Microsoft’s cybersecurity researchers have noticed an uptick in the use of a malware delivery technique known as HTML smuggling in email campaigns that deploy banking malware, remote access Trojans (RATs), and other malicious payloads.
HTML smuggling enables attackers to conceal an encoded script within a specially crafted HTML attachment; when the recipient opens it, the attachment’s own JavaScript decodes the payload and assembles it right on the victim’s machine, so the malicious file never crosses the network in a form a gateway would recognise.
“This technique is highly evasive because it could bypass standard perimeter security controls, such as web proxies and email gateways, that often only check for suspicious attachments (for example, EXE, ZIP, or DOCX) or traffic based on signatures and patterns,” note the researchers.
The technique is effective against most protection solutions, such as antivirus apps and firewalls, because they only see what appears to be non-threatening HTML and JavaScript traffic, which, the researchers add, can also be obfuscated to further trick the protection mechanisms.
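The mechanics described above, as an added example that is not code from Microsoft’s report: a constructed, harmless HTML-smuggling attachment whose script decodes a base64 blob into a file on the client, alongside a heuristic scanner for the indicators that step leaves in the HTML itself. Everything here is an assumption made for illustration: the “executable” is a 256-byte buffer beginning with the MZ header bytes rather than a real program, the file name, indicator list, weights and the flagging threshold are invented, and the scanner is a teaching heuristic, not Microsoft 365 Defender’s logic. It runs under Node.js with no dependencies.

```javascript
// Added example for this page (not Microsoft's detection logic): a constructed,
// harmless HTML-smuggling attachment and a heuristic scanner for the indicators
// the technique leaves in the HTML itself. Runs under Node.js with no dependencies.

// --- Constructed sample: a fake "executable" (256 zero bytes with an MZ header),
// base64-encoded and dropped by the attachment's own JavaScript. ---
const fakeExe = Buffer.alloc(256);
fakeExe[0] = 0x4d; // 'M'
fakeExe[1] = 0x5a; // 'Z'
const DROP_NAME = 'sample.exe'; // constructed file name, not from any real campaign

const SMUGGLING_SAMPLE =
  '<html><body><p>Your document is loading...</p>\n' +
  '<script>\n' +
  "var b64 = '" + fakeExe.toString('base64') + "';\n" +
  'var bin = atob(b64);\n' +
  'var bytes = new Uint8Array(bin.length);\n' +
  'for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);\n' +
  "var blob = new Blob([bytes], {type: 'application/octet-stream'});\n" +
  "var name = '" + DROP_NAME + "';\n" +
  'if (window.navigator.msSaveOrOpenBlob) {\n' +
  '  window.navigator.msSaveOrOpenBlob(blob, name);\n' +
  '} else {\n' +
  "  var a = document.createElement('a');\n" +
  '  a.href = URL.createObjectURL(blob);\n' +
  '  a.download = name;\n' +
  '  document.body.appendChild(a);\n' +
  '  a.click();\n' +
  '}\n' +
  '</script></body></html>';

// Constructed benign attachment for comparison.
const BENIGN_SAMPLE =
  '<html><body><h1>Quarterly newsletter</h1>\n' +
  '<p>Read the full report on our site.</p>\n' +
  '<script>document.title = "Newsletter";</script>\n' +
  '</body></html>';

// Indicators: the browser APIs an HTML-smuggling attachment needs to turn an
// in-page string into a file on disk. Names and weights are assumptions made here.
const INDICATORS = [
  { name: 'base64 decode (atob)', re: /\batob\s*\(/ },
  { name: 'in-page Blob construction', re: /new\s+Blob\s*\(/ },
  { name: 'object URL for a download link', re: /URL\.createObjectURL\s*\(/ },
  { name: 'legacy IE/Edge save API', re: /msSaveOrOpenBlob\s*\(/ },
  { name: 'forced download attribute', re: /\bdownload\s*=/ },
  { name: 'programmatic click', re: /\.click\s*\(\s*\)/ },
];

// A run of 200+ base64 characters (150+ decoded bytes) is treated as an embedded payload.
const BASE64_RUN = /[A-Za-z0-9+/]{200,}={0,2}/g;

// Cheap magic-byte check on each decoded blob. Inline images in legitimate mail
// also produce long base64 runs, so only executable/archive types raise the score.
function sniffType(bytes) {
  if (bytes.length >= 2 && bytes[0] === 0x4d && bytes[1] === 0x5a) return 'PE executable (MZ)';
  if (bytes.length >= 4 && bytes.toString('latin1', 0, 4) === 'PK\x03\x04') return 'ZIP archive';
  if (bytes.length >= 4 && bytes.toString('latin1', 0, 4) === '%PDF') return 'PDF';
  if (bytes.length >= 8 && bytes.toString('latin1', 1, 4) === 'PNG') return 'PNG image';
  return 'unknown';
}
const DROPPABLE = new Set(['PE executable (MZ)', 'ZIP archive']);

function scanHtmlAttachment(html) {
  const hits = INDICATORS.filter((ind) => ind.re.test(html)).map((ind) => ind.name);
  const payloads = (html.match(BASE64_RUN) || []).map((run) => {
    const bytes = Buffer.from(run, 'base64');
    return { encodedLength: run.length, decodedLength: bytes.length, type: sniffType(bytes) };
  });
  // Scoring (assumed thresholds): each API indicator is worth 1, any embedded blob 2,
  // and a blob that decodes to something droppable 3. Four or more is flagged.
  let score = hits.length;
  if (payloads.length > 0) score += 2;
  if (payloads.some((p) => DROPPABLE.has(p.type))) score += 3;
  return { hits, payloads, score, suspicious: score >= 4 };
}

console.log(JSON.stringify(scanHtmlAttachment(SMUGGLING_SAMPLE), null, 2));
console.log(JSON.stringify(scanHtmlAttachment(BENIGN_SAMPLE), null, 2));
```

The scanner deliberately decodes the blob rather than stopping at “long base64 string present”, because marketing mail routinely inlines images the same way; it is the combination of a droppable file type with the Blob/object-URL/download plumbing that distinguishes smuggling. Obfuscated variants (string-split API names, payloads XOR’d before base64) defeat these literal regexes, which is exactly the refinement the researchers describe, so in practice this belongs behind, not instead of, detonation in a sandboxed browser.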
Malware silk route
The researchers share that HTML smuggling has been widely used in banking malware campaigns against targets in Brazil, Mexico, Spain, Peru, and Portugal. Beyond banking malware, sophisticated and targeted cyberattacks have also been observed to incorporate HTML smuggling in their arsenal.
They note that between July and August, open source intelligence (OSINT) community signals showed an uptick in the use of HTML smuggling in campaigns that deliver remote access Trojans (RATs) such as AsyncRAT/NJRAT, followed by an email campaign in September that leveraged HTML smuggling to deliver the Trickbot malware.
“The surge in the use of HTML smuggling in email campaigns is another example of how attackers keep refining specific components of their attacks by integrating highly evasive techniques,” note the researchers, adding that Microsoft 365 Defender uses multiple techniques, including machine learning (ML), to protect against such threats.