Researchers Warn of Active Malware Campaign Using HTML Smuggling

mood · Aug 19, 2020

Researchers Warn of Active Malware Campaign Using HTML Smuggling
August 18, 2020
https://threatpost.com/active-malware-campaign-html-smuggling/158439/

An active campaign has been spotted that utilizes HTML smuggling to deliver malware, effectively bypassing various network security solutions, including sandboxes, legacy proxies and firewalls.
Krishnan Subramanian, security researcher with Menlo Security, told Threatpost that the campaign uncovered on Tuesday, dubbed “Duri,” has been ongoing since July.

It works like this: The attackers send victims a malicious link. Once they click on that link, a JavaScript blob technique is being used to smuggle malicious files via the browser to the user’s endpoint (i.e., HTML smuggling). Blobs, which mean “Binary Large Objects” and are responsible for holding data, are implemented by web browsers.
Click to expand...

Because HTML smuggling is not necessarily a novel technique — it’s been used by attackers for awhile, said Subramanian — this campaign shows that bad actors continue to rely on older attack methods that are working. Learn more about this latest attack and how enterprises can protect themselves from HTML-smuggling attacks, during this week’s Threatpost podcast.
Click to expand...

mood · Aug 19, 2020

Duri campaign smuggles malware via HTML and JavaScript
August 18, 2020
https://www.bleepingcomputer.com/ne...ign-smuggles-malware-via-html-and-javascript/

A new attack campaign uses a combination of HTML smuggling techniques and data blobs to evade detection and download malware.
Dubbed Duri, the campaign exploits the JavaScript blob method which generates the malicious file in the web browser, thus avoiding detection by sandboxes and proxies.
What is HTML smuggling?
HTML smuggling uses a combination of JavaScript, HTML5, and its technologies such as "data:" URLs to generate the payload on the fly and serve file downloads from within the browser, rather than a direct URL pointing to a server.

"With Duri, the entire payload is constructed on the client-side (browser), so no objects are transferred over the wire for the sandbox to inspect," states Menlo's report.
For those interested, Stan Hegt of Outflank, explains the technique perfectly.
Click to expand...

Dissecting the Duri's payload
As shown, a ZIP file is generated from nothing but the JavaScript code. At the end of its execution, the script prompts the download of this archive in the web browser.

Digging deeper, the researchers observed the JScript carried out the following actions: [...]
The researchers expect these evasive techniques to be incorporated in future iterations of attacks as well.

"Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up. We believe HTML smuggling is one such technique that will be incorporated into the attackers’ arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it," says Menlo Security.
Click to expand...

mood · Jul 26, 2021

Microsoft warns of weeks-long malspam campaign abusing HTML smuggling
July 26, 2021
https://therecord.media/microsoft-warns-of-weeks-long-malspam-campaign-abusing-html-smuggling/

The Microsoft security team said it detected a weeks-long email spam campaign abusing a technique known as “HTML smuggling” to bypass email security systems and deliver malware to user devices.
HTML smugging, as explained by SecureTeam and Outflank, is a technique that allows threat actors to assemble malicious files on users’ device by clever use of HTML5 and JavaScript code.

The technique is not new and has been known at a theoretical level since the mid-2010s and abused by malware operators since at least 2019 and also spotted throughout 2020.
Click to expand...

In a series of tweets on Friday, Microsoft said it’s been tracking an email spam campaign that has been going on for weeks that has been abusing HTML smuggling to drop a malicious ZIP file on user devices.

The JavaScript file connects to a malicious website to download another ZIP file with a .PNG file name extension, which contains two DLLs and one .EXE file. One of the DLL files is the payload: the banking Trojan Casbaneiro, which is loaded via DLL sideloading.
— Microsoft Security Intelligence (@MsftSecIntel) July 23, 2021
While Microsoft said Microsoft Defender for Office 365 could detect files dropped via HTML smuggling, the OS maker raised a sign of alarm on Friday for users who are not its customers or do not use email security products to scan incoming emails and who may not be aware of the technique.
Click to expand...

EASTER · Jul 26, 2021

In a series of tweets on Friday, Microsoft said it’s been tracking an email spam campaign that has been going on for weeks that has been abusing HTML smuggling to drop a malicious ZIP file on user devices.
The JavaScript file connects to a malicious website to download another ZIP file with a .PNG file name extension, which contains two DLLs and one .EXE file. One of the DLL files is the payload: the banking Trojan Casbaneiro, which is loaded via DLL sideloading.
— Microsoft Security Intelligence (@MsftSecIntel) July 23, 2021
While Microsoft said Microsoft Defender for Office 365 could detect files dropped via HTML smuggling, the OS maker raised a sign of alarm on Friday for users who are not its customers or do not use email security products to scan incoming emails and who may not be aware of the technique.
Click to expand...

Doesn't Microsoft ever do any real work or effort testing for such on their own dang systems? No. They shove them out the door and cope with the fallouts later as usual.

mood · Jul 31, 2021

Reports Point to Uptick in HTML Smuggling Attacks
Menlo Security and Microsoft report recent campaigns implementing the technique, which helps attackers stealthily deliver malware.
July 30, 2021
https://www.darkreading.com/attacks-breaches/reports-point-to-uptick-in-html-smuggling-attacks

An attack could start with a phishing email or Web browsing, says Vinay Pidathala, director of security research at Menlo Security, where the team has been tracking an HTML smuggling campaign called ISOMorph.
The ISOMorph campaign isn't the only one in recent years to make use of HTML smuggling. Last summer, Menlo Security's team identified another campaign, called Duri, which similarly leveraged the technique to deliver malware.
Click to expand...

Microsoft's security team has also recently reported attackers are increasingly using HTML smuggling, in phishing and other email campaigns, to deliver threats. In a campaign the team has been tracking for weeks, attackers send emails with malicious links that, when licked, drop components embedded in an HTML page via HTML smuggling.
A Growing Threat
In the blog post on their findings, Menlo Security researchers say the re-emergence of HTML smuggling could be linked to the global increase in remote work. Because it helps attackers bypass sandboxes, legacy proxies, and firewalls, the method could appeal to attackers seeking to target people who spend many hours working remotely using browser-based applications.

"The most crucial aspect is the evasion aspect," says Pidathala. "A typical enterprise has X number of network security appliances, and half the battle for the attacker is done when they're able to get their payload onto the endpoint … using HTML smuggling, they're able to do half of what they need to successfully compromise the endpoint."
Click to expand...

The use of legitimate applications in cybercrime makes it even easier for these attacks to fly under the radar. Pidathala adds: "It's getting extremely difficult for security practitioners to identify what's good and what's bad."
Click to expand...

Menlo Security: ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign

Menlo Security has been closely monitoring an attack we are naming ISOMorph. ISOMorph leverages HTML Smuggling to deliver malicious files to users’ endpoints by evading network security solutions such as sandboxes and legacy proxies. Isolation prevents this attack from infecting the endpoint. Here’s what we know:
Click to expand...

mood · Nov 12, 2021

Microsoft warns of surge in HTML smuggling phishing attacks
November 12, 2021
https://www.bleepingcomputer.com/ne...-of-surge-in-html-smuggling-phishing-attacks/

Microsoft has seen a surge in malware campaigns using HTML smuggling to distribute banking malware and remote access trojans (RAT).

While HTML smuggling is not a new technique, Microsoft is seeing it increasingly used by threat actors to evade detection, including the Nobelium hacking group behind the SolarWinds attacks.
HTML smuggling is a technique used in phishing campaigns that use HTML5 and JavaScript to hide malicious payloads in encoded strings in an HTML attachment or webpage. These strings are then decoded by a browser when a user opens the attachment or clicks a link.
Click to expand...

Deployment cases
Microsoft researchers have seen this technique used in Mekotio campaigns that deliver banking trojans and also in highly-targeted NOBELIUM attacks.

HTML smuggling campaigns are also used to drop the AsyncRAT or NJRAT remote access trojans, or the TrickBot trojan used to breach networks and deploy ransomware.
The attacks usually start with a phishing email containing an HTML link in the body of the message or a malicious HTML file as an attachment.
Click to expand...

A 2020 report from Menlo Security also mentions the Duri malware group as one of the actors who actively uses HTML smuggling for payload distribution, but the technique was first seen in the wild since at least 2018.

Microsoft first warned about a sudden uptick in this activity in July 2021, urging admins to raise their defenses against it.
Click to expand...

Microsoft: HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks

HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. Notably, this technique was observed in a spear-phishing campaign from the threat actor NOBELIUM in May. More recently, we have also seen this technique deliver the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected devices and deliver ransomware payloads and other threats.
Click to expand...

Log in or Sign up

Researchers Warn of Active Malware Campaign Using HTML Smuggling

mood Updates Team

mood Updates Team

mood Updates Team

EASTER Registered Member

mood Updates Team

mood Updates Team