Microsoft has warned about an attack technique known as “HTML smuggling.” It is used in email campaigns to distribute banking malware and remote access Trojans (RATs), and it has also appeared in targeted intrusions.
With HTML smuggling, an attacker “smuggles” an encoded malicious payload inside a specially crafted HTML attachment or web page, and the script on that page reassembles the payload in the victim’s browser. The Microsoft 365 Defender Threat Intelligence Team describes it as a highly evasive malware delivery technique that relies on legitimate HTML5 and JavaScript features rather than on any browser vulnerability.
Because the malicious file is assembled on the endpoint, inside the browser, only after an employee opens the web page or attachment carrying the HTML and script, the attack bypasses traditional network perimeter controls such as web proxies and email gateways: all they see in transit is HTML and JavaScript text. As a result, a company’s network can be compromised even when gateway devices inspect for suspicious EXE, ZIP, or Office files.
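The mechanism described above, as an added example that is not part of Microsoft’s report or of the original article: a constructed sample attachment that decodes a base64 string with atob(), wraps the bytes in a Blob and forces a download, followed by a small Node.js scanner of the kind a gateway could run over .html attachments. The attachment, the payload (a bare ZIP local-file-header signature plus filler, not a real archive or malware), the indicator list and the file-signature table are all constructed here for illustration; the checks are heuristic and would not see through payloads that are reversed or XOR-obfuscated before decoding.

```javascript
"use strict";

// Constructed stand-in for the smuggled payload: the ZIP local-file-header
// signature "PK\x03\x04" followed by zero filler. Not a real archive.
const FAKE_ZIP = Buffer.from([0x50, 0x4b, 0x03, 0x04, ...new Array(60).fill(0)]);

// Constructed sample attachment showing the smuggling pattern: the payload
// travels as a base64 string inside the HTML, and the victim's browser rebuilds
// the file with atob() + Blob and triggers a download, so no binary ever
// crosses the email gateway or web proxy as a binary.
const SAMPLE_ATTACHMENT = `<!doctype html>
<html><body>
<p>Loading your invoice, please wait...</p>
<script>
  var b64 = "${FAKE_ZIP.toString("base64")}";
  var bin = atob(b64);
  var bytes = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  var blob = new Blob([bytes], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.zip";
  a.click();
</script>
</body></html>`;

// Constructed benign page: a plain download link and a harmless atob() call,
// with no client-side file assembly. Used to check the scanner is not
// flagging every page that happens to decode base64.
const BENIGN_PAGE = `<!doctype html>
<html><body>
<a href="https://example.com/files/report.pdf" download>Download report</a>
<script>var greeting = atob("aGVsbG8=");</script>
</body></html>`;

// Script-level behaviours that, in combination, characterise HTML smuggling.
// The names are this example's own labels, not an established taxonomy.
const INDICATORS = [
  { name: "base64-decode",   re: /\batob\s*\(/ },
  { name: "blob-construct",  re: /\bnew\s+Blob\s*\(/ },
  { name: "object-url",      re: /\bURL\.createObjectURL\s*\(/ },
  { name: "legacy-ie-save",  re: /\bmsSave(?:OrOpen)?Blob\s*\(/ },
  { name: "forced-download", re: /\.download\s*=/ },
  { name: "auto-click",      re: /\.click\s*\(\s*\)/ },
];

// File signatures checked on decoded blobs (a small constructed table).
const MAGIC = [
  { type: "zip", bytes: [0x50, 0x4b, 0x03, 0x04] }, // "PK\x03\x04"
  { type: "pe",  bytes: [0x4d, 0x5a] },             // "MZ"
];

// Return the file type of a decoded buffer by its leading bytes, or "unknown".
function identify(buf) {
  for (const m of MAGIC) {
    if (buf.length >= m.bytes.length && m.bytes.every((b, i) => buf[i] === b)) {
      return m.type;
    }
  }
  return "unknown";
}

// Find quoted string literals that look like base64 (40+ chars, whitespace
// tolerated), decode them, and report their type and decoded length.
function extractPayloads(html) {
  const re = /["']([A-Za-z0-9+\/=\r\n\s]{40,})["']/g;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const b64 = m[1].replace(/\s+/g, "");
    if (b64.length % 4 !== 0) continue; // not padded base64, skip
    const buf = Buffer.from(b64, "base64");
    out.push({ type: identify(buf), length: buf.length });
  }
  return out;
}

// Flag a page when a decoded blob carries an archive/executable signature, or
// when the script both decodes data and hands it to the browser's file-saving
// machinery with a forced download name.
function scanHtml(html) {
  const indicators = INDICATORS.filter((i) => i.re.test(html)).map((i) => i.name);
  const payloads = extractPayloads(html);
  const knownType = payloads.some((p) => p.type !== "unknown");
  const saves = indicators.includes("object-url") || indicators.includes("legacy-ie-save");
  const suspicious = knownType ||
    (indicators.includes("base64-decode") && saves && indicators.includes("forced-download"));
  return { indicators, payloads, suspicious };
}

console.log(JSON.stringify(scanHtml(SAMPLE_ATTACHMENT), null, 2));
console.log(JSON.stringify(scanHtml(BENIGN_PAGE), null, 2));
```

Run it with node; the first result lists five indicators and one decoded payload of type "zip", the second is not flagged. The same checks can be applied by a mail gateway to .html and .htm attachments, or to HTML fetched through a proxy. Expect false positives from legitimate web applications that build files client-side (export-to-CSV and similar features use exactly this Blob and download pattern), which is why blocking the feature outright is rarely an option.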
Because most organizations run their business applications on HTML and JavaScript, the technique is a practical one for attackers. The concern is that the criminal gangs behind banking malware such as Trickbot, RATs, and other commodity malware are borrowing from state-sponsored actors, which has produced a recent spike in HTML smuggling operations. The technique drew attention when the Russian state-backed group Microsoft tracks as Nobelium used it in an earlier campaign; financially motivated cybercriminals have since adopted it.
HTML smuggling remains viable because the web is essential to business operations. Organizations could, for example, disable JavaScript in the browser, but that is generally considered impractical given how much of the web depends on it. Browser hardening efforts such as Microsoft’s Super Duper Secure Mode, which disables the JavaScript JIT compiler in Edge, and Google’s regular patching of serious vulnerabilities in Chrome’s V8 JavaScript engine reduce the risk of exploitation through memory-safety bugs, but they do not address HTML smuggling, which exploits no vulnerability and works with the browser’s standard, intended features.
Between July and August, Microsoft observed an increase in HTML smuggling campaigns delivering RATs such as AsyncRAT/NJRAT. In September, Microsoft also observed an email campaign that used HTML smuggling to deploy Trickbot, and it attributed that Trickbot activity to an emerging, financially motivated cybercriminal group it tracks as DEV-0193.