Microsoft has flagged a relatively new style of attack, dubbed “HTML smuggling”, which is being used in email campaigns that deploy banking malware and remote access Trojans (RATs), and as part of targeted hacking attacks.
It’s a nasty trick that bypasses standard network perimeter security, such as web proxies and email gateways, since the malware is built inside the network after an employee opens a web page or attachment with the malicious HTML script. So, a company’s network can be hit even if gateway devices check for suspicious EXE, ZIP, or Office documents.
“When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall,” Microsoft warns.
The style of attack is notable because it’s been used by Kremlin-backed hackers – tracked by Microsoft as Nobelium. Since then, it has been adopted by cybercriminals.
Microsoft has found that between July and August there was an uptick in HTML smuggling in campaigns that deliver RATs such as AsyncRAT/NJRAT.
“In September, we saw an email campaign that leverages HTML smuggling to deliver Trickbot. Microsoft attributes this Trickbot campaign to an emerging, financially motivated cybercriminal group we’re tracking as DEV-0193,” says Microsoft.