HTML smuggling – a new breed of malware has been identified

A flatpack of encoded malicious script invented by state-sponsored hackers is catching on among cybercriminals

Microsoft’s 365 Defender Threat Intelligence Team has identified a new threat vector that it has dubbed HTML smuggling, as reported by ZDNet. The technique has typically been used in email campaigns that deliver banking malware or remote access Trojans (RATs).

The distinctive feature of the recently identified malware is that it is delivered into the network in a “flat packed” format, which lets it evade standard network perimeter security such as web proxies and email gateways. When an employee opens a web page or an attachment whose specially crafted HTML contains the encoded malicious script, perimeter controls such as web proxies and gateway devices that check for suspicious EXE, ZIP or DOCX files find nothing to block. Once the HTML has slipped through into the network, the browser decodes the malicious script and assembles the payload on the host device.
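As an added example (not from the article, ZDNet or Microsoft), the following Python heuristic shows what a mail-gateway or proxy check for HTML attachments might look for: the browser-side decode, assemble and download chain described above, plus a long run of base64 text standing in for the flat-packed payload. The indicator regexes and the scoring threshold are assumptions, and both HTML documents are constructed fixtures.

```python
import re
from typing import Dict, List

# Assumed indicator patterns (not from the article): the browser-side calls a
# page uses to decode an embedded payload, assemble it as a file object and
# hand it to the user as a download. Each group is counted at most once.
INDICATORS = {
    "decode": re.compile(r"\batob\s*\(|\.charCodeAt\s*\(|Uint8Array", re.I),
    "assemble": re.compile(r"new\s+Blob\s*\(|msSaveOrOpenBlob", re.I),
    "download": re.compile(r"createObjectURL\s*\(|\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
}
# A long run of base64 text is the "flat-packed" payload the article describes.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")

def score_html(html: str) -> Dict[str, object]:
    """Score one HTML document; 'suspicious' when three or more signals co-occur."""
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(html)]
    longest = max((len(m.group(0)) for m in BASE64_BLOB.finditer(html)), default=0)
    score = len(hits) + (1 if longest else 0)
    return {"indicators": hits, "longest_b64": longest, "score": score,
            "suspicious": score >= 3}

# Constructed fixtures. The first is an ordinary page with a download link and a
# small decoded string; the second carries the decode/assemble/download chain
# with a placeholder payload (repeated "QUJD", i.e. base64 of "ABC").
BENIGN = """<html><body>
<a href="/files/report.pdf" download="report.pdf">Download the report</a>
<script>var greeting = atob("SGVsbG8=");</script>
</body></html>"""

SMUGGLED = """<html><body><script>
/* constructed test fixture: indicator calls only, no real payload */
var payload = "%s";
var raw = atob(payload);
var blob = new Blob([raw]);
link.href = URL.createObjectURL(blob);
link.download = "invoice.zip";
</script></body></html>""" % ("QUJD" * 200)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("smuggled", SMUGGLED)):
        print(label, score_html(doc))
```

A single download link or a lone atob() call is common on legitimate pages, which is why the check only flags the co-occurrence of several signals rather than any one of them.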

The technique was first observed in use by state-sponsored actors in May this year, but its adoption is now increasing among a wider circle of cybercriminals as well. In July and August, HTML smuggling played a major role in campaigns that delivered remote access Trojans (RATs), while in September the new breed of malware was seen delivering Trickbot, which targeted organisations in the education, healthcare and finance industries. The cybercriminal group to which Microsoft attributed the Trickbot campaign works closely with ransomware operators, such as those behind the infamous Ryuk ransomware; once this group compromises an environment, a ransomware attack is therefore highly likely to follow.

One way of mitigating exposure to HTML smuggling is disabling JavaScript; Microsoft, for example, has tried to tighten Edge security with its Super Duper Secure Mode, which turns off the JavaScript JIT compiler. However, as most businesses rely on HTML and JavaScript to run their business applications, disabling them is impractical and cannot serve as a strategic defence against the new exploit.

Copyright Lyonsdown Limited 2021
