Researchers Warn of Active Malware Campaign Using HTML Smuggling

guest · Aug 19, 2020

Researchers Warn of Active Malware Campaign Using HTML Smuggling
August 18, 2020
https://threatpost.com/active-malware-campaign-html-smuggling/158439/

An active campaign has been spotted that utilizes HTML smuggling to deliver malware, effectively bypassing various network security solutions, including sandboxes, legacy proxies and firewalls.
Krishnan Subramanian, security researcher with Menlo Security, told Threatpost that the campaign uncovered on Tuesday, dubbed “Duri,” has been ongoing since July.

It works like this: The attackers send victims a malicious link. Once they click on that link, a JavaScript blob technique is being used to smuggle malicious files via the browser to the user’s endpoint (i.e., HTML smuggling). Blobs, which mean “Binary Large Objects” and are responsible for holding data, are implemented by web browsers.
Click to expand...

Because HTML smuggling is not necessarily a novel technique — it’s been used by attackers for awhile, said Subramanian — this campaign shows that bad actors continue to rely on older attack methods that are working. Learn more about this latest attack and how enterprises can protect themselves from HTML-smuggling attacks, during this week’s Threatpost podcast.
Click to expand...

guest · Aug 19, 2020

Duri campaign smuggles malware via HTML and JavaScript
August 18, 2020
https://www.bleepingcomputer.com/ne...ign-smuggles-malware-via-html-and-javascript/

A new attack campaign uses a combination of HTML smuggling techniques and data blobs to evade detection and download malware.
Dubbed Duri, the campaign exploits the JavaScript blob method which generates the malicious file in the web browser, thus avoiding detection by sandboxes and proxies.
What is HTML smuggling?
HTML smuggling uses a combination of JavaScript, HTML5, and its technologies such as "data:" URLs to generate the payload on the fly and serve file downloads from within the browser, rather than a direct URL pointing to a server.

"With Duri, the entire payload is constructed on the client-side (browser), so no objects are transferred over the wire for the sandbox to inspect," states Menlo's report.
For those interested, Stan Hegt of Outflank, explains the technique perfectly.
Click to expand...

Dissecting the Duri's payload
As shown, a ZIP file is generated from nothing but the JavaScript code. At the end of its execution, the script prompts the download of this archive in the web browser.

Digging deeper, the researchers observed the JScript carried out the following actions: [...]
The researchers expect these evasive techniques to be incorporated in future iterations of attacks as well.

"Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up. We believe HTML smuggling is one such technique that will be incorporated into the attackers’ arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it," says Menlo Security.
Click to expand...

guest · Jul 26, 2021

Microsoft warns of weeks-long malspam campaign abusing HTML smuggling
July 26, 2021
https://therecord.media/microsoft-warns-of-weeks-long-malspam-campaign-abusing-html-smuggling/

The Microsoft security team said it detected a weeks-long email spam campaign abusing a technique known as “HTML smuggling” to bypass email security systems and deliver malware to user devices.
HTML smugging, as explained by SecureTeam and Outflank, is a technique that allows threat actors to assemble malicious files on users’ device by clever use of HTML5 and JavaScript code.

The technique is not new and has been known at a theoretical level since the mid-2010s and abused by malware operators since at least 2019 and also spotted throughout 2020.
Click to expand...

In a series of tweets on Friday, Microsoft said it’s been tracking an email spam campaign that has been going on for weeks that has been abusing HTML smuggling to drop a malicious ZIP file on user devices.

The JavaScript file connects to a malicious website to download another ZIP file with a .PNG file name extension, which contains two DLLs and one .EXE file. One of the DLL files is the payload: the banking Trojan Casbaneiro, which is loaded via DLL sideloading.
— Microsoft Security Intelligence (@MsftSecIntel) July 23, 2021
While Microsoft said Microsoft Defender for Office 365 could detect files dropped via HTML smuggling, the OS maker raised a sign of alarm on Friday for users who are not its customers or do not use email security products to scan incoming emails and who may not be aware of the technique.
Click to expand...

EASTER · Jul 26, 2021

In a series of tweets on Friday, Microsoft said it’s been tracking an email spam campaign that has been going on for weeks that has been abusing HTML smuggling to drop a malicious ZIP file on user devices.
The JavaScript file connects to a malicious website to download another ZIP file with a .PNG file name extension, which contains two DLLs and one .EXE file. One of the DLL files is the payload: the banking Trojan Casbaneiro, which is loaded via DLL sideloading.
— Microsoft Security Intelligence (@MsftSecIntel) July 23, 2021
While Microsoft said Microsoft Defender for Office 365 could detect files dropped via HTML smuggling, the OS maker raised a sign of alarm on Friday for users who are not its customers or do not use email security products to scan incoming emails and who may not be aware of the technique.
Click to expand...

