A flatpack of encoded malicious script invented by state-sponsored hackers is catching on among cybercriminals
Microsoft’s 365 Defender Threat Intelligence Team has identified a new threat vector it calls HTML smuggling, ZDNet reports. The malicious script has typically been used in email campaigns that deliver banking malware or remote access Trojans (RATs).
What sets the newly identified technique apart is that the payload is delivered into the network in a “flat packed” format, so standard network perimeter security such as web proxies and email gateways cannot detect it. When an employee opens a web page or an attachment whose specifically crafted HTML carries the encoded malicious script, perimeter controls that look for suspicious EXE, ZIP or DOCX files find nothing to block. Once the HTML has slipped through, the browser decodes the script and assembles the payload on the host device.
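As an added illustration (not from the article, ZDNet or Microsoft), the Python scanner below flags the hallmarks of the delivery pattern described above: a long base64 run embedded in the HTML, browser-side decoding, a Blob being turned into a download link and a scripted click. Because the file only exists after the browser has assembled it, this is the kind of check an endpoint or download-inspection control would run rather than a gateway. The indicator names, weights and threshold are my own assumptions, and both HTML samples are constructed, inert inputs (the "payload" is a ZIP or PNG header followed by zero bytes).

```python
import base64
import binascii
import re

# Heuristic indicators of browser-side payload assembly. Names and weights are
# assumptions chosen for this example; each feature is legitimate on its own,
# it is the combination that is suspicious.
INDICATORS = {
    "atob": (re.compile(r"\batob\s*\("), 2),                  # base64 decode in the browser
    "blob": (re.compile(r"\bnew\s+Blob\s*\("), 2),            # bytes assembled into a file object
    "object_url": (re.compile(r"\bcreateObjectURL\s*\("), 2), # Blob exposed as a link target
    "download_attr": (re.compile(r"\bdownload\s*="), 1),      # force a save instead of navigation
    "click_trigger": (re.compile(r"\.click\s*\(\s*\)"), 1),   # scripted click, no user action
}
# A long run of base64 alphabet is the encoded payload itself.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
BASE64_WEIGHT = 2
# File signatures worth flagging when a decoded run starts with them (constructed list).
EXECUTABLE_MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"\x7fELF": "elf"}
MAGIC_WEIGHT = 3
THRESHOLD = 6  # assumed cut-off; tune against your own false-positive rate


def decode_magic(run: str):
    """Decode one base64 run; return a file type name if it carries a known signature."""
    try:
        raw = base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid base64 (e.g. a regex match inside a longer token)
    for sig, name in EXECUTABLE_MAGIC.items():
        if raw.startswith(sig):
            return name
    return None


def scan_html(text: str) -> dict:
    """Score an HTML document for HTML smuggling indicators."""
    found = [name for name, (pat, _) in INDICATORS.items() if pat.search(text)]
    score = sum(INDICATORS[name][1] for name in found)
    runs = BASE64_RUN.findall(text)
    score += BASE64_WEIGHT * len(runs)
    # Decoding the runs separates a base64 image from an embedded archive or executable.
    magics = [m for m in (decode_magic(r) for r in runs) if m]
    score += MAGIC_WEIGHT * len(magics)
    return {"indicators": found, "blob_count": len(runs), "magics": magics, "score": score}


def is_suspicious(text: str) -> bool:
    return scan_html(text)["score"] >= THRESHOLD


# Constructed, inert samples: the encoded "payload" is a header followed by zero bytes.
PNG_BLOB = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 200).decode()
ZIP_BLOB = base64.b64encode(b"PK\x03\x04" + b"\x00" * 200).decode()

# A normal page with an inline image: one base64 run, but no browser-side assembly.
BENIGN_HTML = f"""<html><body>
<h1>Quarterly report</h1>
<img src="data:image/png;base64,{PNG_BLOB}" alt="logo">
<a href="report.pdf">Download the PDF</a>
</body></html>"""

# The flat-packed pattern: decode, wrap in a Blob, link it, click it.
SMUGGLING_HTML = f"""<html><body>
<script>
  var b64 = "{ZIP_BLOB}";
  var bytes = atob(b64);
  var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'invoice.zip';
  a.click();
</script></body></html>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("smuggling", SMUGGLING_HTML)):
        result = scan_html(doc)
        print(f"{label}: suspicious={is_suspicious(doc)} {result}")
```

The benign page scores only for its base64 run (the decoded bytes carry a PNG header, not an archive or executable), so it stays below the threshold; the smuggling sample trips every indicator and the decoded run is recognised as a ZIP. Whitespace tricks, split string literals and XOR-encoded blobs would defeat these regexes, which is why a scanner like this belongs alongside endpoint download inspection rather than replacing it.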
The new technique was first observed in use by state-sponsored actors in May this year, but it is now being adopted by a wider circle of cybercriminals as well. In July and August, HTML smuggling played a major role in campaigns that delivered remote access Trojans (RATs), while in September it was seen delivering Trickbot, which targeted organisations in the education, healthcare and finance industries. The cybercriminal group to which Microsoft attributed the Trickbot campaign works closely with ransomware operators, such as those behind the infamous Ryuk ransomware, so once this group compromises an environment, a ransomware attack is highly likely to follow.