Microsoft has seen an increase in malware campaigns using HTML smuggling to distribute banking malware and Remote Access Trojans (RATs).
While HTML smuggling is not a new technique, Microsoft is seeing it increasingly used by threat actors to evade detection, including the Nobelium hacking group behind the SolarWinds attacks.
How HTML Smuggling Works
HTML smuggling is a technique used in phishing campaigns that relies on HTML5 and JavaScript to hide malicious payloads in encoded strings inside an HTML attachment or web page. The browser decodes these strings when a user opens the attachment or clicks a link.
For example, a phishing HTML attachment might include a harmless-looking link to a known website, and therefore would not be considered malicious. However, when the user clicks the link, JavaScript decodes an embedded encrypted or encoded string and turns it into a malicious file, which is downloaded instead, as shown in the code below.

Source: Microsoft
Because the malicious payload is initially encrypted or encoded, it appears harmless to security software and is not flagged as malicious. Additionally, because JavaScript assembles the payload on the target system, it bypasses firewalls and perimeter defenses that would typically intercept the malicious file in transit.
Source: Microsoft
Use in Attacks
Microsoft researchers have seen this technique used in Mekotio campaigns that deliver banking Trojans, and also in highly targeted NOBELIUM attacks.
HTML smuggling campaigns are also used to drop the AsyncRAT or NJRAT remote access Trojans, or the TrickBot Trojan used to breach networks and deploy ransomware.
Attacks typically start with a phishing email with an HTML link in the body of the message or a malicious HTML file attached.
Clicking either one drops a ZIP file via HTML smuggling. This archive contains a JavaScript downloader that fetches additional files from a command and control (C2) server and installs them on the victim's device.
In some cases, the dropped archive is password-protected for additional evasion of endpoint security checks. The password needed to open it is supplied in the original HTML attachment, so the victim has to enter it manually.

Source: Microsoft
Once the script is launched, a Base64-encoded PowerShell command is executed that downloads and installs the TrickBot Trojan or other malware.
A 2020 report by Menlo Security also mentions the Duri malware group as one of the players actively using HTML smuggling for payload distribution, but the technique has been seen in the wild since at least 2018.
Microsoft initially warned of a sudden increase in this activity in July 2021, urging administrators to defend against it.
How to Defend Against HTML Smuggling
Microsoft suggests that administrators use behavioral rules to check for common characteristics of HTML smuggling, including:
- An attached ZIP file contains JavaScript
- An attachment is password protected
- HTML file contains suspicious script code
- An HTML file decodes Base64 content or obfuscates JavaScript
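The following PowerShell script is an added example, not code from Microsoft's report, showing how the mail-side characteristics above (Base64 decoding, script-assembled downloads, long encoded strings) can be turned into a heuristic scan of quarantined HTML attachments. The folder path is an assumption; the indicator patterns are starting points to tune against your own mail flow.

```powershell
# Added example (not from the Microsoft report): heuristic scan of HTML
# attachments for the HTML smuggling traits listed above.
$AttachmentDir = 'C:\Quarantine\HtmlAttachments'   # assumed quarantine path

# Patterns for the traits the article calls out: Base64 decoding in script,
# script-built downloads, and long encoded strings that carry the payload.
$Indicators = @{
    'atob-decode'      = 'atob\s*\('
    'blob-download'    = 'URL\.createObjectURL|msSaveOrOpenBlob|new\s+Blob\s*\('
    'download-attr'    = '\.download\s*=|download\s*=\s*["'']'
    'long-base64'      = '[A-Za-z0-9+/]{400,}={0,2}'
    'eval-or-unescape' = '\beval\s*\(|unescape\s*\('
    'zip-magic-in-b64' = 'UEsDB'   # "PK\x03\x04" ZIP header once Base64-encoded
}

function Test-HtmlSmugglingIndicators {
    param([Parameter(Mandatory)][string]$Path)
    $content = Get-Content -Path $Path -Raw
    $hits = foreach ($name in $Indicators.Keys) {
        if ($content -match $Indicators[$name]) { $name }
    }
    [pscustomobject]@{
        File       = $Path
        Indicators = (@($hits) -join ', ')
        Score      = @($hits).Count
    }
}

# Two or more indicators in one file is a reasonable triage threshold;
# a single long Base64 string alone is common in legitimate inline images.
Get-ChildItem -Path $AttachmentDir -Include *.html, *.htm -Recurse -File |
    ForEach-Object { Test-HtmlSmugglingIndicators -Path $_.FullName } |
    Where-Object { $_.Score -ge 2 } |
    Sort-Object Score -Descending |
    Format-Table -AutoSize
```

The `zip-magic-in-b64` pattern catches the case the article describes (a Base64 string that decodes to a ZIP archive) without decoding anything; the remaining patterns flag the JavaScript that would decode and save such a string in the browser.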
For endpoints, administrators should block or audit activities associated with HTML smuggling, including:
- Prevent JavaScript or VBScript from launching downloaded executable content
- Block execution of potentially obfuscated scripts
- Block executable files from running unless they meet a prevalence, age, or trusted list criteria
In addition to the above, users can prevent JavaScript code from running automatically by associating .js and .jse files with a text editor like Notepad.
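As an added example (not from Microsoft's report), the PowerShell below applies the three endpoint controls above as Microsoft Defender attack surface reduction (ASR) rules in audit mode, reviews what they would have blocked, and audits the `.js`/`.jse` file handlers discussed in the previous paragraph. The rule GUIDs are the ones Microsoft documents for those rules; confirm them against the current ASR reference before deployment. It assumes an administrative PowerShell session on a Windows 10/11 host running Microsoft Defender Antivirus.

```powershell
# Added example (not from the Microsoft report): endpoint controls for
# HTML smuggling payloads. Run as administrator with Defender Antivirus active.

# ASR rule GUIDs as documented by Microsoft for the three controls named
# in the article; verify against the current ASR rule reference.
$AsrRules = [ordered]@{
    'Block JS/VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block execution of potentially obfuscated scripts'             = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block executables unless prevalence/age/trusted-list criteria'  = '01443614-CD74-433A-B99E-2ECDC07BFC25'
}

# Start in audit mode so legitimate admin scripts are not broken on day one;
# switch the action to 'Enabled' once the audit events look clean.
Add-MpPreference -AttackSurfaceReductionRules_Ids     @($AsrRules.Values) `
                 -AttackSurfaceReductionRules_Actions @('AuditMode', 'AuditMode', 'AuditMode')

# Confirm the configured state (actions: 0=Disabled, 1=Block, 2=Audit, 6=Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  ->  {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                       $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Review ASR hits from the last week: event 1122 = audited (would have been
# blocked), event 1121 = blocked. A JScript downloader dropped by a smuggled
# ZIP would show up here when it tries to launch what it fetched from C2.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# Audit which program handles .js/.jse: a WScript/CScript handler means a
# double-clicked downloader executes; notepad.exe means it merely opens as text.
foreach ($ext in '.js', '.jse') {
    $progId = (cmd /c "assoc $ext" 2>$null) -replace '^.*=', ''
    if ($progId) { cmd /c "ftype $progId" }
}
# To point both handlers at Notepad system-wide (per-user UserChoice
# associations, where present, still take precedence):
# cmd /c 'ftype JSFile="%SystemRoot%\system32\notepad.exe" "%1"'
# cmd /c 'ftype JSEFile="%SystemRoot%\system32\notepad.exe" "%1"'
```

Keeping the rules in audit mode for a week and reading the 1122 events first shows which internal scripts the block would interrupt, which is the usual reason these rules never get turned on.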
Ultimately, the best defense is to train users not to open files downloaded via links in emails or email attachments. All files downloaded from an email should be treated with caution and checked thoroughly before being opened.
Additionally, if an email attachment or link downloads a file that ends with a .js (JavaScript) extension, it should never be opened and should be deleted immediately.
Unfortunately, Windows hides file extensions by default, so in many cases the extension is not visible. Users are therefore advised to enable the display of file extensions so that such files can be recognized before they are opened.