HTML Smuggling Phishing Attacks: The New Weapon In Attackers’ Arsenal


HTML smuggling is a highly evasive technique for delivering malware and other malicious files. The Microsoft Threat Intelligence Center (MSTIC) recently revealed that use of this attack tactic is on the rise. The attack uses legitimate JavaScript and HTML5 features to deploy the malware, which makes the threat challenging to detect.

HTML smuggling has been seen in targeted spear-phishing email campaigns that deliver banking Trojans (such as Mekotio), remote access Trojans (RATs) like AsyncRAT/NJRAT, and Trickbot. These types of malware help cyber adversaries access compromised devices and gain control over them to deliver ransomware or other payloads.

What is HTML Smuggling?

HTML smuggling gets its name from the way it is carried out. The attackers launch the attack by smuggling (hiding) an encoded JavaScript blob in an HTML attachment sent via email. Once the victim clicks on the attachment, it opens in the browser, which decodes the script. The script is then executed to assemble the malware payload and deploy it onto the compromised computer or host device.

Malware payloads usually have to cross the network when a malicious attachment is opened or a malicious link is clicked. In this case, the payload is created within the host. It therefore does not have to go through the network, and it bypasses the email filters responsible for detecting and alerting on malicious attachments.

How does it work?

HTML smuggling builds on legitimate features: the “download” attribute of HTML5 and the JavaScript Blob. Almost all modern browsers support these features, which makes it possible and easier for attackers to create malicious files that can be launched from behind the firewall.

For example, the attacker can send a phishing email with an HTML attachment that contains a link to a known and harmless website. The victim and the firewalls might not see this as malicious activity. But when the user clicks this harmless-looking link, the JavaScript Blob decodes the encrypted or smuggled string within it and converts it into malware or any malicious attachment. The file is then downloaded instead of the browser going to the link. The execution will be as shown below.

As you can see in the code above, the malicious payload is encoded initially, making it look harmless to security software. Hence, the security tool will consider it normal and not malicious. Furthermore, because JavaScript assembles the payload on the target system, the payload never has to pass through the firewall filters that usually detect such files at the perimeter, bypassing standard detection mechanisms. Here is a step-by-step description of how HTML smuggling is carried out.

  • When a user clicks on the HTML link, it triggers a download of the file referenced in the href attribute. For example:

<a href="/malware/evil.doc" download="innocent.doc">Click</a>

When a user clicks on the link, the file ‘evil.doc’ would be saved to the device and named ‘innocent.doc’.

  • The same can be achieved using JavaScript:

var myAnchor = document.createElement('a');
myAnchor.download = 'innocent.doc';

  • When working with JavaScript, the attacker can create the file to be downloaded with the help of a Blob. The JavaScript Blob object is a file-like representation of immutable, raw data. It can be passed to a JavaScript API that is expecting a URL. So instead of providing a URL link to the file that needs to be downloaded, the file can be created from a Blob within the JavaScript itself.

var myEvilBlob = new Blob([myEvilFile], {type: 'octet/stream'});

Finally, a URL is created using the URL.createObjectURL command. This URL is sent to the API to trigger JavaScript’s click action. This acts as if a user is clicking on the link to start the download:

var myInnocentUrl = window.URL.createObjectURL(myEvilBlob);

myAnchor.href = myInnocentUrl;

This technique is very effective and evasive, as all that the perimeter firewall would see is HTML and JavaScript, the normal, expected traffic. However, the attackers here are obfuscating the JavaScript to hide the Blob’s contents.
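The primitives in the steps above are also what a mail gateway or triage script can look for in an HTML attachment. The following is an added example, not code from the original article: a static scanner whose indicator names, 200-character threshold, verdict labels and sample inputs are all assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Indicator -> regex over inline script text; API names come from the article's snippets.
INDICATORS = {
    "blob_constructor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bURL\s*\.\s*createObjectURL\s*\("),
    "download_property": re.compile(r"\.\s*download\s*="),
    "programmatic_click": re.compile(r"\.\s*click\s*\(\s*\)"),
    "base64_decode": re.compile(r"\batob\s*\("),
    # Assumed threshold: a quoted run of 200+ base64 characters counts as an embedded blob.
    "long_encoded_literal": re.compile(r"['\"`][A-Za-z0-9+/=]{200,}['\"`]"),
}

class ScriptCollector(HTMLParser):  # gathers inline <script> bodies, counts <a download>
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.download_anchors = False, [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "a" and "download" in dict(attrs):
            self.download_anchors += 1
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def scan_html_attachment(html):
    """Return (sorted indicator names, verdict) for one HTML attachment body."""
    collector = ScriptCollector()
    collector.feed(html)
    js = "\n".join(collector.scripts)
    hits = {name for name, rx in INDICATORS.items() if rx.search(js)}
    hits |= {"download_attribute"} if collector.download_anchors else set()
    # Blob plus object URL is the in-browser file assembly; a download trigger completes it.
    assembly = {"blob_constructor", "object_url"} <= hits
    trigger = hits & {"download_property", "programmatic_click", "download_attribute"}
    return sorted(hits), "quarantine" if assembly and trigger else "review" if hits else "pass"

# Constructed samples; the long literal is 240 'A' characters, not a real payload.
SMUGGLING_SAMPLE = ("<html><script>var myEvilFile = '" + "A" * 240 + "';\n"
    "var myEvilBlob = new Blob([myEvilFile], {type: 'octet/stream'});\n"
    "var myAnchor = document.createElement('a');\n"
    "myAnchor.href = window.URL.createObjectURL(myEvilBlob);\n"
    "myAnchor.download = 'innocent.doc';</script></html>")
STATIC_LINK_SAMPLE = '<a href="/files/report.doc" download="report.doc">Click</a>'
PLAIN_SAMPLE = '<html><body><a href="https://example.com/">Read more</a></body></html>'
```

Because the script is often obfuscated, as noted above, a "pass" verdict only means these literal indicators were absent; it complements the endpoint controls in the next section and does not replace them.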

Defense against HTML smuggling / Advice from the SOC:

For endpoints, admins should block or audit activity associated with HTML smuggling, including:

  • Block JavaScript or VBScript from launching downloaded executable content
  • Block execution of potentially obfuscated scripts
  • Block executables from running unless they meet prevalence, age, and trusted list criteria
  • Segment networks to limit an attacker’s ability to move laterally
  • Implement Endpoint Detection & Response (EDR), which can help detect the download and attempted execution of malware delivered by HTML smuggling techniques to users’ PCs
  • The malware dropped onto the target system may need to be invoked by the user, in which case Security Awareness Training will help staff spot the attempts to trick them into assisting the malware

