Cybersecurity researchers from Microsoft cautioned users about the rise in the use of a malware delivery method called HTML smuggling.
The technique is used in email campaigns that infect unsuspecting target systems with banking malware and remote access trojans (RATs). HTML smuggling lets attackers hide an encoded script inside a specially crafted HTML attachment; when the page is opened, that script assembles the malicious software on the victim's system.
This method, the Microsoft researchers said, is "highly evasive" and can "bypass perimeter security controls," including web proxies and email gateways. Such controls typically only check for suspicious attachments with file extensions such as .EXE, .ZIP, or .DOCX, or for traffic matching known patterns and signatures, the researchers added.
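Because the payload only exists after the browser assembles it, a gateway that inspects attachments by extension or signature sees nothing but HTML. The following added example (not code from Microsoft or the article) scans an HTML attachment for the client-side assembly scaffolding instead: a base64 decode, a Blob or object URL, a forced download, and a long base64 literal. The indicator names, the threshold of three, and the two sample documents are constructed for illustration.

```python
import re

# Heuristic indicators that an HTML file assembles its payload client-side, the
# pattern the article calls HTML smuggling. Each is benign on its own; an
# ordinary download page rarely needs several of them together.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_build": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ie_save_blob": re.compile(r"\bmsSaveOrOpenBlob\b"),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "scripted_click": re.compile(r"\.click\s*\(\s*\)"),
    "archive_filename": re.compile(r"[\"'][^\"']*\.(?:zip|iso|img|js|vbs)[\"']", re.I),
}
# A base64 literal this long is an embedded file, not an inline icon.
LONG_B64 = re.compile(r"[\"']([A-Za-z0-9+/]{512,}={0,2})[\"']")
# Distinct indicators needed before a file is flagged (assumed tuning value).
THRESHOLD = 3


def scan_html(text: str) -> dict:
    """Return the indicators found in one HTML document and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    blobs = LONG_B64.findall(text)
    if blobs:
        hits.append(f"embedded_base64({max(map(len, blobs))} chars)")
    return {"hits": hits, "suspicious": len(hits) >= THRESHOLD}


# Constructed samples, not files from any real campaign. The second is a
# non-functional fragment: the variable "a" is never defined and the base64
# literal is a placeholder of repeated "A"s.
BENIGN = """<html><body><h1>Quarterly report</h1>
<a href="https://example.invalid/report.pdf" download="report.pdf">Download</a>
</body></html>"""
SMUGGLED = ('<script>/* constructed fragment for the scanner */\n'
            'var raw = atob("' + "A" * 600 + '");\n'
            'var blob = new Blob([raw]);\n'
            'a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();\n'
            '</script>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("smuggled", SMUGGLED)):
        print(label, scan_html(doc))
```

The benign page trips only the download attribute and stays below the threshold; the fragment trips six named indicators plus the embedded blob. Thresholds and indicator lists need tuning against real mail flow before use in a gateway rule.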
HTML Smuggling Technique Allows Hackers to Bypass Protection Utilities
HTML smuggling is an efficient way for attackers to bypass protection software such as anti-virus utilities and firewalls, which see only seemingly harmless HTML and JavaScript traffic that the attackers further obfuscate to deceive those utilities, Tech Radar noted.
Researchers from the Microsoft 365 Defender Threat Intelligence Team said in a blog post that the technique is widely used in deploying banking malware to hit targets in countries such as Portugal, Mexico, Peru, Spain and Brazil. In addition to these campaigns, there are other sophisticated cyberattacks around the world that employ this technique.
The Microsoft researchers observed this rise in HTML smuggling campaigns through open source intelligence (OSINT) community signals in July and August; those campaigns deployed RATs such as AsyncRAT and NJRAT. In September they tracked another campaign that relied on HTML smuggling to deliver the Trickbot malware.
The rise in HTML smuggling incidents shows how attackers are "refining specific components of their attacks by integrating highly evasive techniques," the researchers added. The post also noted that Microsoft 365 Defender uses several techniques, including machine learning, to block these threats.
HTML smuggling has been used in banking malware campaigns such as those attributed to DEV-0238, also known as Mekotio, and DEV-0253, also known as Ousaban. In a typical HTML smuggling incident, attackers send emails containing a malicious link. The link directs the user to a malicious website that applies the HTML smuggling technique to drop the malicious downloader file on the target system.
HTML Smuggling Relies on Social Engineering, User Interaction to Succeed
According to Microsoft's lengthy blog post on the issue, the attack relies on social engineering and user interaction to succeed: nothing happens unless the user clicks the emailed hyperlink. If they do, the HTML page downloads a .ZIP file containing an obfuscated JavaScript file, as seen in the Mekotio campaign.
If the user opens the .ZIP file and executes the JavaScript, a connection to the malicious website is established and a second .ZIP file, masquerading as a .PNG image, is downloaded. This second .ZIP file carries two dynamic link library (.DLL) files: one legitimate (sptdintf.dll) and one malicious and obfuscated (imgengine.dll). The malicious DLL reads the target system's geolocation data and attempts credential theft and keylogging. A third file is a legitimate executable renamed to "Disc Soft Bus Service Pro," which loads both of the aforementioned DLLs.
As such, users are warned against opening suspicious emails and clicking links in them, especially when the sender is unknown. Defending against HTML smuggling requires "true defense in depth," the researchers continued. Microsoft 365 Defender, with its Safe Links and Safe Attachments capabilities together with its Endpoint Protection Platform and Endpoint Detection and Response features, can provide the needed protection against such attacks, the researchers noted.