SpiderLabs Blog

HTML Smuggling: The Hidden Threat in Your Inbox | Trustwave

Written by Bernard Bautista, Diana Lopera | Feb 9, 2023 6:00:00 AM

Last October, Trustwave SpiderLabs blogged about the use and prevalence of HTML email attachments to deliver malware and phishing for credentials. The use of HTML smuggling has become more prevalent, and we have since seen various cybercriminal groups utilizing these techniques to distribute malware.

HTML smuggling employs HTML5 attributes that can work offline by storing a binary in an immutable blob of data within JavaScript code. The data blob, or the embedded payload, gets decoded into a file object when opened via a web browser. Threat actors take advantage of the versatility of HTML in combination with social engineering to lure the user into saving and opening the malicious payload.

HTML smuggling is not new, but it has gained in popularity, especially after Microsoft started blocking macros in documents from the Internet by default. What did not change is the use of HTML smuggling to deliver the initial payload. The intermediate payload varies from ISO, IMG, and VHD image files.

The latest campaigns impersonate well-known brands like Adobe Acrobat, Google Drive, and Dropbox to increase the chances of users opening the archives.

In this blog, we will cover some notable malware strains that have utilized HTML smuggling in their infection chain and provide a brief analysis of each malware.

Qakbot

Qakbot, one of the notorious malware types actively distributed through spam, has been using HTML smuggling since June 2022. It shifted from macro documents to HTML as Microsoft pushed restrictions on using macros from the Internet.

Figure 1: Qakbot is delivered via HTML attachments as seen in our spam traps.

A Qakbot email campaign from September 2022 uses a plain template and does not impersonate well-known brands. Instead, the malware tricks the user into clicking the HTML attachment, which causes an encrypted ZIP archive to be saved to disk. The email and the HTML attachment contain the password to extract the ZIP content.

Figure 2: Spam email delivering Qakbot via an HTML attachment

Figure 3: HTML smuggling template

Looking at the HTML source code, the functions, and methods used to assemble the payload are obfuscated into arrays. This attempts to conceal suspicious commands and evade email gateway filters. This technique abuses the JavaScript function msSaveOrOpenBlob to dynamically generate and drop the malicious payload to disk.

Figure 4: Obfuscated JavaScript code used for payload smuggling

Figure 5: ZIP archive drop containing a Windows Shortcut LNK

The ZIP archive dropped contains one file, a Windows Shortcut (LNK). Once the user opens the ZIP archive and launches the LNK file, it invokes the Windows Command Processor which creates a download folder inside the %LOCAPPDATA% directory and downloads and executes a JavaScript using the built-in curl tool and WScript, respectively. The JavaScript file downloads the main payload, a Qakbot DLL. The payload is loaded using rundll32 and then injected into explorer.exe through process hollowing.

Figure 6: Infection chain of the Qakbot campaign

Figure 7: Qakbot campaign impersonating Google Drive

IcedID

Another infamous malware strain, IcedID also known as Bokbot, has been observed using HTML smuggling. There is some overlap in the method of delivery between IcedID and Qakbot, as the HTML templates we saw were nearly identical.

Figure 8: Thread-hijacked email delivering IcedID

Figure 9: HTML template spoofing a PDF viewer to lure targets to install IcedID

In this sample, IcedID was delivered through a thread-hijacked email with an HTML attachment. A thread-hijacked email contains malicious messages, links, or attachments that were inserted by threat actors into a legitimate email conversation. After loading in the browser, the HTML, impersonating a PDF document viewer, drops a password-protected ZIP archive with an embedded ISO disk image file. The HTML template contains the archive’s password. Inside the ISO file is an LNK file, a decoy PNG image, and the IcedID DLL. Clicking the LNK file starts the command line to load the decoy PNG image, while in the background, rundll32 loads the initial IcedID DLL with the PluginInit parameter.

Figure 10: Command line to load decoy PNG image

Figure 11: Infection chain of IcedID campaign

Since 2017, IcedID has implemented a range of delivery methods favoring email as its initial access vector. It started as a banking trojan targeting financial institutions but has since evolved into a dropper of additional malware payloads, like ransomware, and has become an initial access provider for other threat actors seeking to establish a foothold on a target system.

