Hackers Increasingly Using HTML Smuggling in Malware and Phishing Attacks
Threat actors are increasingly banking on the technique of HTML smuggling in phishing campaigns as a means to gain initial access and deploy an array of threats, including banking malware, remote administration trojans, and ransomware payloads.
HTML smuggling is an approach that allows an attacker to "smuggle" first-stage droppers, often encoded malicious scripts embedded within specially crafted HTML attachments or web pages, onto a victim machine by taking advantage of basic features in HTML5 and JavaScript rather than exploiting a vulnerability or a design flaw in modern web browsers.
Nobelium, the threat group behind the SolarWinds supply chain hack, was found leveraging this very tactic earlier this May to deliver a Cobalt Strike Beacon as part of a sophisticated email-based attack aimed at government agencies, think tanks, consultants, and non-governmental organizations located across 24 countries, including the U.S.
Beyond espionage operations, HTML smuggling has also been embraced for banking malware attacks involving the Mekotio trojan. In those attacks, adversaries send spam emails containing a malicious link that, when clicked, triggers the download of a ZIP file, which in turn contains a JavaScript file downloader that retrieves binaries capable of credential theft and keylogging.
In a sign that other actors are taking notice and incorporating HTML smuggling in their arsenal, a September email campaign undertaken by DEV-0193 was uncovered, abusing the same method to deliver TrickBot.
The attacks entail a malicious HTML attachment, which, when opened in a web browser, creates a password-protected JavaScript file on the recipient's system, prompting the victim to supply the password from the original HTML attachment.
"The surge in the use of HTML smuggling in email campaigns is another example of how attackers keep refining specific components of their attacks by integrating highly evasive techniques," Microsoft noted.
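Because the payload travels inside the HTML itself and is reassembled by JavaScript in the browser, a mail gateway can screen attachments for that combination of traits. The scanner below is an added example, not code from the article or from Microsoft; the indicator patterns, function names and sample strings are assumptions constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser

# Heuristic indicators: assumptions chosen for this example, not a vendor rule set.
DECODE = re.compile(r"\batob\s*\(|fromCharCode|Uint8Array")
BUILD = re.compile(r"new\s+Blob\s*\(|createObjectURL")
SAVE = re.compile(r"\.download\s*=|setAttribute\(\s*['\"]download|msSave(?:OrOpen)?Blob")
B64 = re.compile(r"['\"`]([A-Za-z0-9+/]{64,}={0,2})['\"`]")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\xd0\xcf\x11\xe0": "ole"}

class ScriptText(HTMLParser):
    """Collect the text of inline <script> elements."""
    def __init__(self):
        super().__init__()
        self.in_script, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)

def payload_kind(literal):
    """Decode a base64 literal and name its file type by magic bytes, if known."""
    try:
        raw = base64.b64decode(literal + "=" * (-len(literal) % 4))
    except ValueError:
        return None
    return next((kind for magic, kind in MAGIC.items() if raw.startswith(magic)), None)

def scan_attachment(html):
    """Return indicator flags for one HTML attachment or page."""
    parser = ScriptText()
    parser.feed(html)
    js = "\n".join(parser.chunks)
    kinds = sorted({k for k in map(payload_kind, B64.findall(js)) if k})
    hit = {"decodes": bool(DECODE.search(js)), "builds_blob": bool(BUILD.search(js)),
           "saves_file": bool(SAVE.search(js)), "embedded": kinds}
    hit["suspicious"] = hit["builds_blob"] and hit["saves_file"] and (hit["decodes"] or bool(kinds))
    return hit

# Constructed, non-functional sample: a ZIP header plus zero bytes, never linked or clicked.
_B64 = base64.b64encode(b"PK\x03\x04" + bytes(60)).decode()
SAMPLE = ("<script>var d=atob('" + _B64 + "');var u=URL.createObjectURL(new Blob([d]));"
          "a.download='sample.zip';</script>")
BENIGN = "<p>Report</p><script>console.log('loaded');</script>"
```

The verdict requires a Blob or object URL, a save trigger, and either a decode call or an embedded archive or executable header together, since each trait alone is common in legitimate pages.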
News URL
https://thehackernews.com/2021/11/hackers-increasingly-using-html.html