Trustwave SpiderLabs researchers have cited an increased prevalence of HTML smuggling activity whereby cyber criminal groups abuse the versatility of HTML in combination with social engineering to distribute malware.
The firm has detailed four recent HTML smuggling campaigns attempting to lure users into saving and opening malicious payloads, impersonating well-known brands such as Adobe Acrobat, Google Drive, and the US Postal Service to increase the chances of users falling victim.
It is not a new attack method, but it has grown in popularity since Microsoft started blocking macros in documents from the internet by default, Trustwave SpiderLabs wrote. The four malware strains that have recently been detected using HTML smuggling in their infection chain are Cobalt Strike, Qakbot, IcedID, and Xworm RAT, the firm added.
HTML smuggling attacks difficult to stop
HTML smuggling attacks can be challenging to prevent and protect against, Karl Sigler, senior security research manager at Trustwave SpiderLabs, tells CSO.
“Users often know to avoid unexpected attachments in formats like Word DOCX or PDF, but unfortunately, HTML files are often considered safe. HTML attachments happen quite a bit, especially when HTML formatting of an email gets stripped to plain text and then attached to the email itself.”
When brand impersonation is involved, things can be even more tricky, Sigler adds. “If users will think that Google Drive or Acrobat is telling them that there’s an issue with a file they need to open, they could then trust that it’s Adobe or Google telling them to use the local copy.
"This is a very common technique among phishers. Users should understand that HTML files attached to unexpected emails are just as great a risk as any other malicious attachment.”
Cobalt Strike HTML smuggling campaign detected in December 2022
In December, Trustwave SpiderLabs uncovered a spam email HTML attachment dropping Cobalt Strike via Adobe PDF viewer-themed impersonation.
“When the HTML is loaded, it drops an ISO file containing an LNK [Windows Shortcut] file that, when clicked, launches the payload execution sequence,” the company wrote.
“The LNK file starts PowerShell to execute the PowerShell script masqueraded in a ‘.log’ extension rather than ‘.ps1’. Modifying the extension attempts to evade defences and tricks the user into thinking that it is a typical log file.”
The initial PowerShell script sets the groundwork for the successful execution of the Cobalt Strike payload and checks if the target system is part of a domain, the research added.
Microsoft Defender’s real-time monitoring is then disabled before an LNK shortcut file is created pointing to the Cobalt Strike payload in the start-up folder. “Otherwise, it loads the decoy PDF document and terminates the sequence. To conceal the malicious activity, the script loads the decoy PDF document before launching the main payload.”
Qakbot using HTML smuggling since June 2022
Qakbot has been using HTML smuggling since June 2022, Trustwave SpiderLabs wrote. It involves impersonation of Google Drive and tricks users into clicking a HTML attachment, which causes an encrypted ZIP archive to be saved to disk.
IcedID/Bokbot HTML smuggling campaign uses email threat hijacking
Malware strain IcedID (or Bokbot) has also been observed using HTML smuggling of late, showing some similarities with Qakbot in terms of delivery method, according to Trustwave SpiderLabs.
“In this sample, IcedID was delivered through a thread-hijacked email with an HTML attachment,” the firm stated. A thread-hijacked email contains malicious messages, links, or attachments that are inserted by threat actors into a legitimate email conversation.
“After loading in the browser, the HTML, impersonating a PDF document viewer [Adobe], drops a password-protected ZIP archive with an embedded ISO disk image file,” the researchers wrote. “The HTML template contains the archive’s password. Inside the ISO file is an LNK file, a decoy PNG image, and the IcedID DLL.”
Clicking the LNK file starts the command line to load the decoy PNG image, while in the background, rundll32 loads the initial IcedID DLL with the PluginInit parameter. IcedID has implemented a range of delivery methods since 2017, favouring email as its initial access vector, Trustwave SpiderLabs said.
Xworm RAT HTML smuggling campaign impersonates US Postal Service
The fourth HTML smuggling sample uncovered by Trustwave SpiderLabs was an Xworm RAT, which is a .NET-compiled malware capable of monitoring user activities including keystrokes and screen activities.
“The email purports to be from the US Postal Service with the subject line reading “Your shipment is out for delivery” and includes an HTML file attachment. When the recipient opens the HTML, it will be loaded in the browser and automatically drops an ISO disk image to the target system,” Trustwave SpiderLabs wrote.
The ISO file contains a Visual Basic Script (VBS) file, which the user must open for it to be mounted and double-click the VBScript code for the infection chain to continue.
“When executed, the VBScript code launches PowerShell commands to retrieve two encoded blobs.” The second blob is the main payload which turns out to be an Xworm RAT, according to Trustwave SpiderLabs.
How to prevent, mitigate HTML smuggling risks
To help stop and mitigate HTML smuggling risks, teams in charge of preventing phishing and spam should revisit their email gateway solution to make sure that it handles threats like HTML smuggling, Sigler says.
“Most email gateways and spam filters are adjusting to this trend and should be able to filter out most of these attacks. However, for emails that do arrive in someone’s inbox, security awareness training needs to be updated to communicate the risks to end users.”
What’s more, email admins may want to institute an allow list for users that are allowed to send attachments, while stripping attachments out from unknown external sources, he adds.