Reports Point to Uptick in HTML Smuggling Attacks

HTML smuggling may not be a new technique, but it is generating new attention as a threat to watch in reports of recent attack campaigns that use the method to stealthily deliver malware.

The tactic helps attackers bypass network security tools by using the features in HTML5 and JavaScript code to deliver file downloads. Most tools monitor the data coming in and out of the network and flag suspicious code based on patterns or signatures. With HTML smuggling, the payload is constructed within the browser on a target device, so it often slips past unnoticed.

HTML smuggling doesn't exploit a vulnerability or design flaw in the browser. Attackers might include a link in an email that, when clicked, redirects to an HTML page that uses HTML and JavaScript code to compile the payload within the browser. Alternatively, they may send an HTML attachment along with a message convincing the victim to download and open it.

An attack could start with a phishing email or Web browsing, says Vinay Pidathala, director of security research at Menlo Security, where the team has been tracking an HTML smuggling campaign called ISOMorph.

In this campaign, once a victim clicks a malicious link or downloads an attachment, the first-stage payload is an ISO file — a file type often preferred by attackers because it doesn't require any third-party software to install, Menlo Security researchers note in a blog post. This ISO file contains a malicious script that, once executed, fetches additional PowerShell scripts. Researchers identified several different malicious scripts being used in this campaign.

"After they click the link, everything is constructed on the browser itself," Pidathala says.

The malicious PowerShell script checks for, and disables, antivirus systems. It also downloads additional payloads from Discord, which attackers used to host malicious payloads for this campaign. Pidathala says this is noteworthy, as the chat platform reportedly has over 150 million active users who use it to communicate via text and voice messages.

ISOMorph's final payload is a remote access Trojan (RAT) called AsyncRAT/NJRAT, which has been used by many attackers in the past but predominantly used to compromise high-value targets in the Middle East, researchers report. The team is still analyzing this attack activity and cannot share details about the targets or who the attackers are.

The ISOMorph campaign isn't the only one in recent years to make use of HTML smuggling. Last summer, Menlo Security's team identified another campaign, called Duri, which similarly leveraged the technique to deliver malware.

Microsoft's security team has also recently reported attackers are increasingly using HTML smuggling, in phishing and other email campaigns, to deliver threats. In a campaign the team has been tracking for weeks, attackers send emails with malicious links that, when licked, drop components embedded in an HTML page via HTML smuggling.

This ultimately leads to dropping a ZIP archive containing a JavaScript file on a target machine, Microsoft Security Intelligence wrote in a Twitter thread. The JavaScript file connects to a malicious website to download another ZIP file with a .PNG file extension; this contains two dynamic link libraries (DLLs) and one executable file. One of the DLLs is the final payload: a banking Trojan named Casbaneiro, which is loaded using DLL sideloading, researchers report.

A Growing Threat
In the blog post on their findings, Menlo Security researchers say the re-emergence of HTML smuggling could be linked to the global increase in remote work. Because it helps attackers bypass sandboxes, legacy proxies, and firewalls, the method could appeal to attackers seeking to target people who spend many hours working remotely using browser-based applications.

"The most crucial aspect is the evasion aspect," says Pidathala. "A typical enterprise has X number of network security appliances, and half the battle for the attacker is done when they're able to get their payload onto the endpoint … using HTML smuggling, they're able to do half of what they need to successfully compromise the endpoint."

The use of HTML smuggling among high-profile attack groups could also be driving the increase. Nobelium, the group behind last year's SolarWinds supply chain attack, also used the tactic, Microsoft reports in a breakdown of the group's techniques.

Attackers' use of Discord in the ISOMorph campaign should be a sign for organizations to take a closer look at the cloud applications they use, Pidathala adds. This isn't the first attack campaign to use Discord; however, it's interesting to see both the chat app and HTML smuggling used together to evade detection.

"It's super important that enterprises understand their cloud application posture," Pidathala says, noting they should "understand what cloud applications are needed for their business and what are needed, and then outright block such kind of cloud applications."

The use of legitimate applications in cybercrime makes it even easier for these attacks to fly under the radar. Pidathala adds: "It's getting extremely difficult for security practitioners to identify what's good and what's bad."