Doesn't Microsoft ever do any real work or effort testing for such on their own dang systems? No. They shove them out the door and cope with the fallouts later as usual.

guest · Jul 31, 2021

Reports Point to Uptick in HTML Smuggling Attacks
Menlo Security and Microsoft report recent campaigns implementing the technique, which helps attackers stealthily deliver malware.
July 30, 2021
https://www.darkreading.com/attacks-breaches/reports-point-to-uptick-in-html-smuggling-attacks

An attack could start with a phishing email or Web browsing, says Vinay Pidathala, director of security research at Menlo Security, where the team has been tracking an HTML smuggling campaign called ISOMorph.
The ISOMorph campaign isn't the only one in recent years to make use of HTML smuggling. Last summer, Menlo Security's team identified another campaign, called Duri, which similarly leveraged the technique to deliver malware.
Click to expand...

Microsoft's security team has also recently reported attackers are increasingly using HTML smuggling, in phishing and other email campaigns, to deliver threats. In a campaign the team has been tracking for weeks, attackers send emails with malicious links that, when licked, drop components embedded in an HTML page via HTML smuggling.
A Growing Threat
In the blog post on their findings, Menlo Security researchers say the re-emergence of HTML smuggling could be linked to the global increase in remote work. Because it helps attackers bypass sandboxes, legacy proxies, and firewalls, the method could appeal to attackers seeking to target people who spend many hours working remotely using browser-based applications.

"The most crucial aspect is the evasion aspect," says Pidathala. "A typical enterprise has X number of network security appliances, and half the battle for the attacker is done when they're able to get their payload onto the endpoint … using HTML smuggling, they're able to do half of what they need to successfully compromise the endpoint."
Click to expand...

The use of legitimate applications in cybercrime makes it even easier for these attacks to fly under the radar. Pidathala adds: "It's getting extremely difficult for security practitioners to identify what's good and what's bad."
Click to expand...

Menlo Security: ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign

Menlo Security has been closely monitoring an attack we are naming ISOMorph. ISOMorph leverages HTML Smuggling to deliver malicious files to users’ endpoints by evading network security solutions such as sandboxes and legacy proxies. Isolation prevents this attack from infecting the endpoint. Here’s what we know:
Click to expand...

guest · Nov 12, 2021

Microsoft warns of surge in HTML smuggling phishing attacks
November 12, 2021
https://www.bleepingcomputer.com/ne...-of-surge-in-html-smuggling-phishing-attacks/

Microsoft has seen a surge in malware campaigns using HTML smuggling to distribute banking malware and remote access trojans (RAT).

While HTML smuggling is not a new technique, Microsoft is seeing it increasingly used by threat actors to evade detection, including the Nobelium hacking group behind the SolarWinds attacks.
HTML smuggling is a technique used in phishing campaigns that use HTML5 and JavaScript to hide malicious payloads in encoded strings in an HTML attachment or webpage. These strings are then decoded by a browser when a user opens the attachment or clicks a link.
Click to expand...

Deployment cases
Microsoft researchers have seen this technique used in Mekotio campaigns that deliver banking trojans and also in highly-targeted NOBELIUM attacks.

HTML smuggling campaigns are also used to drop the AsyncRAT or NJRAT remote access trojans, or the TrickBot trojan used to breach networks and deploy ransomware.
The attacks usually start with a phishing email containing an HTML link in the body of the message or a malicious HTML file as an attachment.
Click to expand...

A 2020 report from Menlo Security also mentions the Duri malware group as one of the actors who actively uses HTML smuggling for payload distribution, but the technique was first seen in the wild since at least 2018.

Microsoft first warned about a sudden uptick in this activity in July 2021, urging admins to raise their defenses against it.
Click to expand...

Microsoft: HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks

HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. Notably, this technique was observed in a spear-phishing campaign from the threat actor NOBELIUM in May. More recently, we have also seen this technique deliver the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected devices and deliver ransomware payloads and other threats.
Click to expand...

guest · Dec 14, 2022

Attackers use SVG files to smuggle QBot malware onto Windows systems
By Bill Toulas @billtoulas - December 14, 2022

QBot malware phishing campaigns have adopted a new distribution method using SVG files to perform HTML smuggling that locally creates a malicious installer for Windows.
Click to expand...

This attack is made through embedded SVG files containing JavaScript that reassemble a Base64 encoded QBot malware installer that is automatically downloaded through the target's browser.

QBot is a Windows malware arriving via a phishing email that loads other payloads, including Cobalt Strike, Brute Ratel, and ransomware.
SVG-based smuggling
HTML smuggling is a technique used to "smuggle" encoded JavaScript payloads inside an HTML attachment or a website.
Click to expand...

This technique enables the threat actors to bypass security tools and firewalls that monitor for malicious files at the perimeter.

Researchers at Cisco Talos observed a new QBot phishing campaign that starts with a stolen reply-chain email prompting the user to open an attached HTML file.
This attachment contains an HTML smuggling technique that uses a base64-encoded SVG (scalable vector graphics) image embedded in the HTML to hide the malicious code.

