Like creating various malware variants, cybercriminals often find new techniques to deploy malware and evade security scans. As per a report from Microsoft 365 Defender Threat Intelligence Team, adversaries are increasingly relying on HTML smuggling techniques in email phishing and malware campaigns to obtain access and infect a network or system with an array of malware variants. These include banking malware, ransomware, and remote access trojans (RATs).
The report stated that attackers also distributed Mekotio banking Trojan, malware backdoors like AsyncRAT and NjRAT, and the infamous TrickBot malware to gain the initial control of the compromised systems and deploy ransomware payloads.
What is HTML Smuggling?
HTML smuggling is a malicious technique used by hackers to hide malware payloads in an encoded script in a specially crafted HTML attachment or web page. The malicious script decodes and deploys the payload on the targeted device when the victim opens/clicks the HTML attachment/link. The HTML smuggling technique leverages legitimate HTML5 and JavaScript features to hide malicious payloads and evade security detections.
The HTML smuggling method is highly evasive. It could bypass standard perimeter security controls like web proxies and email gateways, which only check for suspicious attachments like EXE, ZIP, or DOCX.
NOBELIUM Group Used HTML Smuggling
Microsoft researchers stated this technique was observed in a spear-phishing campaign by the infamous NOBELIUM – a Russian state-sponsored group allegedly behind the SolarWinds hacks, the SUNBURST backdoor, GoldMax malware, and the TEARDROP malware campaigns. The researchers stated the malicious email campaign leveraged an HTML file attachment, which, when opened by the victim, uses HTML smuggling to download the primary payload on the targeted device.
Eventually, other cybercriminal groups appeared to have followed NOBELIUM’s suit and adopted the technique for their own campaigns. “The surge in the use of HTML smuggling in email campaigns is another example of how attackers keep refining specific components of their attacks by integrating highly evasive techniques. HTML smuggling uses legitimate features of HTML5 and JavaScript, which are both supported by all modern browsers, to generate malicious files behind the firewall. Specifically, HTML smuggling leverages the HTML5 “download” attribute for anchor tags, as well as the creation and use of a JavaScript Blob to put together the payload downloaded into an affected device,” Microsoft said.
How to Detect HTML Smuggling?
Microsoft recommended security admins to use behavior rules to identify the common characteristics of HTML smuggling, which include:
- An attached ZIP file contains JavaScript
- An attachment is password-protected
- An HTML file contains a suspicious script code
- An HTML file decodes a Base64 code or obfuscates a JavaScript
For endpoints, security admins can prevent HTML smuggling activities by:
- Blocking JavaScript or VBScript from launching downloaded executable content
- Blocking execution of potentially obfuscated scripts
- Blocking executable files from running unless they meet a prevalence, age, or trusted list criterion
Mitigation
Organizations and users can prevent JavaScript codes from executing automatically by changing file associations for .js and .jse files to reduce the impact of threats that utilize HTML smuggling. Users and employees need to be aware of various malware infections and preventive measures to help mitigate malware-based threats.
