HTML smuggling has been used in targeted spear-phishing email campaigns that deliver banking Trojans (such as Mekotio), remote access Trojans (RATs) such as AsyncRAT/NJRAT, and Trickbot. These malware families help threat actors gain control of affected devices and deliver ransomware or other payloads.
MSTIC said the technique was used in a spear-phishing attack by the notorious NOBELIUM, the threat actor behind the nation-state cyberattack on SolarWinds.
How HTML smuggling works
What is HTML smuggling?
Usually, a malware payload crosses the network when someone opens a malicious attachment or clicks a malicious link, which gives email and web filters a chance to inspect it. With HTML smuggling, the payload is instead assembled locally on the host by the HTML file itself, so it bypasses email filters, which usually look for malicious attachments rather than for an HTML file that builds one.
HTML smuggling isn’t new, but MSTIC notes that many cybercriminals are embracing its use in their own attack campaigns. "Such adoption shows how tactics, techniques, and procedures (TTPs) trickle down from cybercrime gangs to malicious threat actors and vice versa ... It also reinforces the current state of the underground economy, where such TTPs get commoditized when deemed effective."
Staying secure against HTML smuggling attacks
A layered approach to security is needed to defend successfully against HTML smuggling. Microsoft suggests killing the attack chain before it even begins. Start by checking for common characteristics of HTML smuggling campaigns, applying behavior rules that look for:
- an HTML file containing suspicious script
- an HTML file that obfuscates JavaScript
- an HTML file that decodes Base64-encoded JavaScript
- a ZIP file email attachment containing JavaScript
- a password-protected attachment
Organizations should also configure their endpoint security products to block:
- Running potentially obfuscated scripts
- Executable files from running "unless they meet a prevalence, age, or trusted list criterion"
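The behavior rules listed above can be turned into a simple attachment triage step at the mail gateway. The following Python script is an added example, not code from Microsoft or from the article: it scans an HTML attachment for the indicators the rules describe (inline script, Base64-decoding calls, obfuscation primitives, a large Base64 blob, a download attribute) and inspects a ZIP attachment for script members and the password-protection flag. The indicator set, the regular expressions, the two-indicator quarantine threshold and the sample attachments are all assumptions constructed for illustration; the suspicious sample's Base64 blob decodes to plain text, not to a payload.

```python
import base64
import io
import re
import zipfile

# Hypothetical indicator set for this example, not Microsoft's rule set.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
DECODE_CALLS = re.compile(r"\b(atob|unescape|decodeURIComponent)\s*\(")
OBFUSCATION_PRIMITIVES = re.compile(r"String\.fromCharCode|\\x[0-9a-fA-F]{2}|\beval\s*\(")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long run of Base64 characters
DOWNLOAD_ATTR = re.compile(r"<a\b[^>]*\bdownload\b", re.IGNORECASE)
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")


def inspect_html(html: str) -> list[str]:
    """Return the smuggling indicators found in one HTML attachment."""
    findings = []
    scripts = SCRIPT_BLOCK.findall(html)
    if scripts:
        findings.append("inline_script")
    script_text = "\n".join(scripts)
    if DECODE_CALLS.search(script_text):
        findings.append("base64_decode_call")
    if OBFUSCATION_PRIMITIVES.search(script_text):
        findings.append("obfuscated_js")
    if BASE64_BLOB.search(html):
        findings.append("large_base64_blob")
    if DOWNLOAD_ATTR.search(html):
        findings.append("download_attribute")
    return findings


def inspect_zip(data: bytes) -> dict:
    """Report script members and password protection inside a ZIP attachment."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    return {
        "script_members": [i.filename for i in infos
                           if i.filename.lower().endswith(SCRIPT_EXTENSIONS)],
        # Bit 0 of the general-purpose flag is set on encrypted (password-protected) entries.
        "encrypted": any(i.flag_bits & 0x1 for i in infos),
    }


def verdict(findings: list[str]) -> str:
    """Assumed policy: two or more indicators is enough to quarantine for analyst review."""
    return "quarantine" if len(findings) >= 2 else "allow"


# Constructed sample attachments (not captured from any campaign).
BENIGN_HTML = "<html><body><h1>Invoice</h1><p>Thanks for your order.</p></body></html>"

# The blob decodes to harmless repeated text; it only exercises the length check.
_INERT_BLOB = base64.b64encode(b"constructed inert sample text " * 10).decode()
SUSPICIOUS_HTML = f"""<html><body>
<script>var d = atob("{_INERT_BLOB}"); var s = String.fromCharCode(72);</script>
<a download="report.txt">open</a>
</body></html>"""


def build_sample_zip() -> bytes:
    """Build an in-memory ZIP with one .js member, as a constructed sample attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.js", "// constructed placeholder, not a real script\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        found = inspect_html(sample)
        print(f"{name}: {found} -> {verdict(found)}")
    print("zip:", inspect_zip(build_sample_zip()))
```

Each indicator on its own is weak (plenty of legitimate pages decode Base64 or carry a download attribute), which is why the verdict combines them; in production the same findings would feed the gateway's scoring rather than a hard block, and the ZIP checks would be applied to nested archives as well.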