Microsoft has identified a new type of attack known as “HTML smuggling.” It is used in email campaigns to distribute banking malware and remote access Trojans (RATs) as well as in targeted hacking attempts.
Because the malware is assembled inside the network when an employee opens a web page or attachment containing the malicious HTML script, it bypasses traditional network perimeter security measures such as web proxies and email gateways. As a result, a company’s network might be compromised even if gateway devices check for suspicious EXE, ZIP, or Office documents.
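Since the EXE, ZIP, or Office file never crosses the gateway as a file, a defender has to inspect the HTML itself. The sketch below is an added example, not code from Microsoft or the original article: it flags HTML in which an embedded encoded payload, a script step that builds a file, and a step that saves it all occur together. The indicator lists, the 256-character threshold, and the sample documents are assumptions constructed for illustration.

```python
import re

# Heuristic indicators chosen for this example (assumptions, not a vendor rule set).
BUILD = {  # script features that can assemble a file from data embedded in the page
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "data_uri": re.compile(r"data:application/[\w.+-]+;base64,", re.I),
}
SAVE = {  # ways the assembled file is handed to the user as a download
    "download_attr": re.compile(r"\.download\s*=|<a\b[^>]*\sdownload\b", re.I),
    "object_url": re.compile(r"\bcreateObjectURL\s*\("),
    "ms_save": re.compile(r"\bmsSave(?:OrOpen)?Blob\s*\("),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def scan_html(text, min_payload=256):
    """Return indicator hits and a verdict for one HTML page or attachment."""
    build = sorted(k for k, rx in BUILD.items() if rx.search(text))
    save = sorted(k for k, rx in SAVE.items() if rx.search(text))
    longest = max((len(m.group()) for m in B64_RUN.finditer(text)), default=0)
    # Flag only when an embedded payload, a build step and a save step co-occur;
    # any one alone is common in legitimate pages (inline images, export links).
    suspicious = bool(build and save and longest >= min_payload)
    return {"build": build, "save": save, "longest_b64": longest,
            "suspicious": suspicious}


# Constructed samples. The first is an inert fragment: the payload decodes to
# a run of "A" characters and the script is incomplete on purpose.
SAMPLE_FLAGGED = (
    "<html><body><script>var raw = atob('" + "QUFB" * 100 + "');"
    "var file = new Blob([raw]); link.download = 'invoice.zip';"
    "</script></body></html>"
)
SAMPLE_INLINE_IMAGE = (
    "<html><body><img src='data:image/png;base64," + "iVBORw0K" * 60 + "'>"
    "</body></html>"
)
SAMPLE_EXPORT_LINK = "<html><body><a href='/report.csv' download>Export</a></body></html>"

if __name__ == "__main__":
    for name, doc in [("flagged", SAMPLE_FLAGGED), ("image", SAMPLE_INLINE_IMAGE),
                      ("export", SAMPLE_EXPORT_LINK)]:
        print(name, scan_html(doc))
```

Legitimate web applications also build downloads in script, so a hit from this heuristic is a reason to detonate or quarantine the HTML for review, not proof of malice.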
Between July and August, Microsoft discovered an increase in HTML smuggling campaigns that deliver RATs such as AsyncRAT/NJRAT. Microsoft said it observed an email campaign in September that used HTML smuggling to deploy Trickbot. The company also attributed this Trickbot campaign to a new, financially motivated cybercriminal gang known as DEV-0193.