
HTML smuggling: Fresh attack technique increasingly being used to target banking sector


Jessica Haworth

12 November 2021 at 15:08 UTC

Updated: 17 November 2021 at 08:08 UTC

Evasive malware is being spread via email in campaigns similar to those of nation-state actors

A new attack technique known as ‘HTML smuggling’, which spreads malware via email, is increasingly targeting banking organizations, Microsoft has claimed.

The attack vector, which surfaced earlier this year, is described by the tech giant as “a highly evasive malware delivery technique” that leverages legitimate HTML5 and JavaScript features to obscure its true actions.

Microsoft said that in recent months, it has witnessed the attack targeting banks via email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads.


A blog post from the vendor explains that it first identified HTML smuggling techniques being deployed back in May, when it was used by nation-state attackers APT29, aka Nobelium, during a spear-phishing campaign.

“More recently, we have also seen this technique deliver the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected devices and deliver ransomware payloads and other threats,” Microsoft detailed.

The attack

HTML smuggling attacks enable a malicious actor to “smuggle” an encoded script within a specially crafted HTML attachment or web page.

If the target opens the HTML in their web browser, the malicious script is decoded and the payload is deployed on their device.

“Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall,” the blog explains.

HTML smuggling attacks bypass standard perimeter security controls, such as web proxies and email gateways, that often only check for suspicious attachments – EXE, ZIP, or DOCX files, for example – or traffic based on signatures and patterns.

The malicious files are also created after the HTML file is loaded on the endpoint through the browser, meaning that security tools may only see what they deem to be legitimate HTML content and JavaScript traffic before it’s too late.
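Because the gateway only ever sees HTML and JavaScript, a useful first-pass control is to inspect HTML attachments for the combination that defines the technique: a large embedded encoded blob plus the browser features that turn it into a file on the endpoint. The scanner below is an added example written for this article; it is not code from Microsoft or from the campaigns described. The indicator names, the scoring thresholds and both sample attachments are constructed assumptions for illustration.

```python
"""Heuristic scanner for HTML smuggling indicators in email attachments.

Added example, not from the article or Microsoft. Scores an HTML attachment
on (a) browser APIs used to assemble a file client-side and (b) the presence
of a large base64 blob, which is how the payload is carried past the gateway.
"""
import re
from dataclasses import dataclass, field

# Legitimate HTML5/JavaScript features that, combined, let a page decode data
# and hand it to the user as a download. Names are assumed indicator labels.
INDICATORS = {
    "decode_b64":     re.compile(r"\batob\s*\("),
    "blob_object":    re.compile(r"\bnew\s+Blob\s*\("),
    "object_url":     re.compile(r"\bURL\.createObjectURL\s*\("),
    "download_attr":  re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "ms_save_blob":   re.compile(r"\bmsSaveOrOpenBlob\s*\("),
    "charcode_build": re.compile(r"\bString\.fromCharCode\s*\("),
}

# A long run of base64 characters: the smuggled, still-encoded payload.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

HTML_EXTENSIONS = (".html", ".htm", ".xhtml", ".shtml")


@dataclass
class ScanResult:
    hits: list = field(default_factory=list)
    blob_bytes: int = 0
    score: int = 0
    verdict: str = "clean"


def scan_html(html: str) -> ScanResult:
    """Return indicator hits, blob size and a block/review/clean verdict."""
    r = ScanResult()
    for name, pattern in INDICATORS.items():
        if pattern.search(html):
            r.hits.append(name)
    r.blob_bytes = sum(len(b) for b in B64_BLOB.findall(html))

    # Assumed weights: each API hit counts 2, a large blob counts 3, and the
    # core pairing (decode + client-side file assembly) adds a further 3.
    r.score = 2 * len(r.hits)
    if r.blob_bytes >= 200:
        r.score += 3
    if "decode_b64" in r.hits and ("blob_object" in r.hits or "object_url" in r.hits):
        r.score += 3

    if r.score >= 8:
        r.verdict = "block"
    elif r.score >= 4:
        r.verdict = "review"
    return r


def scan_attachment(filename: str, data: bytes) -> ScanResult:
    """Gateway hook: only HTML-typed attachments are scored; others pass through
    to whatever existing EXE/ZIP/DOCX checks the gateway already runs."""
    if not filename.lower().endswith(HTML_EXTENSIONS):
        return ScanResult(verdict="not_html")
    return scan_html(data.decode("utf-8", errors="replace"))


# Constructed sample 1: an ordinary HTML newsletter. No file-assembly APIs.
BENIGN_HTML = """<html><body>
<h1>Monthly statement is ready</h1>
<p>Log in to the portal to view your statement.</p>
<script>document.getElementById('year').textContent = new Date().getFullYear();</script>
</body></html>"""

# Constructed sample 2: the shape of a smuggling attachment. The base64 is a
# harmless placeholder ("ABC" repeated), not a real payload.
SUSPICIOUS_HTML = """<html><body>
<script>
  var enc = "%s";
  var raw = atob(enc);
  var blob = new Blob([raw], {type: "application/octet-stream"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "statement.zip";
</script></body></html>""" % ("QUJD" * 80)


if __name__ == "__main__":
    for name, sample in (("newsletter.html", BENIGN_HTML), ("statement.html", SUSPICIOUS_HTML)):
        res = scan_attachment(name, sample.encode())
        print(f"{name}: verdict={res.verdict} score={res.score} hits={res.hits} blob={res.blob_bytes}")
```

Token matching of this kind is easy to evade with string splitting or other obfuscation, so treat a "clean" result as absence of evidence rather than a guarantee, and pair the gateway check with endpoint telemetry that sees the file actually being written by the browser.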


Microsoft has been tracking these attacks since at least May, when it identified the Nobelium campaign.

Since then, it notes, it has seen a number of attempts, such as an attack in July and August, when Microsoft said the “open-source intelligence (OSINT) community alerts” showed an uptick in HTML smuggling in campaigns that deliver remote access Trojans (RATs) such as AsyncRAT/NJRAT.

In September, researchers also witnessed an email campaign that leverages HTML smuggling to deliver Trickbot, a notorious banking trojan that has targeted global organizations and institutions in the education, healthcare, and finance industries in recent years.

Microsoft has attributed this Trickbot campaign to an “emerging, financially motivated cybercriminal group” it has named ‘DEV-0193’.


DEV-0193 is believed to target organizations primarily in the health and education industries, explained Microsoft.

The vendor said that the group “works closely with ransomware operators, such as those behind the notorious Ryuk ransomware”.

“After compromising an organization, this group acts as a fundamental pivot point and enabler for follow-on ransomware attacks. They also often sell unauthorized access to the said operators.

“Thus, once this group compromises an environment, it’s highly likely that a ransomware attack will follow,” Microsoft claims.

The Microsoft blog contains more technical detail on the DEV-0193 campaign.