Cobalt Strike

More recently, in December we came across a spam email with an HTML attachment dropping Cobalt Strike. The HTML lure looks similar to the Qakbot and IcedID campaigns.

Figure 12: Infection chain of Cobalt Strike delivery through email with an HTML attachment

Figure 13: PDF viewer-themed HTML lure delivering Cobalt Strike

Figure 14: ISO package containing LNK shortcut, PowerShell scripts including Cobalt Strike, and a decoy document

When the HTML is loaded, it drops an ISO file containing an LNK file that, when clicked, launches the payload execution sequence. The LNK file starts PowerShell to execute the PowerShell script masqueraded in a ‘.log’ extension rather than ‘.ps1’. Modifying the extension attempts to evade defenses and tricks the user into thinking that it is a typical log file.

Figure 15: PowerShell script

The initial PowerShell script sets the groundwork for the successful execution of the Cobalt Strike payload. The script checks if the target system is part of a domain. Then, it disables Microsoft Defender’s real-time monitoring followed by the creation of an LNK shortcut file pointing to the Cobalt Strike payload in the Startup folder as a form of persistence. Otherwise, it loads the decoy PDF document and terminates the sequence.

To conceal the malicious activity the script loads the decoy PDF document before launching the main payload.

Figure 16: First stage PS1 script disabling antivirus, checking the system configuration, and setting up persistence

The initial and main PowerShell scripts simply obfuscate their variables and functions using random and lengthy names. For the sake of readability, we have modified the variable names making them shorter.

Figure 17: Cobalt Strike with base64-encoded shellcode

Before memory injection, the Cobalt Strike shellcode decodes from base64 then bitwise XOR with the key, 35. It connects to its C2 server at hxxp[://]165[.]22[.]48[.]183/common?chunk=false.

Xworm RAT

One of the interesting samples we uncovered in our spam traps is an Xworm RAT, which is a .NET-compiled malware capable of monitoring user activities including keystrokes and screen activities.

Figure 18: Email campaign delivering the Xworm RAT

The email purports to be from the U.S. Postal System with the subject line reading “Your shipment is out for delivery” and includes an HTML file attachment. When the recipient opens the HTML, it will be loaded in the browser and automatically drops an ISO disk image to the target system.

The ISO file contains a Visual Basic Script (VBS) file. The user must open the ISO file for it to be mounted and double-click the VBScript code for the infection chain to continue.

When executed, the VBScript code launches PowerShell commands to retrieve two encoded blobs. Below is the final PowerShell command launched:

Figure 19: Final PowerShell command launch

The first blob is retrieved from hxxp://5[.]42[.]199[.]235/dll/dll2.txt. Then, the PowerShell script decodes the base64 encoded blob into a DLL file. This first DLL has the following capabilities:

  • Creates a copy of the VBS file in the Startup folder
  • Sets the VBS persistence through a scheduled task
  • Downloads the stager DLL which will serve as the loader of the second blob or the main payload

The second blob is downloaded from hxxps://beautiful-elion[.]68-64-160-26[.]plesk[.]page/weslle.txt. Like the first blob, the base64 encoded file is converted into a DLL file. We found that this main payload turns out to be an Xworm RAT.  

The code shown below is from the first DLL, and highlighted is the method “PUlGKA” which is invoked through the VBScript command. It downloads and decodes the stager DLL from hxxp:// 5[.]42[.]199[.]235/pe/Pe.txt. From there, the stager manages the execution of Xworm DLL through the built-in Windows command Regasm.

Figure 20: PUlGKA method

Figure 21: Attack sequence of a campaign that starts from email then ends with Xworm RAT dropped.

Conclusion

The shift in malware delivery methods to using HTML is concerning, as it challenges email gateway scanners, endpoint protection, and security solutions, especially their ability to unpack, decode and detect such techniques. With HTML smuggling, the malware is concealed from the scanners as most AVs will see the HTML attachment only compared to using an ISO file attachment, which will immediately throw red flags. Combining HTML smuggling with archives and disk images as intermediate payload raises the chances of delivering malware and gaining initial access. Threat actors are crafty in their lures, mixing various social engineering techniques and exploring different attack chains to gain a foothold on the target’s system.

