Cybersecurity (opens in new tab) researchers have once again witnessed Discord (opens in new tab) being used to host malicious payloads during an investigation into the increasing use of HTML smuggling.
A previous report from Sophos (opens in new tab) researchers showed the popular gaming-centric messaging platform has unwittingly emerged as the cybercriminals' ally (opens in new tab) as a means to host and distribute malware (opens in new tab).
Now, researchers at Menlo Security deconstructing a new attack have also found threat actors using Discord for hosting malicious payloads.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
>> Click here to start the survey in a new window (opens in new tab) <<
- These are the best endpoint protection tools
- Shield yourself with these best identity theft protection services
- Here's our choice of the best malware removal software on the market
Named ISOMorph, the campaign uses HTML smuggling to drop the first stage malware through the web browser (opens in new tab).
Attack the browser
The researchers explain that HTML smuggling helps deliver malware by effectively bypassing various network security solutions including sandboxes, legacy proxies, and firewalls (opens in new tab).
“We believe attackers are using HTML Smuggling to deliver the payload to the endpoint because the browser is one of the weakest links without network solutions blocking it,” notes Menlo Security in a blog post (opens in new tab) analyzing the ISOMorph campaign.
HTML Smuggling was also used in the most recent spear-phishing campaign (opens in new tab) by the Nobelium group, the threat actor which perpetrated the SolarWinds supply-chain attack (opens in new tab).
Popular with web developers (opens in new tab) as a means to optimize file downloads (opens in new tab), threat actors use HTML smuggling to bypass standard perimeter security, explains Menlo Security.
Once it’s in place, the dropper fetches the malicious payload and installs remote access trojans (RATs) that allow the attacker to use the infected machine for their illegitimate purposes.
- Protect your devices with these best antivirus software (opens in new tab)