An old evasion technique called HTML smuggling attack is gaining traction among cyberattackers seeking ingenious ways to stealthily deliver malware.
The technique helps threat actors circumvent network security tools by abusing browser components such as the features in HTML5 and JavaScript code to deliver malicious payloads. The success of the attack techniques relies on the specially crafted emails sent to the victims rather than exploiting a vulnerability or design flaw in the browser.
A peek at the latest HTML Smuggling campaigns
Researchers from Menlo Security shared details about a new attack campaign called ISOMorph.
The HTML smuggling technique was used in the initial stage of the infection process to gain access to victims’ computers and unleash a malware dropper that results in the download of a variety of RATs, such as AsyncRAT or NJRAT.
Toward the end of July, the research team from Microsoft also spotted a week-long email spam campaign that leveraged the HTML smuggling attack to deliver malware to users’ devices. The final stage of the campaign delivered a trojan named Casbaneiro (Metamorfo) onto the victims’ machine.
A growing threat
Researchers claim that the re-emergence of HTML smuggling can be linked to the global increase in remote work owing to the pandemic lockdown.
This technique is gaining popularity because attackers can get their payloads to the endpoint while bypassing all network inspection and analysis tools.
Additionally, since the payload is built directly on the browser, it is nearly impossible for traditional security solution systems to detect.
The SolarWinds supply chain is one of the recent high-profile attacks that indicate the scope of the use of the attack method.
Bottom line
Attackers are constantly testing different methods to get their payloads to endpoints. Therefore, it is strongly recommended that enterprises know and understand the initial point of access to build a strong detection and prevention strategy. This also includes plugging the unpatched security holes.