Microsoft has flagged a relatively new style of attack, dubbed “HTML smuggling”, which is being used in email campaigns that deploy banking malware and remote access Trojans (RATs), and as part of targeted hacking attacks.
HTML smuggling lets an attacker “smuggle” an encoded malicious script within a specially crafted HTML attachment or web page. It’s a “highly evasive” malware delivery technique that uses legitimate HTML5 and JavaScript features, warns the Microsoft 365 Defender Threat Intelligence Team.
It’s a nasty trick that bypasses standard network perimeter security, such as web proxies and email gateways, since the malware is built inside the network after an employee opens a web page or attachment with the malicious HTML script. So, a company’s network can be hit even if gateway devices check for suspicious EXE, ZIP, or Office documents.
“When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall,” Microsoft warns.
It’s a practical attack technique because most businesses use HTML and JavaScript to run their business apps. The problem is that there’s been a recent surge in HTML smuggling attacks because cybercriminal groups behind banking malware like Trickbot, RATs and other malware are learning from state-sponsored attackers.
The style of attack is notable because it’s been used by Kremlin-backed hackers – tracked by Microsoft as Nobelium. Since then, it has been adopted by cybercriminals.
And HTML smuggling is an effective technique because the web is vital to business operations. Organizations, for example, can disable JavaScript in the browser, but that is widely regarded as impractical because the language is ubiquitous on the web. Microsoft has tried to tighten up Edge security with its Super Duper Secure Mode, which turns off the JavaScript JIT compiler. Google also regularly fixes potent bugs in Chrome’s V8 JavaScript engine.
“Disabling JavaScript could mitigate HTML smuggling created using JavaScript Blobs. However, JavaScript is used to render business-related and other legitimate web pages,” Microsoft explains.
“In addition, there are multiple ways to implement HTML smuggling through obfuscation and numerous ways of coding JavaScript, making the said technique highly evasive against content inspection.”
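As an added illustration of the mechanism Microsoft describes (a script in the attachment decodes an embedded string and assembles it into a file via a JavaScript Blob) and of the caveat in its last quote, here is a heuristic check a mail gateway or SOC team might run over an HTML attachment before it reaches a user. This is example code written for this article, not Microsoft's or any vendor's tooling; the indicator names, the verdict rule and both sample attachments are constructed for the demonstration, and the "executable" in the sample is only the MZ magic bytes followed by plain text.

```python
import base64
import re

# Heuristic indicators drawn from Microsoft's description: a script in the
# attachment decodes an embedded string and hands the result to the browser
# as a download (JavaScript Blob, object URL, the download attribute, or the
# legacy msSaveOrOpenBlob API). Names are this example's own.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "create_object_url": re.compile(r"\bURL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|<a\b[^>]*\bdownload\b"),
    "ms_save_blob": re.compile(r"\bmsSaveOrOpenBlob\b"),
}

# A quoted string literal of 64+ base64 characters is worth decoding to see
# what the script would assemble on the host.
BASE64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{64,}={0,2})["']""")

# File-type magic for the payload types a gateway would normally block.
MAGIC = [
    (b"MZ", "PE executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\xd0\xcf\x11\xe0", "OLE/Office document"),
    (b"%PDF", "PDF"),
]


def find_indicators(html: str) -> list[str]:
    """Return the names of the smuggling indicators present in the HTML."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))


def decode_embedded_payloads(html: str) -> list[tuple[int, str]]:
    """Decode long base64 literals and classify each by its magic bytes."""
    found = []
    for m in BASE64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        kind = next((label for magic, label in MAGIC if data.startswith(magic)), "unknown")
        found.append((len(data), kind))
    return found


def assess(html: str) -> dict:
    """Decoding plus a delivery mechanism together form the smuggling pattern."""
    hits = find_indicators(html)
    payloads = decode_embedded_payloads(html)
    decodes = "atob" in hits or bool(payloads)
    delivers = any(h in hits for h in ("blob", "create_object_url", "download_attr", "ms_save_blob"))
    verdict = "suspicious" if decodes and delivers else "benign-looking"
    return {"indicators": hits, "payloads": payloads, "verdict": verdict}


# --- constructed samples (not real attachments) ---------------------------
# A fake "executable": the MZ magic followed by plain text, so the classifier
# fires without anything runnable being embedded.
_FAKE_PAYLOAD = b"MZ" + b"constructed test bytes, not a real executable".ljust(78, b"\0")
_FAKE_B64 = base64.b64encode(_FAKE_PAYLOAD).decode()

SMUGGLING_SAMPLE = f"""<html><body>
<script>
  var data = atob("{_FAKE_B64}");
  var blob = new Blob([data]);
  var link = document.createElement("a");
  link.href = URL.createObjectURL(blob);
  link.download = "report.pdf";
</script>
</body></html>"""

# Ordinary page logic that also uses JavaScript; it should not trip the check.
BENIGN_SAMPLE = """<html><body>
<span id="total"></span>
<script>
  var items = [{price: 12}, {price: 30}];
  document.getElementById("total").textContent =
    items.reduce(function (s, i) { return s + i.price; }, 0);
</script>
</body></html>"""

if __name__ == "__main__":
    for name, html in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, assess(html))
```

The benign sample is there to make Microsoft's point concrete: JavaScript on its own is not the signal, the combination of decoding and a download mechanism is. The second quote above is the limitation of this check: an attachment that splits the base64 string, builds it from character codes, or reaches the same APIs through obfuscated property names will match none of these literals, so a check like this belongs alongside sandbox detonation of HTML attachments and endpoint detection of the assembled file rather than in place of them.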
Microsoft has found that between July and August there was an uptick in HTML smuggling in campaigns that deliver RATs such as AsyncRAT/NJRAT.
“In September, we saw an email campaign that leverages HTML smuggling to deliver Trickbot. Microsoft attributes this Trickbot campaign to an emerging, financially motivated cybercriminal group we’re tracking as DEV-0193,” says Microsoft.