


    Security Made Simple - Prevent HTML Smuggling Attacks

    By BUFFERZONE Team, 7/09/2023

    Target: Consumers

    Tags: Zero-Trust, Isolation, Policy, Trust No File

    HTML smuggling [3] is a technique adversaries use to deliver malicious payloads to a target’s system by exploiting HTML5 features and JavaScript to bypass content filters and traditional security defenses. The notorious Microsoft Office Macro-based attacks may have overshadowed these attacks, but recent data shows a considerable rise in HTML smuggling usage.

    In recent years, HTML smuggling has seen a significant uptick, especially in highly targeted sectors like banking. Not only is this technique highly evasive, but it also uses standard features of HTML5, which makes it challenging to detect and mitigate. Microsoft has noted a surge in such attacks, citing its widespread use in banking malware and targeted campaigns [1]. Recently, the Nokoyawa ransomware [2] exploited this technique to infect endpoints with ransomware. The gang switched their infection strategy from a Microsoft Office macro-based Excel file to an HTML smuggling-based attack [3].

    When the user accessed the HTML file [1], they were greeted with a counterfeit Adobe interface prompting a ZIP file download. The ZIP was password-protected, serving as a shield against automated security checks. Hidden within the ZIP was an ISO file, which in turn contained the core malware. The only file visible to the user was an LNK file disguised as a document.

    Clicking the LNK file triggered a sequence of operations, including the transfer of rundll32 and a rogue DLL from the ISO to the system, followed by the malware’s execution. This process facilitated a connection to IcedID’s command and control servers while the user was distracted with an authentic-looking financial document image. Finally, executing the nefarious DLL initiated a persistent presence on the host system by setting up a scheduled task.
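As an added defensive example (not BUFFERZONE's code), the heuristic below flags HTML attachments that carry the client-side building blocks the HTML stage above relies on: a base64 payload decoded in the browser, assembled into a Blob and handed over as a download. Indicator names, weights and the threshold are assumptions of this example, and both sample documents are constructed.

```python
"""Heuristic scanner for HTML smuggling indicators in HTML attachments.

Added example, not BUFFERZONE code. It looks for the HTML5/JavaScript building
blocks the technique relies on: a payload embedded as a base64 literal and
decoded client-side (atob), assembled into a Blob, turned into an object URL
and handed to the browser as a download. Indicator names, weights and the
threshold are assumptions chosen for this example.
"""
import re

# (name, pattern, weight); weights are assumptions, not a vendor scoring model.
INDICATORS = [
    ("base64_decode", re.compile(r"\batob\s*\("), 2),
    ("blob_assembly", re.compile(r"\bnew\s+Blob\s*\("), 2),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\("), 2),
    ("ie_save_blob", re.compile(r"msSaveOrOpenBlob\s*\("), 2),
    ("download_attr", re.compile(r"<a\b[^>]*\bdownload\s*=", re.I), 1),
    ("programmatic_click", re.compile(r"\.click\s*\(\s*\)"), 1),
    ("large_b64_literal", re.compile(r"""['"][A-Za-z0-9+/]{500,}={0,2}['"]"""), 3),
]


def scan_html(html: str, threshold: int = 5) -> dict:
    """Score an HTML document; 'suspicious' is True once the score reaches threshold."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= threshold}


# Constructed samples. The "payload" is filler text, not a real file.
BENIGN_HTML = """<html><body><h1>Invoice</h1>
<a href="/docs/invoice.pdf" download="invoice.pdf">Download PDF</a>
<script>document.title = "Invoice";</script></body></html>"""

SUSPICIOUS_HTML = """<html><body><p>Loading Adobe viewer...</p><script>
var blob = new Blob([atob("PAYLOAD_B64")]);
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "document.zip"; a.click();
</script></body></html>""".replace("PAYLOAD_B64", "QUJD" * 200)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, scan_html(doc))
```

A single `download` attribute on a normal link scores below the threshold, while the decode-assemble-download chain crosses it; tune the weights against your own mail flow before acting on the verdict.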


    While Microsoft Office Macro attacks had been the go-to for many threat actors, the rise of HTML smuggling indicates a shift in the landscape. As attackers evolve and adapt to security measures, it is paramount for organizations and individuals alike to stay informed and prepared. Therefore, organizations should consider alternative security offerings such as zero-trust application isolation.

    Security made simple with BUFFERZONE® Safe Workspace™

    BUFFERZONE Safe Workspace™ is a suite of prevention capabilities based on application isolation technology that includes Safe Browsing, SafeBridge® (Content Disarm and Reconstruction capabilities), and Safe Removable (USB attack prevention), all combined with clipboard security. The Safe Workspace™ virtual container is created by a kernel driver, which virtually separates the operating system into two logical zones. The first is the trusted zone, which is connected to all the organization’s networks and the operating system’s files. The second is the untrusted zone, which acts as a buffer zone where applications can run securely, isolated from the trusted zone’s memory, files, registry, and processes. This method offers advantages such as a low CPU and memory footprint, a high quality of experience, and the ability to work seamlessly inside the virtual container without noticing that you are protected from browsing and USB threats. BUFFERZONE® is the only virtual containment solution based on six patented technologies.

    With the BUFFERZONE Email Security Outlook plugin, each link and attachment is opened inside the secure, untrusted, isolated environment. The HTML smuggling attachment would still be downloaded, but its second stage cannot execute outside the container. Third-party EDR or anti-virus products can scan the untrusted zone and detect the malicious activity that BUFFERZONE prevented.

    In conclusion, cybersecurity detection is extraordinarily complex, while adversaries can test their attacks against leading solutions before launching them. Therefore, detection (trust-based) will fail, and a zero-trust solution based on prevention can simplify and increase endpoint security.


    References

    [1] Microsoft Threat Intelligence, HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks, https://www.microsoft.com/en-us/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/

    [2] THE DFIR REPORT, HTML Smuggling Leads to Domain Wide Ransomware, https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/

    [3] MITRE ATT&CK, HTML Smuggling, https://attack.mitre.org/techniques/T1027/006/