Just as they keep producing new malware variants, cybercriminals keep finding new techniques to deliver malware and evade security scans. According to a report from the Microsoft 365 Defender Threat Intelligence Team, adversaries are increasingly relying on HTML smuggling in email phishing and malware campaigns to obtain access and infect a network or system with an array of malware variants, including banking malware, ransomware, and remote access trojans (RATs).
The report stated that attackers also distributed the Mekotio banking Trojan, backdoors such as AsyncRAT and NjRAT, and the infamous TrickBot malware to gain initial control of compromised systems and deploy ransomware payloads.
What is HTML Smuggling?
In HTML smuggling, the malicious payload travels inside an HTML attachment or web page as an encoded string, and script in that file decodes and assembles it in the victim's browser, so the malicious file is created on the endpoint rather than sent over the network as a conventional attachment. The method is therefore highly evasive: it can bypass standard perimeter security controls such as web proxies and email gateways, which only check for suspicious attachment types like EXE, ZIP, or DOCX.
NOBELIUM Group Used HTML Smuggling
Microsoft researchers stated that this technique was observed in a spear-phishing campaign by the infamous NOBELIUM – a Russian state-sponsored group allegedly behind the SolarWinds hacks, the SUNBURST backdoor, GoldMax malware, and the TEARDROP malware campaigns. According to the researchers, the malicious email campaign leveraged an HTML file attachment which, when opened by the victim, uses HTML smuggling to download the primary payload onto the targeted device.
How to Detect HTML Smuggling?
Microsoft recommended that security admins use behavior rules to identify the common characteristics of HTML smuggling, which include:
- An attachment is password-protected
- An HTML file contains a suspicious script code
For endpoints, security admins can prevent HTML smuggling activities by:
- Blocking execution of potentially obfuscated scripts
- Blocking executable files from running unless they meet a prevalence, age, or trusted list criterion
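The two characteristics above can be turned into simple attachment checks. The following is an added example written for this article, not Microsoft's behavior rules or any product's detection logic: it scores an HTML file against an illustrative set of script indicators (the base64 decoder, Blob construction, object URLs, a programmatic download) plus a long base64 literal, and it reads the encryption flag from ZIP local file headers to flag password-protected archives. The indicator list, the score threshold of 4 and the 400-character blob length are assumptions chosen for the example; the samples are constructed, with harmless filler text standing in for the payload.

```python
import re
import base64
import struct

# Illustrative indicators of HTML smuggling scripts, an assumption made for
# this example rather than Microsoft's behaviour rules.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
# A long base64 string literal is the smuggled payload waiting to be decoded.
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{400,}={0,2})['\"]")


def score_html(html: str) -> dict:
    """Score one HTML attachment: matched indicators plus a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    blobs = len(BASE64_LITERAL.findall(html))
    score = len(hits) + (2 if blobs else 0)
    return {"indicators": hits, "b64_literals": blobs,
            "score": score, "suspicious": score >= 4}


def zip_is_password_protected(data: bytes) -> bool:
    """True if any local file header in a ZIP has the encryption flag (bit 0) set."""
    pos, sig = 0, b"PK\x03\x04"
    while (pos := data.find(sig, pos)) != -1 and pos + 8 <= len(data):
        if struct.unpack_from("<H", data, pos + 6)[0] & 0x0001:
            return True
        pos += 4
    return False


# Constructed samples: the "payload" is harmless filler text; only the script
# shape matters to the heuristic.
FILLER_B64 = base64.b64encode(b"constructed harmless filler " * 16).decode()
SMUGGLING_SAMPLE = f"""<html><body><script>
var b = atob("{FILLER_B64}"), bytes = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) bytes[i] = b.charCodeAt(i);
var a = document.createElement("a");
a.href = URL.createObjectURL(new Blob([bytes])); a.download = "file.bin"; a.click();
</script></body></html>"""
BENIGN_SAMPLE = '<html><body><script>document.title = "Report";</script></body></html>'
# Minimal local file header with the encryption bit set (constructed, not a real archive).
ENCRYPTED_ZIP_HEADER = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22
```

In a mail pipeline these checks would run on extracted attachments; a high score or an encrypted archive is a trigger for quarantine or closer inspection, not proof of malice on its own.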