
HTML smuggling: Fresh attack technique is being used to increasingly target banking sector

A new attack technique called ‘HTML smuggling’, which spreads malware via email, is increasingly targeting banking organizations, Microsoft has claimed.

The attack vector, which surfaced earlier this year, is described by the tech giant as “a highly evasive malware delivery technique” that leverages legitimate HTML5 and JavaScript features to obscure its true actions.

Microsoft said that in recent months, it has witnessed the attack targeting banks via email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads.

A blog post from the vendor explains that it first identified HTML smuggling techniques being deployed back in May, when the technique was used by the nation-state actor APT29, aka Nobelium, during a spear-phishing campaign.

“More recently, we have also seen this technique deliver the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected devices and deliver ransomware payloads and other threats,” Microsoft detailed.

The attack

HTML smuggling attacks enable a malicious actor to “smuggle” an encoded script within a specially crafted HTML attachment or web page.

If the target opens the HTML in their web browser, the malicious script is decoded and the payload is deployed on their device.

“Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall,” the blog explains.

HTML smuggling attacks bypass standard perimeter security controls, such as web proxies and email gateways, that often only check for suspicious attachments – EXE, ZIP, or DOCX files, for example – or traffic based on signatures and patterns.

The malicious files are also created after the HTML file is loaded on the endpoint through the browser, meaning that security tools may only see what they deem to be legitimate HTML content and JavaScript traffic before it’s too late.
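The two points above (the script is decoded and the file assembled inside the browser, and an extension-based gateway rule never sees an EXE or ZIP) can be checked on the attachment itself. The following is an added example, not code from the article or from Microsoft: a small content scanner for HTML attachments that looks for the browser APIs a smuggling page needs (base64 decoding, in-memory Blob construction, object URLs, a forced download) plus a long embedded base64 literal, and contrasts it with an extension-only rule. The indicator list, thresholds and both sample attachments are this example's own constructed assumptions; the "suspicious" sample carries an inert placeholder string, not a real file.

```python
import re
import base64

# Heuristic indicators of HTML smuggling: the client-side APIs that turn an
# embedded string into a file and hand it to the user. The list and the
# weights are assumptions for this example, not a vendor signature set.
INDICATORS = [
    (re.compile(r"\batob\s*\("), "base64 decode in script"),
    (re.compile(r"new\s+Blob\s*\("), "in-memory file construction"),
    (re.compile(r"createObjectURL\s*\("), "object URL for a generated file"),
    (re.compile(r"msSaveOrOpenBlob\s*\("), "legacy save-blob API"),
    (re.compile(r"\bdownload\s*="), "download attribute set from script or markup"),
    (re.compile(r"\.click\s*\(\s*\)"), "scripted click to trigger the download"),
]

# A long base64-looking literal inside the page is the smuggled payload body.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")

# What a perimeter rule that only blocks by attachment type would look at.
BLOCKED_EXTENSIONS = {".exe", ".zip", ".docx"}


def score_html(html):
    """Return matched indicators and a simple score for one HTML attachment."""
    hits = [desc for pattern, desc in INDICATORS if pattern.search(html)]
    blobs = B64_LITERAL.findall(html)
    score = len(hits) + (2 if blobs else 0)
    return {"score": score, "indicators": hits, "embedded_blobs": len(blobs)}


def is_suspicious(html, threshold=3):
    """Flag when enough of the decode-build-download chain is present."""
    return score_html(html)["score"] >= threshold


def triage(attachments):
    """Compare an extension-only gateway rule with a content scan of HTML.

    attachments: list of (filename, body) pairs.
    Returns {filename: {"extension_rule": bool, "content_scan": bool}}.
    """
    result = {}
    for name, body in attachments:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        by_extension = ext in BLOCKED_EXTENSIONS
        by_content = ext in {".html", ".htm"} and is_suspicious(body)
        result[name] = {"extension_rule": by_extension, "content_scan": by_content}
    return result


# Constructed samples (assumptions for this example, not real campaign files).
BENIGN_HTML = """<html><body>
<h1>Monthly statement</h1>
<p><a href="https://example.invalid/statements/2021-10.pdf">Download PDF</a></p>
<script>document.title = "Statement";</script>
</body></html>"""

# The embedded body is an inert placeholder, base64-encoded only so that it
# looks the way a smuggled blob looks to the scanner.
INERT_BODY = base64.b64encode(
    b"inert placeholder text, not a real payload. " * 8
).decode()

SUSPICIOUS_HTML = f"""<html><body>
<script>
  var data = "{INERT_BODY}";
  var bytes = atob(data);
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "statement.pdf";
  a.click();
</script>
</body></html>"""


if __name__ == "__main__":
    for name, body in [("notes.html", BENIGN_HTML), ("statement.html", SUSPICIOUS_HTML)]:
        print(name, score_html(body))
    print(triage([("invoice.exe", ""), ("statement.html", SUSPICIOUS_HTML)]))
```

The point of `triage` is the gap the article describes: `invoice.exe` is caught by the extension rule and `statement.html` is not, while the content scan flags `statement.html` because the whole decode-build-download chain is visible in its script before any file exists. Indicator matching of this kind is cheap and catches the plain form; obfuscated scripts that split API names or decode in stages would need the page to be rendered in a sandbox, which is a separate control.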

Timeline

Microsoft has been tracking these attacks since at least May, when it identified the Nobelium campaign.

Since then, it notes, it has seen a number of further attempts. In July and August, Microsoft said, “open-source intelligence (OSINT) community signals” showed an uptick in HTML smuggling in campaigns that deliver remote access Trojans (RATs) such as AsyncRAT/NJRAT.

In September, researchers also witnessed an email campaign that leverages HTML smuggling to deliver Trickbot, a notorious banking Trojan that has targeted organizations and institutions worldwide in the education, healthcare, and finance industries in recent years.

Microsoft has attributed this Trickbot campaign to an “emerging, financially motivated cybercriminal group” it has named ‘DEV-0193’.

DEV-0193 is believed to target organizations primarily in the health and education industries, explained Microsoft.


The vendor said that the group “works closely with ransomware operators, such as those behind the infamous Ryuk ransomware”.

“After compromising an organization, this group acts as a fundamental pivot point and enabler for follow-on ransomware attacks. They also often sell unauthorized access to the said operators.

“Thus, once this group compromises an environment, it is highly likely that a ransomware attack will follow,” Microsoft claims.

The Microsoft blog contains more technical detail on the DEV-0193 campaign. 

Source: https://portswigger.net/daily-swig/html-smuggling-fresh-attack-technique-is-being-used-to-increasingly-target-banking-sector
