Malware campaigns that use HTML smuggling to deliver banking malware and remote access trojans (RATs) have increased, according to Microsoft. While HTML smuggling is not a new tactic, it is increasingly being employed to evade detection by threat actors such as Nobelium, the hacking group behind the SolarWinds attacks.
HTML smuggling is an evasive technique that gets past traditional network perimeter defenses such as web proxies and email gateways, because the malware is assembled inside the network after an employee opens a web page or attachment containing a malicious HTML script. As a result, a company's network can be compromised even if gateway devices inspect for suspicious EXE, ZIP, or Office files.
"When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall," Microsoft warns.
HTML smuggling is a phishing method that uses HTML5 and JavaScript to hide malicious payloads as encoded or encrypted strings inside an HTML attachment or web page. When the user opens the attachment or clicks the link, the browser decodes those strings. A phishing HTML attachment, for example, might contain what looks like a harmless link to a well-known website. When the user clicks it, JavaScript decodes the encoded string embedded in the page and assembles it into a malicious file, which is downloaded instead.
Because the payload exists only in encoded form until that point, security software does not recognize it as harmful. And because JavaScript assembles the payload on the target machine, the finished file never crosses the perimeter, so firewalls and other controls that would normally block it never get the chance to inspect it.
"Disabling JavaScript could mitigate HTML smuggling created using JavaScript Blobs. However, JavaScript is used to render business-related and other legitimate web pages," Microsoft explains. "In addition, there are multiple ways to implement HTML smuggling through obfuscation and numerous ways of coding JavaScript, making the said technique highly evasive against content inspection." Between July and August, Microsoft discovered an increase in HTML smuggling in campaigns that transmit RATs like AsyncRAT/NJRAT.
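Microsoft's point above is that a single indicator such as "the page uses a Blob" is useless on its own, because legitimate pages do the same; what distinguishes smuggling is the combination of an embedded encoded string, a script that decodes it into a Blob, and code that hands the result to the user as a file download. The following scanner, an added example rather than anything from Microsoft's report, applies exactly that combination to HTML attachments and also decodes any long base64 literal it finds to sniff the file type being assembled. The two sample pages and the payload are constructed for the example: the "payload" is a ZIP magic number followed by zero bytes, not a real archive, and the benign sample is an in-browser CSV export that uses a Blob legitimately.

```python
import base64
import re
from dataclasses import dataclass

# Building blocks of a Blob-based smuggling page, as described in the text:
# decode an embedded string, wrap it in a Blob, and offer it as a download.
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)", re.I),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob", re.I),
}

# A long quoted base64 literal is the smuggled payload in encoded form.
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")


@dataclass
class ScanResult:
    indicators: list       # indicator names that matched
    payload_kinds: list    # sniffed type of each decodable base64 literal
    suspicious: bool       # True only when the full smuggling chain is present


def sniff(payload: bytes) -> str:
    """Classify decoded bytes by file magic (the file types gateways look for)."""
    if payload.startswith(b"MZ"):
        return "PE executable"
    if payload.startswith(b"PK\x03\x04"):
        return "ZIP archive"
    if payload.startswith(b"%PDF"):
        return "PDF"
    if payload.startswith(b"\xd0\xcf\x11\xe0"):
        return "OLE (legacy Office)"
    return "unknown"


def scan_html(html: str) -> ScanResult:
    """Flag a page only when it decodes an embedded payload AND hands it over as a file."""
    found = [name for name, rx in INDICATORS.items() if rx.search(html)]
    kinds = []
    for match in BASE64_LITERAL.finditer(html):
        try:
            kinds.append(sniff(base64.b64decode(match.group(1), validate=True)))
        except ValueError:      # binascii.Error is a ValueError: not real base64
            continue
    assembles_file = "blob_constructor" in found or "ms_save_blob" in found
    hands_to_user = any(n in found for n in
                        ("object_url", "download_attr", "programmatic_click", "ms_save_blob"))
    return ScanResult(found, kinds, assembles_file and hands_to_user and bool(kinds))


# Constructed fixture: ZIP magic plus 200 zero bytes, NOT a real archive.
FAKE_PAYLOAD_B64 = base64.b64encode(b"PK\x03\x04" + bytes(200)).decode()

# Constructed smuggling-style attachment built around that inert payload.
SMUGGLING_SAMPLE = f"""<html><body><p>Please find the invoice attached.</p>
<script>
  var encoded = "{FAKE_PAYLOAD_B64}";
  var bytes = Uint8Array.from(atob(encoded), c => c.charCodeAt(0));
  var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'invoice.zip';
  a.click();
</script></body></html>"""

# Constructed benign page: a Blob download with no embedded encoded payload.
BENIGN_EXPORT_SAMPLE = """<html><body><script>
  function exportCsv(rows) {
    var blob = new Blob([rows.join('\\n')], {type: 'text/csv'});
    var a = document.createElement('a');
    a.href = URL.createObjectURL(blob);
    a.download = 'report.csv';
    a.click();
  }
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("smuggling", SMUGGLING_SAMPLE), ("benign export", BENIGN_EXPORT_SAMPLE)):
        print(label, scan_html(page))
```

Run on the two fixtures, the benign CSV exporter trips four of the six indicators yet is not flagged, because it contains no encoded payload; the smuggling sample is flagged and its literal sniffs as a ZIP. The caveat Microsoft raises still applies: obfuscated scripts can rename or split every token matched here, so a regex pass like this belongs on the cheap, first-tier side of content inspection, not as the only control.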