Microsoft has seen a surge in malware campaigns that use HTML smuggling to distribute banking malware and remote access Trojans (RATs).
While HTML smuggling is not a new technique, Microsoft sees it increasingly being used by threat actors to evade detection, including NOBELIUM, the group behind the SolarWinds supply-chain attack.
How HTML smuggling works
HTML smuggling abuses HTML5 and JavaScript features to assemble a malicious file on the victim's machine instead of sending it across the network as a recognizable attachment. The payload travels inside the HTML page or attachment as an encoded string (typically base64); when the page is opened in a browser, its script decodes the string into a Blob and uses the HTML5 download attribute, a JavaScript-created object URL, or navigator.msSaveOrOpenBlob to write the resulting file, often an archive, to disk. Because the file only exists once the endpoint builds it, email gateways, web proxies and sandboxes that inspect the mail or HTTP stream see an HTML document containing script, not the archive or executable it will become.
Cases of distribution
Microsoft researchers have seen this technique used in Mekotio banking-trojan campaigns and in highly targeted NOBELIUM attacks.
HTML smuggling campaigns are also used to deliver the AsyncRAT and NJRAT remote access trojans, and the TrickBot trojan used to breach networks and deploy ransomware.
Attacks usually start with a phishing email that carries either an HTML link in the message body or a malicious HTML file as an attachment.
In some cases, the archive assembled on disk by the smuggling script is password-protected to further evade endpoint security scanning. The password needed to open it is displayed in the original HTML attachment, so the victim has to enter it manually.
Once the script inside is run, it executes a base64-encoded PowerShell command that downloads and installs the TrickBot trojan or other malware.
A 2020 report from Menlo Security also names the Duri campaign as one actively using HTML smuggling for payload delivery, but the technique has been seen in the wild since at least 2018.
Microsoft first warned of a sudden surge in this activity in July 2021, urging administrators to raise their defenses against it.
How to defend against HTML smuggling
Microsoft suggests administrators use behavior rules that check for common characteristics of HTML smuggling, including:
- An attachment is password protected
- An HTML file contains suspicious script code
On endpoints, administrators can use Microsoft Defender attack surface reduction (ASR) rules to block or audit activity associated with HTML smuggling, including:
- Block execution of potentially obfuscated scripts
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Ultimately, the last line of defense is the user: train users not to open files downloaded via links in emails or delivered as attachments. Any file that originates from an email should be treated with caution and examined carefully before it is opened.
Unfortunately, Windows hides file extensions for known file types by default, so a file named invoice.pdf.html is shown simply as invoice.pdf. This is why users should always be advised to enable the display of file extensions, so that a disguised HTML or script file is recognised before it is opened.