Microsoft has seen an increase in malware campaigns using HTML smuggling to distribute banking malware and remote access Trojans (RATs).
While HTML smuggling is not a new technique, Microsoft is seeing it used increasingly by threat actors to evade detection, including the Nobelium hacking group behind the SolarWinds attacks.
How HTML Smuggling Works
Microsoft researchers have seen the technique used in Mekotio campaigns that deliver banking Trojans, and in highly targeted NOBELIUM attacks.
HTML smuggling campaigns are also used to drop the AsyncRAT and NJRAT remote access Trojans, or the TrickBot Trojan that is used to breach networks and deploy ransomware.
Attacks typically start with a phishing email that either carries an HTML link in the body of the message or has a malicious HTML file attached. The HTML itself contains no executable file: the payload, usually an archive, is embedded in the page as an encoded string, and JavaScript in the page decodes it and writes it to disk as a download when the victim opens the file. Nothing that looks like malware crosses the mail gateway or the network as a file.
In some cases the archive that is created is password protected, for additional evasion of endpoint security checks. The password is shown in the original HTML attachment, however, so the victim has to enter it manually.
Once the victim runs the script contained in the archive, a base64-encoded PowerShell command is executed that downloads and installs the TrickBot Trojan or other malware.
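The mechanism described above, as an added example that is not code from the article or from Microsoft's write-up. It builds a constructed smuggling attachment around a stand-in payload (a bare ZIP local-file header with the encrypted flag set, not a real archive), reproduces the browser-side decode step outside the DOM, and then shows the responder's view: pulling the embedded payload back out of the HTML without rendering it and identifying it from its magic bytes. Function names and the sample bytes are my own; it runs under Node.js.

```javascript
// Added example, not code from the article or from Microsoft's write-up.
// Shows the mechanism HTML smuggling relies on: the archive is carried
// inside the HTML as an encoded string and assembled by the victim's
// browser, so no file crosses the mail gateway. Runs under Node.js.

// Constructed stand-in for the password-protected archive: a bare ZIP
// local-file header (30 bytes) with the "encrypted" flag bit set. It is
// not a real archive and contains no file data.
const SAMPLE_ARCHIVE = Uint8Array.from([
  0x50, 0x4b, 0x03, 0x04, // "PK\3\4" local file header signature
  0x14, 0x00,             // version needed to extract
  0x01, 0x00,             // general purpose flags, bit 0 = encrypted
  0x08, 0x00,             // compression method (deflate)
  0x00, 0x00, 0x00, 0x00, // mod time, mod date
  0x00, 0x00, 0x00, 0x00, // crc32
  0x00, 0x00, 0x00, 0x00, // compressed size
  0x00, 0x00, 0x00, 0x00, // uncompressed size
  0x00, 0x00,             // file name length
  0x00, 0x00,             // extra field length
]);

// Attacker side: the payload bytes become a base64 literal inside a
// <script> that the browser decodes and hands to its download manager.
function buildSmugglingHtml(bytes, downloadName) {
  const b64 = Buffer.from(bytes).toString('base64');
  return [
    '<html><body><p>Your document is loading...</p><script>',
    `var data = "${b64}";`,
    'var bin = atob(data);',
    'var buf = new Uint8Array(bin.length);',
    'for (var i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);',
    "var blob = new Blob([buf], {type: 'application/octet-stream'});",
    "var a = document.createElement('a');",
    'a.href = URL.createObjectURL(blob);',
    `a.download = "${downloadName}";`,
    'document.body.appendChild(a); a.click();',
    '</script></body></html>',
  ].join('\n');
}

// Browser side, reproduced without a DOM: the decode step the smuggling
// script performs. atob() is global in Node.js 16+; older versions fall
// back to Buffer.
function reassemble(b64) {
  const bin = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('latin1');
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Responder side: recover the embedded payload from a suspect attachment
// without rendering it. Takes the longest base64-looking literal in the
// page; real samples may chunk or obfuscate the string, so this is a first
// pass, not a parser.
function extractEmbeddedPayload(html) {
  const literals = html.match(/[A-Za-z0-9+/]{24,}={0,2}/g) || [];
  if (literals.length === 0) return null;
  literals.sort((a, b) => b.length - a.length);
  return reassemble(literals[0]);
}

// Classify the recovered bytes by their magic number.
function identifyPayload(bytes) {
  if (!bytes || bytes.length < 4) return 'unknown';
  if (bytes[0] === 0x50 && bytes[1] === 0x4b && bytes[2] === 0x03 && bytes[3] === 0x04) {
    const encrypted = bytes.length >= 8 && (bytes[6] & 0x01) === 1;
    return encrypted ? 'zip (password-protected)' : 'zip';
  }
  if (bytes[0] === 0x4d && bytes[1] === 0x5a) return 'pe (MZ)';
  return 'unknown';
}

// End to end: build the attachment, pull the payload back out, identify it.
function demo() {
  const html = buildSmugglingHtml(SAMPLE_ARCHIVE, 'invoice.zip');
  return identifyPayload(extractEmbeddedPayload(html));
}

console.log(demo());
```

The point to take from the responder half is that a suspect HTML attachment can be triaged statically: decode the longest encoded literal and look at the first bytes. A ZIP with flag bit 0 set is the password-protected archive the text describes, and an MZ header means the page drops an executable directly.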
A 2020 report by Menlo Security also names the Duri malware campaign as one of the actors actively using HTML smuggling for payload delivery, and notes that the technique has been seen in the wild since at least 2018.
Microsoft first warned of a sudden rise in this activity in July 2021 and urged administrators to defend against it.
How to Defend Against HTML Smuggling
Microsoft suggests that administrators use behavioral rules to check incoming mail for common characteristics of HTML smuggling, including:
- An attachment is password protected
- HTML file contains suspicious script code
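A gateway-side triage function over the characteristics listed above, as an added example that is not from the article or from Microsoft's rule set. The indicator list, the weights and the thresholds are my own illustrative choices, and the three attachment bodies are constructed samples, not real mail. It runs under Node.js.

```javascript
// Added example, not from the article or from Microsoft's guidance: scores
// an HTML attachment body on indicators of HTML smuggling. Indicators,
// weights and thresholds are illustrative choices. Runs under Node.js.

const INDICATORS = [
  { name: 'base64 decode (atob)',      re: /\batob\s*\(/,                                      weight: 2 },
  { name: 'Blob construction',         re: /new\s+Blob\s*\(/,                                  weight: 2 },
  { name: 'object URL created',        re: /URL\.createObjectURL\s*\(/,                        weight: 2 },
  { name: 'forced download',           re: /\.download\s*=|\bdownload\s*=|msSaveOrOpenBlob/i,  weight: 2 },
  { name: 'script-triggered click',    re: /\.click\s*\(\s*\)/,                                weight: 1 },
  { name: 'encoded literal over 1 KB', re: /["'][A-Za-z0-9+/]{1024,}={0,2}["']/,               weight: 3 },
  { name: 'download named as archive or script',
    re: /download\s*=\s*["'][^"']*\.(zip|iso|img|js|jse|vbs|hta)["']/i,                        weight: 2 },
  { name: 'password given in the page', re: /password\s*(is|:)/i,                              weight: 2 },
];

// Score one attachment body. The matched indicator names are returned so
// an analyst can see why it scored, not just that it did.
function scoreHtmlAttachment(html) {
  const hits = INDICATORS.filter((ind) => ind.re.test(html));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  const verdict = score >= 8 ? 'block' : score >= 4 ? 'quarantine' : 'allow';
  return { score, verdict, hits: hits.map((ind) => ind.name) };
}

// Constructed samples, not real attachments.

// Ordinary marketing mail: links and an image, no script.
const NEWSLETTER = `<html><body><h1>Monthly update</h1>
<p>Read the full story on our site.</p>
<a href="https://example.com/news">Read more</a>
<img src="https://example.com/banner.png" alt="banner">
</body></html>`;

// Legitimate in-browser export. It uses the same download APIs, so it
// should land in review rather than be blocked outright.
const CSV_EXPORT = `<html><body><script>
var csv = "id,name\\n1,alice\\n";
var blob = new Blob([csv], {type: 'text/csv'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = "report.csv";
a.click();
</script></body></html>`;

// Smuggling pattern: a long encoded literal decoded into a Blob and saved
// as a ZIP, with the archive password shown to the victim in the page.
const SMUGGLED = '<html><body><p>The password is 2021</p><script>\n' +
  'var data = "' + 'A'.repeat(1200) + '";\n' +
  'var bin = atob(data);\n' +
  'var buf = new Uint8Array(bin.length);\n' +
  'for (var i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);\n' +
  "var blob = new Blob([buf], {type: 'application/octet-stream'});\n" +
  "var a = document.createElement('a');\n" +
  'a.href = URL.createObjectURL(blob);\n' +
  'a.download = "Invoice_2021.zip";\n' +
  'a.click();\n' +
  '</script></body></html>';

for (const [label, body] of Object.entries({ NEWSLETTER, CSV_EXPORT, SMUGGLED })) {
  console.log(label, JSON.stringify(scoreHtmlAttachment(body)));
}
```

Two caveats for anyone turning this into a real rule. The long-literal check is trivially defeated by splitting the string into chunks or building it with String.fromCharCode, so it should be one signal among several rather than the trigger. And because legitimate pages also build Blobs and force downloads, a tiered verdict (review the CSV export, block the one that also decodes a kilobyte-plus literal into a password-protected ZIP) keeps the false-positive cost manageable; the password-protected-attachment characteristic from the list above is checked on the archive itself, not on the HTML.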
For endpoints, administrators should block or audit the activity associated with HTML smuggling, using Microsoft Defender attack surface reduction (ASR) rules such as:
- Block execution of potentially obfuscated scripts
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Ultimately, the best defense is to train users not to open files that arrive as email attachments or are downloaded via links in emails. Every file that came from an email should be treated with caution and checked thoroughly before it is opened.
Unfortunately, Windows hides file extensions by default, so in many cases the extension of a downloaded file is not visible and a script can pass for a document. Users should therefore enable the display of file extensions so that malicious files are easier to recognise before they are opened.