"In this case, the JavaScript smuggled inside of the SVG image contains the entire malicious zip archive, and the malware is then assembled by the JavaScript directly on the end user's device," explains Cisco.
Click to expand...

Cisco Talos: HTML smugglers turn to SVG images

By Adam Katz, Jaeson Schultz - December 13, 2022

HTML smuggling is a technique attackers use to hide an encoded malicious script within an HTML email attachment or webpage.

Once a victim receives the email and opens the attachment, their browser decodes and runs the script, which then assembles a malicious payload directly on the victim’s device.

Talos has witnessed Qakbot attackers using a relatively new technique that leverages Scalable Vector Graphics images embedded in HTML email attachments.

Click to expand...

Rasheed187 · Dec 17, 2022

I guess I need to do some reading because I still can't fully picture how these attacks work. But from what I understood, they are not true ''drive by attacks'' since the user will still have to run the malware manually.

guest · Jan 19, 2023

New 'Blank Image' attack hides phishing scripts in SVG files
By Bill Toulas @billtoulas - January 19, 2023

An unusual phishing technique has been observed in the wild, hiding empty SVG files inside HTML attachments pretending to be DocuSign documents.
Security researchers at email security provider Avanan named it "Blank Image." They explain that the attack allows phishing actors to evade detection of redirect URLs.
Phishing campaign
The phishing email sent to prospective victims purports to be a document from DocuSign, a widely abused brand as many recipients are familiar with it from their office jobs.
If a victim clicks on the “View Completed Document” button, they are taken to a genuine DocuSign webpage. However, if they attempt to open the HTML attachment, the ‘Blank Image’ attack is activated.
Click to expand...

SVG smuggling code
The HTML file contains an SVG image encoded using the Base64 encoding format with an embedded JavaScript code that redirects the victim automatically to the malicious URL.
The SVG image does not contain any graphics or shapes, so it renders nothing on the screen. Its role is that of merely a placeholder for the malicious script.

It’s worth noting that the use of SVG files inside HTML containing base64-obfuscated code isn’t new. The same technique was observed in malspam delivering Qbot malware in December 2022.
Click to expand...

Unlike raster images, like JPG and PNG, SVGs are vector images based on XML and can contain HTML script tags. When an HTML document displays an SVG image through an <embed> or <iframe> tag, the image is displayed and the JavaScript inside it executes.

Users should treat emails with HTML code in them and .HTM attachments with caution. Avanan also suggests that administrators should consider blocking them.
Click to expand...

guest · Feb 9, 2023

HTML smuggling -- the latest way to to deliver malware
By Ian Barker @IanDBarker - February 9, 2023

Since Microsoft began the default blocking of macros in documents sent over the internet there's been an increase in the use of HTML files to deliver malware.
Click to expand...

Research by Trustwave Spiderlabs reveals a rise in so called 'HTML smuggling' using HTML5 attributes that can work offline by storing a binary in an immutable blob of data within JavaScript code. The embedded payload then gets decoded into a file object when opened via a web browser.

This allows threat actors to take advantage of the versatility of HTML in combination with social engineering to lure the user into saving and opening the malicious payload. The latest campaigns have been impersonating well-known brands like Adobe Acrobat, Google Drive and Dropbox to increase the chances of users opening the archives.
Click to expand...

Security researchers Bernard Bautista and Diana Lopera write on the Spiderlabs blog:

We expect to see more sophisticated malware delivered through HTML smuggling with more compelling lures impersonating well-known products and social engineering tricks, complex obfuscation on the HTML level evading signature-based detection, and diverse attack sequences that may require more user interaction but may still be effective to gain initial access.
Click to expand...

SpiderLabs: HTML Smuggling: The Hidden Threat in Your Inbox

By Bernard Bautista, Diana Lopera - February 9, 2023
Last October, Trustwave SpiderLabs blogged about the use and prevalence of HTML email attachments to deliver malware and phishing for credentials. The use of HTML smuggling has become more prevalent, and we have since seen various cybercriminal groups utilizing these techniques to distribute malware.

HTML smuggling employs HTML5 attributes that can work offline by storing a binary in an immutable blob of data within JavaScript code. The data blob, or the embedded payload, gets decoded into a file object when opened via a web browser. Threat actors take advantage of the versatility of HTML in combination with social engineering to lure the user into saving and opening the malicious payload.
Click to expand...

Log in or Sign up

Researchers Warn of Active Malware Campaign Using HTML Smuggling

guest Guest

guest Guest

guest Guest

EASTER Registered Member

guest Guest

guest Guest

guest Guest

Rasheed187 Registered Member

guest Guest

guest Guest

Log in or Sign up

Researchers Warn of Active Malware Campaign Using HTML Smuggling

guest Guest

guest Guest

guest Guest

EASTER Registered Member

guest Guest

guest Guest

guest Guest

Rasheed187 Registered Member

guest Guest

guest Guest

Useful Searches