Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

HTML smuggling: Fresh attack technique is being used to increasingly target banking sector

A new attack technique called ‘HTML smuggling’, which spreads malware via email, is increasingly targeting banking organizations, Microsoft has claimed.

The attack vector, which surfaced earlier this year, is described by the tech giant as “a highly evasive malware delivery technique” that leverages legitimate HTML5 and JavaScript features to obscure its true actions.

Microsoft said that in recent months, it has witnessed the attack targeting banks via email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads.

blog post from the vendor explains that it first identified HTML smuggling techniques being deployed back in May, when it was used by nation-state attackers APT29, aka Nobelium, during a spear-phishing campaign.

“More recently, we have also seen this technique deliver the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected devices and deliver ransomware payloads and other threats,” Microsoft detailed.

The attack

HTML smuggling attacks enable a malicious actor to “smuggle” an encoded script within a specially crafted HTML attachment or web page.

If the target opens the HTML in their web browser, the malicious script is decoded and the payload is deployed on their device.

“Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall,” the blog explains.

HTML smuggling attacks bypass standard perimeter security controls, such as web proxies and email gateways, that often only check for suspicious attachments – EXE, ZIP, or DOCX files, for example – or traffic based on signatures and patterns.

The malicious files are also created after the HTML file is loaded on the endpoint through the browser, meaning that security tools may only see what they deem to be legitimate HTML content and JavaScript traffic before it’s too late.

Timeline

Microsoft has been tracking these attacks since at least May, when it identified the Nobelium campaign.

Since then, it notes, it has seen a number of attempts such as an attack in July and August, when Microsoft said the “open-source intelligence (OSINT) community signals” showed an uptick in HTML smuggling in campaigns that deliver remote access Trojans (RATs) such as AsyncRAT/NJRAT.

In September, researchers also witnessed an email campaign that leverages HTML smuggling to deliver Trickbot, a notorious banking trojan that has targeted worldwide organizations and institutions in the education, healthcare, and finance industry in recent years.

Microsoft has attributed this Trickbot campaign to an “emerging, financially motivated cybercriminal group” it has named ‘DEV-0193’.

DEV-0193 is believed to target organizations primarily in the health and education industries, explained Microsoft.

Advertisement. Scroll to continue reading.

The vendor said that the group “works closely with ransomware operators, such as those behind the infamous Ryuk ransomware”.

“After compromising an organization, this group acts as a fundamental pivot point and enabler for follow-on ransomware attacks. They also often sell unauthorized access to the said operators.

“Thus, once this group compromises an environment, it is highly likely that a ransomware attack will follow,” Microsoft claims.

The Microsoft blog contains more technical detail on the DEV-0193 campaign. 

Source: https://portswigger.net/daily-swig/html-smuggling-fresh-attack-technique-is-being-used-to-increasingly-target-banking-sector

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

Telegram Messenger offers global, cloud-based instant messaging with several features:- Cybersecurity researchers at Securlist recently found several Telegram mods on Google Play in various...

Cyber Security

AttackCrypt, an open-source “crypter,” was recently used by cybercriminals to hide malware binaries and avoid antivirus detection. A crypter is a kind of software that can...

Cyber Security

We are glad to present the most recent news on cybersecurity in this week’s Threat and Vulnerability Roundup from Cyber Writes.  The latest attack...

Cyber Security

The cybercrime group evaded remediation efforts by installing persistent backdoors and deploying “new and novel malware.” A Chinese-linked hacking group that security researchers say...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO