Researchers at Microsoft have warned of a rise in HTML smuggling campaigns used to deliver banking malware and remote access trojans (RATs). Beyond banking-malware operations, HTML smuggling also appears in more complex, targeted attacks. The technique is not new, but threat actors, including the Nobelium group behind the SolarWinds compromise, are increasingly adopting it to evade detection.
These attacks typically begin with a phishing email that carries either an HTML link in the body text or a malicious HTML file as an attachment. When the link is clicked or the attachment is opened, the page's JavaScript assembles a ZIP file inside the browser and triggers its download; this is the smuggling step. The archive contains a JavaScript downloader that fetches additional payloads from a command-and-control (C2) server and installs them on the victim's device. In some campaigns the generated archive is password-protected so that endpoint security tools cannot inspect its contents; the password is shown in the original HTML file, and the victim has to type it in by hand.
The technique is highly evasive because it bypasses conventional perimeter controls such as web proxies and email gateways, which typically look for suspicious attachment types (EXE, ZIP, DOCX) or match traffic against signatures and patterns. Because the malicious files are generated only after the HTML is loaded in the browser on the endpoint, those early-stage controls see nothing but seemingly innocuous HTML and JavaScript, which can additionally be obfuscated to hide its real purpose.
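As an added example, not code from the article or from Microsoft's research, the following Node.js script shows why the gateway's view is incomplete and what a static pre-filter can still do: it scans a constructed HTML attachment for the building blocks of the technique (client-side base64 decoding, Blob construction, a programmatic download) and carves the embedded payload out of the HTML without executing anything, typing it by its magic bytes. Both sample pages, the indicator list, the 64-character base64 threshold and the scoring rule are constructed for this example.

```javascript
// Added example (not from the article): a static pre-filter for HTML smuggling.
// A gateway that only checks the attachment's file type sees plain HTML; the
// payload bytes are nevertheless present in the file, merely base64-encoded,
// and can be carved out and typed without running the page.

// Constructed sample of the smuggling pattern the article describes. The
// "ZIP" is a fake 64-byte buffer carrying only the PK magic so the example
// runs offline.
const fakeZip = Buffer.concat([
  Buffer.from("PK\x03\x04", "latin1"),
  Buffer.alloc(60, 0x41),
]).toString("base64");

const SMUGGLING_HTML = `<html><body>
<p>Your document is ready. Password: 1234</p>
<script>
  var payload = "${fakeZip}";
  var bytes = atob(payload);
  var buf = new Uint8Array(bytes.length);
  for (var i = 0; i < bytes.length; i++) buf[i] = bytes.charCodeAt(i);
  var blob = new Blob([buf], { type: "application/zip" });
  if (window.navigator.msSaveOrOpenBlob) {
    window.navigator.msSaveOrOpenBlob(blob, "invoice.zip");
  } else {
    var a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    a.download = "invoice.zip";
    a.click();
  }
</script></body></html>`;

// Constructed benign page: a short data: URI and an ordinary click handler.
const BENIGN_HTML = `<html><body>
<img src="data:image/png;base64,iVBORw0KGgo=">
<script>
  document.querySelector("img").addEventListener("click", function (e) {
    e.target.classList.toggle("zoomed");
  });
</script></body></html>`;

// Indicators are scored individually so an analyst can see why a file fired.
const INDICATORS = [
  { name: "client-side base64 decode (atob)", re: /\batob\s*\(/ },
  { name: "Blob construction", re: /\bnew\s+Blob\s*\(/ },
  { name: "object URL or legacy IE save", re: /URL\.createObjectURL\s*\(|msSaveOrOpenBlob/ },
  { name: "programmatic download attribute", re: /\.download\s*=/ },
  { name: "synthetic click", re: /\.click\s*\(\s*\)/ },
];

// A base64 run this long inside a string literal is rarely anything but an
// embedded file (threshold chosen for this example).
const BIG_B64 = /["']([A-Za-z0-9+\/]{64,}={0,2})["']/g;

const MAGIC = [
  { type: "zip", bytes: Buffer.from("PK\x03\x04", "latin1") },
  { type: "pe", bytes: Buffer.from("MZ", "latin1") },
  { type: "pdf", bytes: Buffer.from("%PDF", "latin1") },
  { type: "ole", bytes: Buffer.from([0xd0, 0xcf, 0x11, 0xe0]) },
];

function identify(buf) {
  const hit = MAGIC.find((m) => buf.subarray(0, m.bytes.length).equals(m.bytes));
  return hit ? hit.type : "unknown";
}

// Decode every large base64 literal and type it: this is the file the
// browser would have materialised on the endpoint.
function carvePayloads(html) {
  const out = [];
  for (const m of html.matchAll(BIG_B64)) {
    const buf = Buffer.from(m[1], "base64");
    out.push({ size: buf.length, type: identify(buf) });
  }
  return out;
}

function scoreHtmlSmuggling(html) {
  const indicators = INDICATORS.filter((i) => i.re.test(html)).map((i) => i.name);
  const payloads = carvePayloads(html);
  const hasTypedPayload = payloads.some((p) => p.type !== "unknown");
  // Decode + Blob + a download path, together with a recognisable embedded
  // file, is the complete smuggling chain; less than that is just a web page.
  const suspicious = indicators.length >= 3 && hasTypedPayload;
  return { suspicious, indicators, payloads };
}

for (const [label, html] of [["smuggling sample", SMUGGLING_HTML], ["benign sample", BENIGN_HTML]]) {
  console.log(label, JSON.stringify(scoreHtmlSmuggling(html)));
}
```

This is a triage heuristic, not a verdict: a password-protected archive still types as ZIP by its header but its contents cannot be inspected here, and the base64 literal can be split, reversed or otherwise obfuscated so that the carve step finds nothing. The check belongs in front of browser emulation or detonation of HTML attachments, not in place of it.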
By- Shubhangi Kumari Mishra
(Content Writer, WCSF)