Microsoft says it has observed an increase in the use of HTML smuggling in malicious attacks distributing remote access Trojans (RATs), banking malware, and other malicious payloads.
Phishing emails are used either to deliver specially crafted HTML attachments or to direct the intended victim to a malicious web page designed to smuggle the script.
Microsoft said it observed the Chinese threat actor NOBELIUM leveraging the technique in a series of attacks in May, and is now seeing the same method being used to deliver AsyncRAT/NJRAT, Trickbot, and the banking Trojan Mekotio.
Because the malicious payload is built behind the firewall, the technique allows adversaries to easily bypass standard perimeter security controls that check network traffic for suspicious attachments or patterns.
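Because the payload is assembled in the browser rather than carried over the wire, inspection has to move to the HTML attachment itself. The following heuristic scanner is an added example (not Microsoft's tooling or anything from the reported campaigns): it scores an HTML document on the client-side download pattern the technique relies on (base64 decoded with atob, wrapped in a Blob, handed to the user via an anchor download or navigator.msSaveOrOpenBlob). Indicator names, weights, threshold and the two sample documents are all constructed for this example.

```python
"""Heuristic scanner for HTML smuggling indicators in e-mail attachments (added example)."""
import re

# (indicator name, pattern, weight). Names and weights are this example's own choices,
# not a published detection rule.
INDICATORS = [
    ("js_blob_ctor", re.compile(r"new\s+Blob\s*\(", re.I), 2),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\(", re.I), 2),
    ("ms_save_blob", re.compile(r"msSaveOrOpenBlob\s*\(", re.I), 3),
    ("base64_decode", re.compile(r"\batob\s*\(", re.I), 1),
    ("anchor_download", re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I), 2),
    ("programmatic_click", re.compile(r"\.click\s*\(\s*\)", re.I), 1),
    # A long base64 string literal: the smuggled file stored inline in the page.
    ("base64_literal", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"), 3),
]
THRESHOLD = 6  # constructed cut-off; tune against your own mail corpus


def scan_html(html: str) -> dict:
    """Return the matched indicator names, their summed weight, and a verdict."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= THRESHOLD}


# Constructed fixtures. The "payload" below is just "ABC" repeated, base64-encoded.
_B64 = "QUJD" * 60
SUSPICIOUS = """<html><body><script>
var data = atob('""" + _B64 + """');
var blob = new Blob([data], {type: 'application/octet-stream'});
if (navigator.msSaveOrOpenBlob) { navigator.msSaveOrOpenBlob(blob, 'doc.zip'); }
else { var a = document.createElement('a'); a.href = URL.createObjectURL(blob);
       a.download = 'doc.zip'; a.click(); }
</script></body></html>"""

BENIGN = """<html><body><p>Your monthly statement is available in the portal.</p>
<a href="https://example.com/login">Sign in</a>
<script>document.title = 'Statement';</script></body></html>"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_html(doc))
```

Any single indicator is common in legitimate pages (file-export features use Blob and download links too), so the verdict rests on the combination; a mail gateway would typically feed the score into a sandbox or quarantine decision rather than block outright.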
The tech giant said it observed HTML smuggling being used in attacks against banking users in Brazil, Mexico, Spain, Peru, and Portugal, where adversaries were looking to infect victim systems with either Mekotio or Ousaban.
The technique is also making its way into the arsenal of sophisticated threat actors, such as NOBELIUM.
In July and August, adversaries employed HTML smuggling to deliver remote access Trojans (RATs) such as AsyncRAT/NJRAT, while in September the method was used to deploy Trickbot, likely by DEV-0193, an emerging financially motivated cybercrime ring.
The threat actor mainly targets healthcare and education organizations, and shows close connections with ransomware operators, such as those behind Ryuk. DEV-0193 seeks to compromise organizations to sell unauthorized access to ransomware operators.