The highly evasive attack method is increasingly being used in targeted email campaigns to deliver various malware, according to the Microsoft. HTML smuggling allows an attacker to ‘smuggle’ an encoded malicious script into a specially designed HTML attachment or web browser, as the name implies.
One of the more prominent attack campaigns using the approach was observed in May, when the notorious Nobelium APT group launched a major spear-phishing campaign to spread the Cobalt Strike Beacon, according to Microsoft. Government agencies, consultants, and private firms from 24 nations were among the targets.
There has been an increase in the use of the attack method since then.
Adversaries employed HTML smuggling attacks to deploy AsyncRAT/NJRAT in July and August, and deployed TrickBot in September, most likely by DEV-0193, an emerging financially driven cybercrime gang.
So, what does this mean?
Traditional security measures are challenged by HTML smuggling. The rise in the usage of this technique in email campaigns, according to researchers, is an example of how attackers are constantly upgrading their evasive tactics.
The emergence and adoption of such evasion tactics also shed light on the current state of the underground economy, where TTPs become commoditized once they are proven to be effective.
Staying Secure
By deactivating JavaScript in the browser, such attacks can be prevented. However, because many modern websites use Javascript, this would have a significant impact on the browsing experience. Users should be careful of phishing emails in the first place and avoid clicking on malicious links. Plugging unpatched security gaps also helps organizations in preventing cyberattacks.