We expect to see more sophisticated malware delivered through HTML smuggling with more compelling lures impersonating well-known products and social engineering tricks, complex obfuscation on the HTML level evading signature-based detection, and diverse attack sequences that may require more user interaction but may still be effective to gain initial access.

We always remind everyone to stay vigilant in this ever-changing digital landscape. 

 

Indicators of Compromise

Qakbot

Document1611.html

b79ff504eb6ec509b8b6b870dc2f0113825d859b

Document1611.zip

b5da32a803b31d769d4d330e9c923d8c2dc5da1f

File577.lnk

d92b31ddf25e30e7cc34239bf45c7ec913b713c4

enhrP.s_1L.QH0w.js

0d17a7f60f7f5a6d5e00ed23635dd4998a5df307

_OIV.dll (Qakbot DLL)

78542b48745136d9e77896ec77c7613c4386ad81

jackboots. tmp (Qakbot DLL)

ed67cb8a6c44871ec6ffb6517d77b5e84f00b399

PE40.vhd (VHD containing Qakbot)

55781d120a91b71da2c51ed3657a73e819493f38

Download URL for JS

hxxps://purepowerinc[.]net/nluGZ/082.html

Download URL for DLL (Qakbot)

hxxps://huhuwarcanoefestival[.]com/iSx1Ch/0509.html

 

IcedID

alljumping,doc,09.30.22.html

07251deafd605437a25d51428aade79255036d49

3ebdb69f-1430-4414-ace5-a413e8bdb9cd.zip

df3f2f97383d4ae897b3197e8d07f474f651a053

scandocument-83848d84-c26a-4bc9-95f5-10f288709ff7.iso

cffb01d11245792b5498c051603a279b0ad1930d

scandocument-83848d84-c26a-4bc9-95f5-10f288709ff7.lnk

702631c91a8fe86b2e75f4a6b089d00b7762ff1b 

0e7132bf-c75b-4ff9-ab6a-0db25f7250a4.W6_ (IcedID DLL)

15f8a879534143a4169c6ecd1d56132d1908443d

d5216149-74d2-4662-a923-3ea963ef2a5a.png

b6b61511ea7a36015f8002922bc20ad1f42234ab

 

CobaltStrike

a5c7f1e3-e33c-4dd8-bd27-f40fba04cb5d.html

ce4611b2d2e326ff7b37acdc10636f0dcd9439ba

Bill-1208-1113add9551798.iso

63adbabf3dfde36e745f4c42979260a2e946848c

Bill-1208.lnk

0afe54c016f4770ad2a8690ef9a06b1f53804215

bbftullzytwpbp.log (PS1 stager)

23b950b209cb16b084cad87c006dc7691c60dc40

fwoebcdndjhrmrn.log (PS1 CobaltStrike)

4b9d2f4b80ef9578711c569524694905012a8080

vqulmjurow.pdf (Decoy PDF document)

fbc916f065157cc5a13f22453c19f7dfecc3c228

C2 server

hxxp[://]165[.]22[.]48[.]183/common?chunk=false

 

Xworm

ERYASZBM279.html

207b87124f8abe2226251eb84f033e8642418fb1

US-ERYASZBM279.iso

e318c01fcd1f711fd063e845ca2431012086658f

us1012401.vbs

35b9fd8856edd443a4e27727c54dd135e26220bd

dll2.txt (Initial DLL)

efd195d8ef795e123bb1c1faee77459a781c003e

weslle.txt (Xworm)

8cb57a7e1e929c48716974edf55df2e9456d1443

Pe.txt (Stager DLL)

7a7e76553dafc2c1b6a0d804aa540ab7a80fd77b

hxxp://5[.]42[.]199[.]235/dll/dll2.txt

 

hxxp:// 5[.]42[.]199[.]235/pe/Pe.txt

 

hxxps://beautiful-elion[.]68-64-160-26[.]plesk[.]page/weslle.txt