automatically parses the malicious script, which, in turn, assembles the payload on the host device," the researchers explain. "So instead of letting the malicious executable pass directly over the network, the attacker is building the malware locally behind the firewall."
"When a victim opens the HTML in their web browser, the browser automatically parses the malicious script, thereby running the payload on the victim's device," the researchers said.
Therefore, instead of sending a malicious executable to the target across the network, the attacker reaches the target by building the malware locally, behind the firewall.
Microsoft points out that HTML smuggling's ability to bypass web proxies and email gateways makes it an efficient method for many state-sponsored groups and cybercriminal gangs to spread malware in real-world attacks.
Earlier, in May this year, Nobelium, the threat group behind the SolarWinds supply chain attack, was reported to be using this unusual attack method to target government agencies, think tanks, consultants, and non-governmental organizations in 24 countries, including the United States.
In addition to espionage, HTML smuggling is often used in banking malware attacks involving the Mekotio Trojan, where attackers send spam emails containing malicious links that, when clicked by the victim, trigger the download of a ZIP file. That archive in turn contains a JavaScript downloader that retrieves binaries capable of credential theft and keylogging.
But there are also signs that other actors are incorporating HTML smuggling into their arsenal. In September, an email campaign run by DEV-0193 was discovered abusing the same method to deliver TrickBot. These attacks involved malicious HTML attachments; when the attachment is opened in a web browser, a password-protected JavaScript file is created on the recipient's system, and the victim is prompted to enter the password shown in the original HTML attachment.
Doing so initiates execution of the JavaScript code, which subsequently launches a Base64-encoded PowerShell command that communicates with an attacker-controlled server and then downloads the TrickBot malware, ultimately paving the way for a subsequent ransomware attack.
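As an added example (not code from the article, Microsoft, or any of the campaigns described), the following Python heuristic scans an HTML attachment for the building blocks the article describes: in-browser Blob construction, object URLs and download attributes, Base64 decoding, and a long embedded Base64 run whose decoded magic bytes hint at an archive or executable. The indicator weights and the alert threshold are assumptions, and the two HTML fixtures are constructed test inputs.

```python
import re
import base64

# Heuristic indicators of HTML smuggling: (name, regex, weight).
# Weights are illustrative assumptions, not a vendor scoring scheme.
INDICATORS = [
    ("blob_ctor", re.compile(r"new\s+Blob\s*\("), 2),
    ("object_url", re.compile(r"createObjectURL\s*\("), 2),
    ("ms_save_blob", re.compile(r"msSaveOrOpenBlob"), 2),
    ("download_attr", re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"), 1),
    ("atob", re.compile(r"\batob\s*\("), 1),
    ("char_decode", re.compile(r"charCodeAt|fromCharCode"), 1),
]
# A long run of Base64 characters suggests an embedded, encoded payload.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
ALERT_THRESHOLD = 4  # assumed threshold for flagging an attachment


def _magic(b64: str) -> str:
    """Decode the first bytes of a Base64 run and classify by magic bytes."""
    try:
        head = base64.b64decode(b64 + "=" * (-len(b64) % 4))[:4]
    except Exception:
        return "undecodable"
    if head.startswith(b"PK"):
        return "zip"
    if head.startswith(b"MZ"):
        return "pe"
    return "unknown"


def scan_html(html: str) -> dict:
    """Return matched indicators, a score, the largest Base64 run and its magic."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    runs = BASE64_RUN.findall(html)
    largest = max(runs, key=len, default="")
    magic = _magic(largest) if largest else "none"
    if largest:
        hits.append("base64_blob")
        score += 2
    return {"hits": hits, "score": score, "largest_b64": len(largest),
            "magic": magic, "suspicious": score >= ALERT_THRESHOLD}


# Constructed fixtures (not from any real campaign). The Base64 run decodes to a
# fake ZIP header followed by zero bytes, so it is harmless but looks like an archive.
FAKE_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 160).decode()
BENIGN_HTML = "<html><body><script>document.title = 'Invoice';</script></body></html>"
SMUGGLING_HTML = ("<html><body><a id='l'>Download</a><script>var d = atob('"
                  + FAKE_ZIP_B64 + "'); var b = new Blob([d]);"
                  " var l = document.getElementById('l');"
                  " l.href = URL.createObjectURL(b); l.download = 'invoice.zip';"
                  "</script></body></html>")
```

Run over real mail flow, such a heuristic is a triage signal, not a verdict: benign pages that build client-side downloads will also match, so the decoded magic bytes and the score together are what justify pulling the attachment for analysis.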
"The surge in attacks using HTML smuggling in email campaigns is an example of attackers continuing to improve their attack methods to achieve evasive effects," Microsoft noted. "This attack pattern shows how tactics, techniques, and procedures (TTPs) trickle down from cybercriminal gangs into APT attacks. Additionally, it strengthens the black market economy, where TTPs that are considered effective will be commercialized."
Original article, author: CNCSO, if reprinted, please indicate the source: https://cncso.com/en/html-smuggling-is-frequently-used-by-hackers-in-malware-and-phishing-attacks.html