While hackers are always experimenting and innovating to catch up with the latest cybersecurity advances, they are also not afraid to stick with the tried and true. Why? Because it works.

Why spend a lot of time and money trying to outfox the good guys if a simple phishing email still gets you in? Same with other “tricks.” One oldie but goodie (if you are a hacker) has seen a resurgence this year: HTML smuggling.

“HTML smuggling has been around for a while, and it can be very effective in achieving some objectives from the hackers’ point of view,” says James Carlson, an independent cybersecurity consultant in Portland, Oregon.

Researchers have warned of a recently launched HTML smuggling campaign that is making the rounds. The campaign is called “Duri,” and it utilizes the tried and true hacker comfort food of HTML smuggling.

ThreatPost described it in a recent dispatch:

An active campaign has been spotted that utilizes HTML smuggling to deliver malware, effectively bypassing various network security solutions, including sandboxes, legacy proxies, and firewalls.

ThreatPost says Duri – which has been around since July – works by launching attacks that send victims malicious links.

“Once they click on that link, a JavaScript blob technique is being used to smuggle malicious files via the browser to the user’s endpoint (i.e., HTML smuggling). Blobs, which mean “Binary Large Objects” and are responsible for holding data, are implemented by web browsers.”

Duri is not completely new

Carlson says Duri is just a newer twist on an old trick, and that HTML smuggling always uses a blend of HTML5 and JavaScript to “sneak” the malicious payload past content filters.

Similar smuggling programs have been around as far back as the early 2000s. They create an HTML file that contains an encrypted version of an HTA payload. Dangerous HTA payloads have historically been used in email phishing attacks as attachments.

Most protection programs have caught up over the years and don’t even allow HTA through, Carlson tells SmarterMSP.

However, hackers have found ways around such protections by creating an HTML file that delivers an encrypted version of an HTA payload. The content is served as a single HTTP request, which the proxy will happily allow.

At this point, the HTML is contentedly living in the user’s browser, and embedded JavaScript will unpack and decrypt the HTA content before calling msSaveBlob, which downloads the unpacked file directly from the user’s browser. Fun. As if MSPs don’t have enough to worry about with remote-work cybersecurity concerns, COVID-related phishing and the like, now the old trick of HTML smuggling is resurfacing.

Microsoft provides a strong refresher on HTAs and all of their implications and dangers.

Carlson notes that utilizing HTA files for web-based attacks against Internet Explorer has proven reliable and successful because an HTA file, when opened in IE, gets launched by mshta.exe, a signed Microsoft binary, which can then prompt PowerShell and inject a payload into memory.

Internet Explorer, though, does have some built-in warnings that users shouldn’t ignore. For instance, the browser prompts the user not once, but twice, when attempting to load an HTA file. Because these alerts do decrease the chances of a successful attack, Internet Explorer is a mixed bag of sorts for attackers. Other browsers seem more hit and miss in their attempts to filter out these kinds of attacks.

How can MSPs defend clients against HTML smuggling?

    • Block all HTA and MSHTA files. Carlson advises that one tactic would be to not allow HTA files in your client’s system. That’s a catch-all approach that might block some legitimate files, but it may be worthwhile for some businesses to go that route.
    • Disable JavaScript. “This would be almost foolproof in preventing HTML smuggling, but JavaScript is indispensable for many businesses,” Carlson says, so it may not be a practical solution.
    • Strong endpoint protection. HTML smuggling is a viable tool for hackers, and there are not many practical tools for the good guys to intercept a well-executed HTML smuggling attempt, warns Carlson. So if, figuratively speaking, a vaccine isn’t feasible, then treatment is the next best thing. And, in this case, treatment is reliable endpoint protection. MSPs should implement measures that deaden the impact of malicious content that finds its way to endpoints. You want perimeters and application controls on the endpoints so that if the payload is released, it stays contained.

For his final piece of advice, Carlson offers, “Robust user education is probably the most powerful weapon MSPs have at their disposal.”

Photo: BEST-BACKGROUNDS / Shutterstock

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
