Latest News

Analysis of a new HTML Smuggling campaign

Written by Vinay Pidathala, Director of Security Research, Menlo Security

Data breaches, malware, ransomware, Phishing and DDoS attacks are all on the rise. But now another type is quickly emerging.

We are seeing an increase in attackers using HTML Smuggling to get their malicious payloads to the endpoint. ISOMorph is one campaign that is taking advantage of this technique on the heels of Nobelium, the attackers behind SolarWinds, who used the same technique in their most recent spear phishing campaign.

Menlo Labs has identified malicious actors using the popular Discord app to host malicious payloads. The Remote Access Trojan (RAT) used in this campaign (AsyncRAT) has many capabilities that are used to evade, log passwords and exfiltrate data.  An enterprise that is infected with this RAT must assume that the goal of the attackers is the exfiltration of sensitive data.

1. HTML Smuggling, a technique fast gaining notoriety is used to drop the first stage dropper –malware samples that initially land on a victim’s machine before fetching a main payload. HTML Smuggling was also used in the most recent spear phishing campaign by the Nobelium group

2. The attack is multi-staged and checks and disables various anti-virus (AV) programs running on the endpoint

3. AsyncRAT/NJRAT is the Remote Access Trojan that gets installed on successfully compromised endpoints

4. Threat actors are using the popular Discord app to host malicious payloads in this campaign. This is important to note because Discord, a group chatting platform, reportedly has over 150 million active users who use the app to communicate over text and voice.

Last year, when many organisations and individuals shifted to remote ways of working, the browser became where most of our work happens. HTML Smuggling delivers malware by effectively bypassing various network security solutions including sandboxes, legacy proxies and firewalls. Attackers are using HTML Smuggling to deliver the payload to the endpoint because the browser is one of the weakest links without network solutions blocking it.

We have seen attackers leverage HTML Smuggling using both email attachments and web drive-by downloads.

HTML Smuggling is where the attackers construct the malicious payload programmatically on the HTML page using JavaScript, as opposed to making an HTTP request to fetch a resource on a web server. This technique is neither a vulnerability nor a design flaw in browser technologies and web developers use this technique often to optimise file downloads.

The attackers behind ISOMorph use a JavaScript code to construct the payload directly on the browser.

In a nutshell, the JavaScript code is creating an element ‘a,’ setting the href to the blob and programmatically clicking it to trigger the download to the endpoint. Once the payload is downloaded to the endpoint, the user must then open it to execute the malicious code.

What gets downloaded to the endpoint is an ISO file. Why an ISO file? ISO files are disk images that contain all the files or folders required to install software on endpoints. Attackers are always trying to test web and email gateway devices to see what file formats are exempt from inspection and incorporate that into their tactics, techniques and procedures. ISO file formats are preferred by attackers because they do not require any third party software to install.

We have identified various different malicious scripts that are being used.

ISOMorph achieves persistence by first creating a windows directory called “Microsoft Arts\Start” under “C:\Program Data\”. It then sets the registry key value under the “User Shell Folders” and “Shell Folders” to point to the directory previously created. The PowerShell then downloads a file called “Dicord.lnk” under “C:\Program Data\Microsoft Arts\Start\” directory.

The threat actors behind this particular campaign execute the malicious code by proxy, by injecting it into MSBUILD.exe. MS Build is a trusted process, so by injecting into MS Build, application whitelisting solutions are easily circumvented. The bad actors use reflection to load a DLL in memory and inject the RAT payload into MSBuild.exe. Reflection enables developers to obtain information about loaded DLLs and the types defined within them, invoke methods, etc. AV solutions usually look at any DLLs that get loaded by monitoring the LoadLibrary api. By reflectively loading the DLLs and invoking certain methods, malware authors can bypass the AVs. This directly maps to the Technique T1127.001 in the MITRE ATT&CK framework.

Command & Control:

As seen from the previous step, a method (WpfControlLibary1.LOGO.hahaha) in the .NET RAT payload is called to start the AsyncRAT functionality. AsyncRAT encrypts its config using AES. The Base64 strings are the encrypted config for the RAT. Upon decryption using the hardcoded AES key, we can see the CnC server host/port, version, and other settings for the RAT.

Threat Actor and campaign information:

NJRAT/AsyncRAT is the Remote Access Trojan that gets dropped to the endpoint. While this RAT family has been used by many different attackers and threat actors over the years, it was predominantly used to compromise high value targets in the Middle East. While these groups have used the RAT, it does not mean that these groups are behind this specific campaign.

Attackers are constantly testing out newer methods to get their payloads to the endpoint. We have noticed an increase in them using HTML Smuggling for their initial access. This technique is gaining popularity because attackers can get their payloads to the endpoint bypassing all network inspection and analysis tools. Also, since the payload is constructed on the browser directly, there is a gap in logging and visibility for SIEM and EDR tools. We believe that knowing and understanding the initial access methods is critical to prevention, detection and response strategy and to plugging that hole.