Microsoft warns of surge in phishing attacks using HTML smuggling, explains the technique

news

Microsoft has identified a surge in malware campaigns that use HTML smuggling to distribute banking malware and remote access trojans (RATs).

https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/

Microsoft has seen an increase in the use of HTML smuggling by attackers to evade detection, including by the Nobelium hacking group that conducted the SolarWinds attack.

What is HTML smuggling?

HTML smuggling is a phishing technique that uses HTML5 and JavaScript to hide malicious payloads within encoded strings in HTML attachments and web pages. When a user opens the attachment or clicks the link, the browser decodes these strings.

For example, a phishing HTML attachment may not be flagged as malicious because all it visibly contains is a harmless-looking link to a known website.

However, when the user clicks that link, the page's JavaScript decrypts or decodes the embedded string and assembles it into a malicious file, which is downloaded instead, as shown in the code below.

Because the payload is encrypted or encoded before delivery, it appears harmless to security software inspecting the attachment and is not detected as malicious.

In addition, because the JavaScript assembles the payload on the target system itself, the technique bypasses firewalls and security defenses that normally catch malicious files at the perimeter.

Microsoft has confirmed that this technique is used in the Mekotio campaign, which delivers a banking Trojan, and in the highly targeted NOBELIUM attacks.

HTML smuggling is also used to drop remote access Trojans such as AsyncRAT and NJRAT, as well as TrickBot, which is used to infiltrate networks and deploy ransomware.

This type of attack is usually initiated by a phishing email that contains either an HTML link in the body of the message or a malicious HTML file as an attachment.

When either of these is opened, a ZIP file is dropped via HTML smuggling.

This archive contains a JavaScript downloader that fetches additional files from the command-and-control (C2) server for installation on the victim's device.

The archive may be password-protected to further evade endpoint security controls; the password to open it is provided in the original HTML attachment, so the victim must enter it manually.

When the script runs, it executes Base64-encoded PowerShell commands that download and install the TrickBot Trojan and other malware.

Menlo Security's 2020 report also cites the Duri malware group as one of the attackers actively using HTML smuggling to distribute payloads.

Microsoft first warned of this rapid increase in activity in July 2021 and recommended that administrators strengthen their defenses against it.

How to defend against HTML smuggling

Microsoft suggests that administrators use behavioral rules to check for common characteristics of HTML smuggling, such as:

  • Attachment zip file contains JavaScript
  • Attachment is password protected
  • HTML file contains suspicious script code
  • HTML file decodes Base64 data or contains obfuscated JavaScript
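As an added illustration of these behavioral rules (example code written for this page, not from Microsoft's article), the scanner below checks a constructed HTML attachment for the traits listed above, including the octet-stream Blob handed to a download link that the Mekotio page relies on, and inspects a constructed ZIP for script members and the zip encryption flag. The sample HTML, the archive contents and the verdict thresholds are constructed here and are not taken from the campaigns described.

```python
import io
import re
import zipfile

# Constructed sample of a smuggling-style HTML attachment: a Base64 literal is decoded
# with atob(), wrapped in an octet-stream Blob and attached to an <a> as a forced download.
SAMPLE_HTML = """<html><body>
<a id="dl" href="https://example.com/statement">View statement</a>
<script>
var enc = "SGVsbG8sIHdvcmxkIQ==";
var blob = new Blob([atob(enc)], {type: "application/octet-stream"});
var a = document.getElementById("dl");
a.href = URL.createObjectURL(blob);
a.download = "statement.zip";
</script></body></html>"""

# The traits Microsoft lists, as regexes: Base64 decoding, an octet-stream Blob behind
# an href, an object URL, a forced download, and a long encoded string literal.
HTML_INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\(|String\.fromCharCode", re.I),
    "octet_stream_blob": re.compile(r"new\s+Blob\b.{0,200}?octet[-/]stream", re.I | re.S),
    "object_url": re.compile(r"createObjectURL|msSaveOrOpenBlob", re.I),
    "forced_download": re.compile(r"\.download\s*=|\sdownload\s*=", re.I),
    "long_encoded_literal": re.compile(r"[\"'][A-Za-z0-9+/]{16,}={0,2}[\"']"),
}

def scan_html(html: str) -> dict:
    """Return matched indicator names and a verdict for one HTML attachment."""
    hits = [name for name, rx in HTML_INDICATORS.items() if rx.search(html)]
    # A Blob handed to a download link is the core of the technique; 3+ traits also flag.
    core = "octet_stream_blob" in hits and "forced_download" in hits
    return {"hits": hits, "suspicious": core or len(hits) >= 3}

def scan_zip(data: bytes) -> dict:
    """Flag archives carrying script files or using zip encryption (password-protected)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        scripts = [n for n in zf.namelist() if n.lower().endswith((".js", ".jse", ".vbs", ".wsf"))]
        encrypted = any(info.flag_bits & 0x1 for info in zf.infolist())
    return {"script_members": scripts, "encrypted": encrypted,
            "suspicious": bool(scripts) or encrypted}

def build_sample_zip(mark_encrypted: bool) -> bytes:
    """Constructed archive with a one-line .js member; optionally mimics a password-protected entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.js", "// constructed placeholder, not a real downloader\n")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        cd = data.find(b"PK\x01\x02")  # central directory file header signature
        data[cd + 8] |= 0x1            # offset 8 = general purpose bit flag; bit 0 = encrypted
    return bytes(data)
```

In a mail gateway the same two checks would run over every HTML attachment and every archive it drops; the thresholds here are a starting point to tune against your own traffic, not Microsoft's rules.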

On endpoints, administrators should block or audit activities associated with HTML smuggling, such as:

  • Block JavaScript or VBScript from launching downloaded executable content
  • Block execution of potentially obfuscated scripts
  • Block execution of executable files unless they meet trusted-list criteria

In addition to the above, users can prevent JavaScript files from executing when double-clicked by designating a text editor, such as Notepad, as the default application for .js and .jse files.

In the end, the best defense is to educate users not to open files downloaded via email links or attachments.

All files downloaded from email should be handled with care and checked carefully before opening.

Additionally, if a downloaded attachment or email link has a .js (JavaScript) extension, never open it; it should be deleted.

Unfortunately, Windows hides known file extensions by default, so the extension is often not visible. It is therefore recommended that users enable the display of file extensions so that malicious files are not opened by mistake.

A real-world example of an attack using HTML smuggling

Attacks by DEV-0238 (aka Mekotio) and DEV-0253 (aka Ousaban) targeting Brazil, Mexico, Spain, Peru, and Portugal use HTML smuggling. In one of the Mekotio attacks observed by Microsoft, the attacker sent an email containing a malicious link.

Clicking the link starts the HTML smuggling routine

This attack uses the HTML smuggling technique to drop a malicious downloader file; the malicious website hxxp://poocardy[.]net/diretorio/ hosts the page that drops it.

In the Mekotio campaign's HTML smuggling page, the href attribute references a JavaScript Blob of octet/stream type in order to download a malicious ZIP file.

It should be noted that this attack relies on social engineering and user interaction: when a user clicks on a link sent by email, the HTML page downloads a ZIP file with an embedded obfuscated JavaScript file.

When the user opens the ZIP file and executes the JavaScript, the script connects to hxxps://malparque[.]org/rest/restfuch[.]png and downloads another ZIP file disguised as a PNG file. This second ZIP file contains the following files related to DAEMON Tools.

  • sptdintf.dll – This is a harmless file; various virtual disk applications, including DAEMON Tools and Alcohol 120%, use this dynamic link library (DLL) file.
  • imgengine.dll – This is the malicious file, packed with Themida or VMProtect for obfuscation. It collects the target's geographical information and attempts to steal credentials and log keystrokes.
  • Randomly named executable – This is a renamed copy of a legitimate file called “Disc Soft Bus Service Pro”. This legitimate file is part of DAEMON Tools Pro and loads both DLLs.

Finally, when the user runs the primary executable (the renamed legitimate file), it launches and loads the malicious DLL via DLL sideloading.

As mentioned, this DLL is attributed to Mekotio, a banking Trojan malware family that has targeted Latin American industries since late 2016 and is usually deployed on Windows systems.
