Microsoft says it has observed an increase in the use of HTML smuggling in malicious attacks distributing remote access Trojans (RATs), banking malware, and other malicious payloads.
HTML smuggling leverages HTML5/JavaScript for the download of files onto a victim machine, which in this case of these attacks is an encoded malicious script designed to assemble the final payload directly on the victim computer.
Phishing emails are used to either deliver specially crafted HTML attachments or to direct the intended victim to a web page malicious page designed to smuggle the script.
Microsoft said it observed the Chinese threat actor NOBELIUM leveraged the technique in a series of attacks in May, and is now seeing the same method being used to deliver AsyncRAT/NJRAT, Trickbot, and the banking Trojan Mekotio.
Because the malicious payload is built behind the firewall, the technique allows adversaries to easily bypass standard perimeter security controls that check network traffic for suspicious attachments or patterns.
“Because the malicious files are created only after the HTML file is loaded on the endpoint through the browser, what some protection solutions only see at the onset are benign HTML and JavaScript traffic, which can also be obfuscated to further hide their true purpose,” Microsoft said.
[ Related: Ongoing Campaign Uses HTML Smuggling for Malware Delivery ]
The tech giant said it observed HTML smuggling being used in attacks against banking users in Brazil, Mexico, Spain, Peru, and Portugal, where adversaries were looking to infect victim systems with either Mekotio or Ousaban.
The technique is also making its way into the arsenal of sophisticated threat actors, such as NOBELIUM.
In July and August, adversaries employed HTML smuggling to deliver remote access Trojans (RATs) such as AsyncRAT/NJRAT, while in September the method was used to deploy Trickbot, likely by DEV-0193, an emerging financially motivated cybercrime ring.
The threat actor mainly targets healthcare and education organizations, and shows close connections with ransomware operators, such as those behind Ryuk. DEV-0193 seeks to compromise organizations to sell unauthorized access to ransomware operators.
Disabling JavaScript could prevent such attacks, but that option might not be viable within enterprise environments, where business-related pages and other legitimate resources depend on JavaScript. Thus, a multi-layered defensive approach is recommended.
Related: Ongoing Campaign Uses HTML Smuggling for Malware Delivery
Related: IcedID Trojan Operators Experimenting With New Delivery Methods
