
DCRat Malware Propagates via HTML Smuggling

 

Russian-speaking users have been targeted in a new campaign aimed at distributing a commodity trojan known as DCRat (aka DarkCrystal RAT) using HTML smuggling.

This is the first time the malware has been propagated via this technique, which differs from past delivery channels such as hijacked or bogus websites, phishing emails with PDF attachments, or macro-laced Microsoft Excel documents.

"HTML smuggling is primarily a payload delivery mechanism," Netskope researcher Nikhil Hegde stated in an analysis published last week. "The payload can be embedded within the HTML itself or retrieved from a remote resource."

The HTML file, in turn, can be distributed through fraudulent websites or malspam operations. When the file is launched from the victim's web browser, the hidden payload is decrypted and downloaded to the system. The assault subsequently relies on some form of social engineering to persuade the victim to open the malicious payload. 

Netskope claims to have identified HTML pages in Russian that, when opened in a web browser, automatically download a password-protected ZIP archive to disk in an attempt to evade detection. The ZIP payload contains a nested RarSFX package, which eventually leads to the deployment of the DCRat malware.

DCRat, which was first launched in 2018, can be used as a full-fledged backdoor and can be used with various plugins to expand its capabilities. It can run shell commands, record keystrokes, and exfiltrate data and credentials, among other things. Organisations should check HTTP and HTTPS traffic to verify that systems do not communicate with malicious domains. 

The development comes as Russian businesses have been targeted by a threat cluster known as Stone Wolf, which tried to infect them with Meduza Stealer by sending phishing emails posing as legitimate providers of industrial automation systems. 

"Adversaries continue to use archives with both malicious files and legitimate attachments which serve to distract the victim," BI.ZONE noted. "By using the names and data of real organizations, attackers have a greater chance to trick their victims into downloading and opening malicious attachments."

It also comes after the rise of malicious campaigns that most likely used generative artificial intelligence (GenAI) to write VBScript and JavaScript code used to propagate AsyncRAT via HTML smuggling. 

"The scripts' structure, comments and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," HP Wolf Security stated. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints."

Phishing Campaigns Exploit Cloudflare Workers to Harvest User Credentials

 

Cybersecurity researchers are raising alarms about phishing campaigns that exploit Cloudflare Workers to serve phishing sites designed to harvest user credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail. This attack method, known as transparent phishing or adversary-in-the-middle (AitM) phishing, employs Cloudflare Workers to act as a reverse proxy for legitimate login pages, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens, according to Netskope researcher Jan Michael Alcantara. 

Over the past 30 days, the majority of these phishing campaigns have targeted victims in Asia, North America, and Southern Europe, particularly in the technology, financial services, and banking sectors. The cybersecurity firm noted an increase in traffic to Cloudflare Workers-hosted phishing pages starting in Q2 2023, with a spike in the number of distinct domains from just over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024. The phishing campaigns utilize a technique called HTML smuggling, which uses malicious JavaScript to assemble the malicious payload on the client side, evading security protections. 

Unlike traditional methods, the malicious payload in this case is a phishing page reconstructed and displayed to the user on a web browser. These phishing pages prompt victims to sign in with Microsoft Outlook or Office 365 (now Microsoft 365) to view a purported PDF document. If users follow through, fake sign-in pages hosted on Cloudflare Workers are used to harvest their credentials and multi-factor authentication (MFA) codes. "The entire phishing page is created using a modified version of an open-source Cloudflare AitM toolkit," Alcantara said. 

Once victims enter their credentials, the attackers collect tokens and cookies from the responses, gaining visibility into any additional activity performed by the victim post-login. HTML smuggling is increasingly favored by threat actors for its ability to bypass modern defenses, serving fraudulent HTML pages and other malware without raising red flags. One highlighted instance by Huntress Labs involved a fake HTML file injecting an iframe of the legitimate Microsoft authentication portal retrieved from an actor-controlled domain. This method enables MFA-bypass AitM transparent proxy phishing attacks using HTML smuggling payloads with injected iframes instead of simple links. 

Recent phishing campaigns have also used invoice-themed emails with HTML attachments masquerading as PDF viewer login pages to steal email account credentials before redirecting users to URLs hosting "proof of payment." These tactics leverage phishing-as-a-service (PhaaS) toolkits like Greatness to steal Microsoft 365 login credentials and bypass MFA using the AitM technique. The financial services, manufacturing, energy/utilities, retail, and consulting sectors in the U.S., Canada, Germany, South Korea, and Norway have been top targets. 

Threat actors are also employing generative artificial intelligence (GenAI) to craft effective phishing emails and using file inflation methods to evade analysis by delivering large malware payloads. Cybersecurity experts underscore the need for robust security measures and oversight mechanisms to combat these sophisticated phishing campaigns, which continually evolve to outsmart traditional detection systems.

Threat Actors Prefer Archive Files for Deploying Malware Infections


Hackers prefer archive files, not MS Office

Archive files in formats like .zip and .rar are now a popular way of distributing malware. HP Wolf Security's report findings show that MS Office documents were no longer the most popular file format used in malware attacks. The company's third-quarter report reveals that archive files accounted for a 42% share of attacks, whereas Office documents recorded a 40% share.

The report also noted a sharp rise in the popularity of archives, with usage of these formats up by as much as 22% since the first quarter of the year. According to the HP Wolf Security team, attackers prefer archive files because they are difficult to inspect.

"Archives are attractive to threat actors because they are easily encrypted, making them difficult for web proxies, sandboxes, and email scanners to detect malware. Moreover, many organizations use encrypted archives for legitimate reasons, making it challenging to reject encrypted archive email attachments by policy," the report said. 
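The two observations above, that password-protected archives cannot be opened by scanners and that the DCRat chain hides a nested RarSFX stage inside one, can still be acted on from the ZIP central directory, which stays readable even when the members are encrypted. The following Python is an added example written for this page, not code from HP Wolf Security or Netskope; the suffix list and the hold policy are assumptions, and both archives are constructed in memory rather than taken from a real sample.

```python
import io
import struct
import zipfile
import zlib

# Member names that point to a further stage inside the archive, such as the RarSFX
# package nested in the password-protected ZIP described above (assumed list).
NESTED_SUFFIXES = (".rar", ".zip", ".7z", ".exe", ".sfx")

def build_zip(members, encrypted=False):
    """Build a minimal stored ZIP in memory (constructed test data). encrypted=True sets
    general-purpose flag bit 0, as a password-protected archive does, without encrypting."""
    flag = 0x0001 if encrypted else 0
    local, central, offset = b"", b"", 0
    for name, data in members:
        n = name.encode()
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # Local header: sig, version, flags, method, time, date (1980-01-01), crc, sizes, lengths
        hdr = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 33,
                          crc, len(data), len(data), len(n), 0)
        local += hdr + n + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0, 0, 33,
                               crc, len(data), len(data), len(n), 0, 0, 0, 0, 0, offset) + n
        offset += len(hdr) + len(n) + len(data)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members),
                       len(central), len(local), 0)
    return local + central + eocd

def triage_zip(blob):
    """Inspect only the central directory, which stays readable when the members
    are password-protected, and return (finding, member) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x0001:
                findings.append(("encrypted-member", info.filename))
            if info.filename.lower().endswith(NESTED_SUFFIXES):
                findings.append(("nested-archive-or-sfx", info.filename))
    return findings

def should_hold(blob):
    """Policy hook (assumed): hold the attachment when an encrypted archive also
    carries a nested archive or SFX stage, the combination the DCRat chain relies on."""
    kinds = {kind for kind, _ in triage_zip(blob)}
    return {"encrypted-member", "nested-archive-or-sfx"} <= kinds

# Constructed samples: a plain archive with a document, and a password-protected one with an SFX stage.
PLAIN_ZIP = build_zip([("report.docx", b"docx-placeholder")])
STAGED_ZIP = build_zip([("contract_scan.exe", b"sfx-placeholder"),
                        ("readme.txt", b"open the attached file")], encrypted=True)
```

The check deliberately never calls `ZipFile.open()`, so it works on archives whose contents a sandbox or email scanner could not decrypt.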

Rise in HTML Smuggling Attacks

Besides the increase in archive files, HP Wolf Security logged a rise in "HTML smuggling" attacks, which, likewise, can escape security measures by using common file types. 

In this case, the user is sent a malicious PDF file with HTML embedded in it. When opened, the PDF redirects the user to a fake download page for a common reader such as Adobe Acrobat. The page then attempts to serve an archive file containing the actual malware payload.

Threat actors prefer Qakbot malware strain

The researchers found that one group in particular, "Qakbot", favors the HTML smuggling technique to get its malware onto end-user machines. The group, which went on a rampage during the summer, has restarted its activities.

Qakbot is a highly effective malware strain that has been used by attackers to steal data and deploy ransomware. Most of these recent campaigns rely on HTML to compromise systems, moving away from malicious Office documents as the strain's standard delivery method.

Finally, the team found that a traditional approach to ransomware is making a comeback. Magniber, a so-called "single-client ransomware" operation, profits not by attacking big organizations and demanding multi-million dollar ransoms, but by targeting individual PCs, locking up the data and asking users for a $2,500 payout.

The method goes back to the early times of ransomware when individual systems were attacked en masse with hopes of achieving a greater number of successful infections and ransom payments. 

Alex Holland, a senior malware analyst at HP, said:

"Every threat actor has a different set of capabilities and resources that factor into what tactics, techniques, and procedures they use. Targeting individuals with single-client ransomware like Magniber requires less expertise, so this style of attack may appeal to threat actors with fewer resources and know-how who are willing to accept lower ransoms from victims."


Microsoft Issued a Warning About a Rise in HTML Smuggling Phishing Attacks

 

Malware campaigns that use HTML smuggling to deliver banking malware and remote access trojans (RATs) have increased, according to Microsoft. While HTML smuggling is not a new tactic, it is increasingly being employed to avoid detection by threat actors such as Nobelium, the hacking group behind the SolarWinds attacks.

HTML smuggling is a nasty method that gets through traditional network perimeter security measures like web proxies and email gateways because the malware is created within the network after an employee opens a web page or attachment that contains a malicious HTML script. As a result, even if gateway devices check for suspicious EXE, ZIP, or Office documents, a company's network can be compromised. 

"When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall," Microsoft warns. 

HTML smuggling is a phishing method that uses HTML5 and JavaScript to encrypt strings in an HTML attachment or webpage to hide harmful payloads. When a user opens an attachment or clicks a link, the browser decodes these strings. A phishing HTML attachment, for example, could include a harmless link to a well-known website, making it appear non-malicious. When a user clicks on the link, however, JavaScript decodes an encrypted or encoded string in the link and converts it into a harmful attachment that is downloaded instead. 

Because the malicious payload is encoded at first, security software does not recognize it as harmful. Furthermore, because JavaScript assembles the payload on the target machine, it gets around any firewalls and security measures that would normally stop the malicious file from getting past the perimeter. 

"Disabling JavaScript could mitigate HTML smuggling created using JavaScript Blobs. However, JavaScript is used to render business-related and other legitimate web pages," Microsoft explains. "In addition, there are multiple ways to implement HTML smuggling through obfuscation and numerous ways of coding JavaScript, making the said technique highly evasive against content inspection." Between July and August, Microsoft discovered an increase in HTML smuggling in campaigns that transmit RATs like AsyncRAT/NJRAT.
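Because the mechanism described above leaves recognisable traces in the HTML itself (a string decoded in the browser, a Blob or object URL built from it, and an anchor with a download attribute that is clicked by script), a gateway can score an attachment on those traces before a browser ever renders it. The Python below is an added example for this page, not Microsoft's detection logic; the indicator weights and threshold are assumed values, and both sample pages are constructed here with filler in place of any real payload.

```python
import re

# Indicators drawn from the mechanism described above: an encoded string is decoded in
# the browser, wrapped in a Blob, and pushed to the user through an anchor carrying a
# download attribute. The weights are assumed values for this example, not a standard.
INDICATORS = {
    "blob-construction":  (re.compile(r"new\s+Blob\s*\(", re.I), 3),
    "object-url":         (re.compile(r"URL\.createObjectURL\s*\(", re.I), 3),
    "ms-save-blob":       (re.compile(r"msSaveOrOpenBlob|msSaveBlob", re.I), 3),
    "base64-decode":      (re.compile(r"\batob\s*\(", re.I), 2),
    "large-b64-literal":  (re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"), 2),
    "download-attribute": (re.compile(r"<a\b[^>]*\bdownload\b|\.download\s*=", re.I), 1),
    "scripted-click":     (re.compile(r"\.click\s*\(\s*\)", re.I), 1),
}
THRESHOLD = 6  # a bare download link scores 1; the decode-plus-Blob chain scores 12

def scan_html(html):
    """Return (score, sorted indicator names) for one HTML document or attachment."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(html)]
    return sum(INDICATORS[name][1] for name in hits), sorted(hits)

def is_suspicious(html):
    """Verdict for a mail-gateway or proxy hook: hold the file at or above THRESHOLD."""
    return scan_html(html)[0] >= THRESHOLD

# Constructed samples, not taken from any campaign. The benign page links to a static
# file; the second page is the smuggling skeleton with filler in place of a payload.
BENIGN_PAGE = """<html><body><p>Quarterly report</p>
<a href="/files/report.pdf" download="report.pdf">Download the PDF</a>
</body></html>"""
FILLER_B64 = "QUJD" * 60  # 240 characters of valid base64; decodes to "ABC" repeated
SMUGGLING_PAGE = """<html><body><script>
var raw = atob("%s");
var blob = new Blob([raw], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();
</script></body></html>""" % FILLER_B64
```

As the Microsoft quote notes, obfuscation can split or rename these tokens, so a scorer like this is a first-pass filter to be paired with endpoint controls, not a complete defence.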

Hackers Applying HTML Smuggling To Distribute Malware

 

Another recent spam email campaign, which abused a technique named "HTML smuggling" to circumvent email security measures and deliver malware to users' devices, was identified by Microsoft's security team. The campaign has been running for weeks.

Microsoft Corporation is an international American technology firm that develops computer software, consumer devices, computers, and associated services. 

HTML smuggling is a method for getting past security systems by generating the malicious HTML behind the firewall, in the browser on the targeted endpoint.

By leveraging HTML5 and JavaScript features, the technique bypasses conventional network security controls such as email scanners, proxies, and sandboxes. It does this by producing the malicious HTML code on the target device, in the browser, which already sits inside the network security perimeter.

Typically, network security solutions work by analyzing the 'wire', the information flowing across the network, to search for known malware signatures and patterns within the byte stream. With HTML smuggling, the malicious payload is built on the target device in the browser, so nothing recognisable is passed to the network security systems for detection.

The underlying idea behind an HTML-based email lure is to include a link to a document that does not look harmful when scanned, rather than attaching a file type that email security programs deem harmful, such as EXE, DOC, MSI, and others.

Furthermore, the technique uses HTML attributes such as "href" and "download", together with JavaScript code, so that the browser assembles the harmful file and then accesses it via a URL within the browser.

This approach isn't new: it has been known in theory since the mid-2010s, malware authors have used it since at least 2019, and it was detected throughout 2020.

Microsoft stated in a series of tweets on Friday that it tracked an email spam campaign that lasted weeks and abused HTML smuggling to drop a malicious ZIP file on machines.

The files inside the ZIP infect users with the banking trojan Casbaneiro (Metamorfo). Casbaneiro is a traditional Latin American banking trojan that focuses on Brazilian and Mexican banks and cryptocurrency services. It relies on social engineering, displaying fake pop-up windows that attempt to entice potential victims into providing sensitive information, which is stolen if the lure succeeds.

Although Microsoft has announced that Microsoft Defender for Office 365 can recognize HTML-smuggled files, the OS maker issued a warning on Friday for users who are not its customers, or who are unaware of the technique, or who do not have email security products that scan incoming emails.