Hackers Applying HTML Smuggling To Distribute Malware

Another latest spam E-mail operation, which abused a technique named “HTML smuggling” to circumvent E-mail security measures and transmit malware on users’ devices, was identified by Microsoft’s security team. This campaign has been going on for weeks. 

Microsoft Corporation is an international American technology firm that develops computer software, consumer devices, computers, and associated services. 

HTML smuggling is a method used to overcome security systems by malicious HTML generation behind the firewall – in the browser at the targeted endpoint. 

Sandboxes, proxies, and sandboxes leveraging HTML5 and JavaScript characteristics bypass the conventional network security methods such as E-mail scanners. This is by producing the destructive HTML code on the target device in the browser that is already located within the network security perimeter. 

Typically network security solutions work by analyzing the ‘wire’ or information flows from the network to search for identified malware signatures and trends within the byte stream. The destructive payloads are built on the target device in the browser through the use of HTML smuggling so that no items are passed to the network’s security systems for detection. 

The underlying concept behind an HTML email-based counterfeits is to include a link to an email document, which does not look harmful if it is scanned, or to a file type that email security programs, like EXE, DOC, MSI, and others, deem to be harmful. 

Furthermore, it does employ certain HTML elements, such as “href” and “download,” as well as JavaScript code, while accessing the URL for an assembled harmful file within the browser. 

This approach isn’t new and has been known since the mid-2010s, theoretically and malware programmers have used it from at least 2019 and have been detected throughout 2020. 

Microsoft stated in a series of tweets on Friday that it tracked an e-mail spam campaign that lasted weeks abusing HTML smuggling to put a destructive ZIP file on machines. 

Files in the ZIP file, unfortunately, infect the users with the banking trojan Casbaneiro (Metamorfo). Casbaneiro is indeed a traditional Latin American bank Trojan that focuses on Brazilian and Mexican banks and cryptocurrency services. It leverages the method of social engineering, which displays false pop-up windows. These pop-ups attempt to entice potential victims to provide critical information; this information is stolen if it succeeds. 

Although Microsoft has announced that Microsoft Defender for Office 365 might recognize HTML-contracted files, OS maker raises a warning on Friday for customers who are not their clients or those who are unaware of the technology or do not have email security devices that scan incoming emails.