Security News > 2021 > November > Hackers Increasingly Using HTML Smuggling in Malware and Phishing Attacks
Threat actors are increasingly banking on the technique of HTML smuggling in phishing campaigns as a means to gain initial access and deploy an array of threats, including banking malware, remote administration trojans, and ransomware payloads.
HTML smuggling is an approach that allows an attacker to "Smuggle" first-stage droppers, often encoded malicious scripts embedded within specially-crafted HTML attachment or web pages, on a victim machine by taking advantage of basic features in HTML5 and JavaScript rather than exploiting a vulnerability or a design flaw in modern web browsers.
Nobelium, the threat group behind the SolarWinds supply chain hack, was found leveraging this very tactic to deliver a Cobalt Strike Beacon as part of a sophisticated email-based attack aimed at government agencies, think tanks, consultants, and non-governmental organizations located across 24 countries, including the U.S., earlier this May. Beyond espionage operations, HTML smuggling has also been embraced for banking malware attacks involving the Mekotio trojan, what with the adversaries sending spam emails containing a malicious link that, when clicked, triggers the download of a ZIP file, which, in turn, contains a JavaScript file downloader to retrieve binaries capable of credential theft and keylogging.
In a sign that other actors are taking notice and incorporating HTML smuggling in their arsenal, a September email campaign undertaken by DEV-0193 was uncovered, abusing the same method to deliver TrickBot.
The attacks entail a malicious HTML attachment, which, when opened on a web browser, creates a password-protected JavaScript file on the recipient's system, prompting the victim to supply the password from the original HTML attachment.
"The surge in the use of HTML smuggling in email campaigns is another example of how attackers keep refining specific components of their attacks by integrating highly evasive techniques," Microsoft noted.
News URL
https://thehackernews.com/2021/11/hackers-increasingly-using-html.html
Related news
- Chinese FamousSparrow hackers deploy upgraded malware in attacks (source)
- Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery (source)
- DPRK Hackers Steal $137M from TRON Users in Single-Day Phishing Attack (source)
- Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks (source)
- North Korean hackers adopt ClickFix attacks to target crypto firms (source)
- Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks (source)
- Open-source malware doubles, data exfiltration attacks dominate (source)
- Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware (source)
- North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages (source)
- CISA and FBI Warn Fast Flux is Powering Resilient Malware, C2, and Phishing Networks (source)