Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label HTML smuggling. Show all posts
WinRAR
HTML HTML smuggling Malware. HP Microsoft MS Office WinRAR

Threat Actors Prefer Archive Files for Deploying Malware Infections


Hackers prefer archive files, not MS Office

Archive files like .zip and .rar formats are now popular ways of distributing malware infections. HP Wolf Security report findings conclude that MS office documents weren't the most popular file format used in malware attacks. The company's third-quarter report reveals that archive files showed a 42% attack share, whereas Office recorded a 40% share. 

The report also noticed a sharp rise in popularity for archives, as the formats have seen their usage increase up to 22% since the first quarter of the year. As per the HP Wolf Security team, hackers prefer archive files because they are difficult to detect. 

"Archives are attractive to threat actors because they are easily encrypted, making them difficult for web proxies, sandboxes, and email scanners to detect malware. Moreover, many organizations use encrypted archives for legitimate reasons, making it challenging to reject encrypted archive email attachments by policy," the report said. 

Rise in HTML Smuggling Attacks

Besides the increase in archive files, HP Wolf Security logged a rise in "HTML smuggling" attacks, which, likewise, can escape security measures by using common file types. 

In this case, the user is sent a malicious PDF file containing loads of HTML. When opened, the PDF redirects the user to a fake downloader page for a common reader like Adobe Acrobat. After this, the page attempts to offer an archive file containing the actual malware payload. 

Threat actors prefer Qakbot malware strain

The researchers found that one group in particular, "Qakbot", favors the HTML smuggling technique to get its malware into the end user machines. The group, which went on a rampage during the summer, has restarted its activities. 

Qakbot is a highly effective malware strain that has been used by hackers to steal data and deploy ransomware. Most of these rising campaigns depend on HTML, aiming to compromise systems, moving away from malicious Office documents as the standard delivery method for the malware strain. 

At last, the team discovered that a traditional approach to ransomware is making a comeback. Magniber, aka  "single client ransomware" operation, profits not by attacking big organizations and asking multi-million dollar ransoms but instead it seeks individual PCs, locking up the data and asking users for a $2,500 payout.

The method goes back to the early times of ransomware when individual systems were attacked en masse with hopes of achieving a greater number of successful infections and ransom payments. 

Alex Holland, a senior malware analyst at HP said:

"Every threat actor has a different set of capabilities and resources that factor into what tactics, techniques, and procedures they use. Targeting individuals with single-client ransomware like Magniber requires less expertise, so this style of attack may appeal to threat actors with fewer resources and know-how who are willing to accept lower ransoms from victims"


Read more »
Threat actors
Cyber Attacks HTML smuggling JavaScript Microsoft Phishing Campaign Threat actors

Microsoft Issued a Warning About a Rise in HTML Smuggling Phishing Attacks

 

Malware campaigns that use HTML smuggling to transmit banking malware and remote access trojans (RAT) have increased, according to Microsoft. While HTML smuggling is not a new tactic, it is increasingly being employed by threat actors to avoid detection, such as the Nobelium hacking organization behind the SolarWinds attacks. 

HTML smuggling is a nasty method that gets through traditional network perimeter security measures like web proxies and email gateways because the malware is created within the network after an employee opens a web page or attachment that contains a malicious HTML script. As a result, even if gateway devices check for suspicious EXE, ZIP, or Office documents, a company's network can be compromised. 

"When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall," Microsoft warns. 

HTML smuggling is a phishing method that uses HTML5 and JavaScript to encrypt strings in an HTML attachment or webpage to hide harmful payloads. When a user opens an attachment or clicks a link, the browser decodes these strings. A phishing HTML attachment, for example, could include a harmless link to a well-known website, making it appear non-malicious. When a user clicks on the link, however, JavaScript decodes an encrypted or encoded string in the link and converts it into a harmful attachment that is downloaded instead. 

Because the malicious payload is encoded at first, security software does not recognize it as harmful. Furthermore, because JavaScript assembles the payload on the target machine, it gets around any firewalls and security measures that would normally stop the malicious file from getting past the perimeter. 

"Disabling JavaScript could mitigate HTML smuggling created using JavaScript Blobs. However, JavaScript is used to render business-related and other legitimate web pages," Microsoft explains. "In addition, there are multiple ways to implement HTML smuggling through obfuscation and numerous ways of coding JavaScript, making the said technique highly evasive against content inspection." Between July and August, Microsoft discovered an increase in HTML smuggling in campaigns that transmit RATs like AsyncRAT/NJRAT.
Read more »
Microsoft
Casbaneiro HTML smuggling malware Microsoft

Hackers Applying HTML Smuggling To Distribute Malware

 

Another latest spam E-mail operation, which abused a technique named "HTML smuggling" to circumvent E-mail security measures and transmit malware on users' devices, was identified by Microsoft's security team. This campaign has been going on for weeks. 

Microsoft Corporation is an international American technology firm that develops computer software, consumer devices, computers, and associated services. 

HTML smuggling is a method used to overcome security systems by malicious HTML generation behind the firewall - in the browser at the targeted endpoint. 

Sandboxes, proxies, and sandboxes leveraging HTML5 and JavaScript characteristics bypass the conventional network security methods such as E-mail scanners. This is by producing the destructive HTML code on the target device in the browser that is already located within the network security perimeter. 

Typically network security solutions work by analyzing the 'wire' or information flows from the network to search for identified malware signatures and trends within the byte stream. The destructive payloads are built on the target device in the browser through the use of HTML smuggling so that no items are passed to the network's security systems for detection. 

The underlying concept behind an HTML email-based counterfeits is to include a link to an email document, which does not look harmful if it is scanned, or to a file type that email security programs, like EXE, DOC, MSI, and others, deem to be harmful. 

Furthermore, it does employ certain HTML elements, such as "href" and "download," as well as JavaScript code, while accessing the URL for an assembled harmful file within the browser. 

This approach isn't new and has been known since the mid-2010s, theoretically and malware programmers have used it from at least 2019 and have been detected throughout 2020. 

Microsoft stated in a series of tweets on Friday that it tracked an e-mail spam campaign that lasted weeks abusing HTML smuggling to put a destructive ZIP file on machines. 

Files in the ZIP file, unfortunately, infect the users with the banking trojan Casbaneiro (Metamorfo). Casbaneiro is indeed a traditional Latin American bank Trojan that focuses on Brazilian and Mexican banks and cryptocurrency services. It leverages the method of social engineering, which displays false pop-up windows. These pop-ups attempt to entice potential victims to provide critical information; this information is stolen if it succeeds. 

Although Microsoft has announced that Microsoft Defender for Office 365 might recognize HTML-contracted files, OS maker raises a warning on Friday for customers who are not their clients or those who are unaware of the technology or do not have email security devices that scan incoming emails.
Read more »
Subscribe to: Posts (Atom)