HTML Smuggling - An Old Technique with New Tricks

Posted on: 21 Apr 2023 | Author: Foresiet
Since the inception of the internet and the World Wide Web (WWW), HTML has been a fundamental part of digital communication, enabling document exchange services between various devices on the network. Developed by Tim Berners-Lee, the father of the WWW, in 1993, the markup language is still used to display documents on web browsers today. Despite undergoing significant version upgrades over the last three decades, with HTML5 being the latest version recommended by the World Wide Web Consortium (W3C), the language has specific characteristics that allow attackers to exploit loopholes and compromise systems. This article delves into one such exploit: HTML Smuggling, and malware that utilizes it.
Getting malware onto the victim's system is the attacker's ultimate goal, and HTML Smuggling is one of the many delivery methods available for doing so. The method is not new; it has been known for a long while. It was not very popular until now because easier and more reliable delivery methods existed, such as default macros in Office documents on Windows. Microsoft, however, has been disabling macros by default in documents obtained from the web, which has renewed attackers' focus on HTML Smuggling as a vector for delivering malware.
To create a URL for the Blob object, createObjectURL() is called with the Blob as its argument. Once the URL exists, click() is called on the anchor element to simulate a user click; this triggers the anchor's download and writes the payload.txt file to disk as soon as the webpage loads. Finally, revokeObjectURL() is called to release the URL so that little evidence of what happened remains.
The image below illustrates how the text file is downloaded automatically upon loading the webpage.
The code example above is a simple demonstration of how HTML Smuggling can be abused by malware. Real payloads are typically more complex and are often encoded with schemes such as Base64, or otherwise obfuscated, to evade detection by firewalls and antivirus software.
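As an added, defender-side example (not code from the original article), the following Python scanner scores an HTML attachment on the combination of browser APIs the technique relies on: a Blob built in script, turned into an object URL, clicked programmatically and then revoked, usually alongside a long Base64 string. The two sample documents, the indicator names and the thresholds are constructed for this illustration and should be tuned per environment.

```python
import re
from typing import Dict

# Indicators for the assemble-in-browser pattern described above.
# Names and patterns are constructed for this example.
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "revoke_url": re.compile(r"URL\.revokeObjectURL\s*\(", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
    "download_attr": re.compile(r"\.download\s*=|download\s*=\s*[\"']", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "legacy_save": re.compile(r"msSaveOrOpenBlob", re.I),
}
# A long run of Base64 text inside the page is a common payload carrier.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def score_html(html: str) -> Dict[str, object]:
    """Return matched indicators, largest Base64 run, a score and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    run = max((len(m.group(0)) for m in BASE64_RUN.finditer(html)), default=0)
    # The core chain is Blob -> object URL -> programmatic click.
    chain = {"blob_constructor", "object_url", "auto_click"} <= set(hits)
    score = len(hits) + (3 if chain else 0) + (2 if run else 0)
    verdict = "suspicious" if chain or score >= 5 else "benign"
    return {"hits": hits, "largest_base64_run": run, "score": score, "verdict": verdict}


# Constructed samples, not real attachments: a benign page with an ordinary
# download link, and a page using the pattern with an inert text blob ("ABC...").
BENIGN = ("<html><body><a href='report.pdf' download>Report</a>"
          "<script>console.log('hi')</script></body></html>")
SUSPECT = ("<html><body><script>"
           "var d=atob('" + "QUJD" * 60 + "');"
           "var b=new Blob([d],{type:'application/octet-stream'});"
           "var a=document.createElement('a');"
           "a.href=URL.createObjectURL(b);a.download='payload.txt';"
           "document.body.appendChild(a);a.click();"
           "URL.revokeObjectURL(a.href);"
           "</script></body></html>")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, score_html(doc))
```

The scanner is deliberately conservative: the three-call chain alone is enough to flag a file, so a mail gateway can quarantine HTML attachments for review before any decoding happens in a user's browser.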
Here is a flowchart depicting the process of HTML Smuggling:
QakBot is a malware family that uses HTML Smuggling as a means of dissemination and is one of the most prevalent and powerful malware types in existence today. Since last year it has been used in email phishing and social engineering attacks on unsuspecting victims to spread and steal data. Following Microsoft's crackdown on default macros, QakBot operators have shifted from abusing macros to using HTML Smuggling to spread.
Since the fourth quarter of 2022, there have been repeated campaigns by foreign state and non-state actors that clone and impersonate well-known software companies and products such as Dropbox and Google Drive. The goal is to disguise their downloads and compromise victims' computer systems by stealing data and monitoring activity. Email has been the preferred method of propagation: mass spam emails with dubious links and attractive styling lead victims to click on links promising material gains, discounts on the cloned websites, or fake bank emails about fees due. Clicking on these links downloads a zip file onto the system and triggers the Blob-based script, which automatically writes its contents to disk.
The diagram below illustrates the propagation and compromise of QakBot on its victims:
Protecting against HTML Smuggling:
Traditional defence methods are insufficient to protect potential victims from these attacks. A well-structured, multi-layered and resilient defence strategy with strong heuristic and processing capabilities is necessary to detect and prevent these attacks in time. One way to thwart them is to use malware detectors built on well-trained machine learning models capable of detecting multiple types of malware, including QakBot. Additionally, strengthening API endpoints, improving protection against phishing attacks and employing cloud protection software are necessary to prevent the spread of malware and viruses.
This article has shown that HTML Smuggling is a technique that can succeed even on systems equipped with the most advanced antivirus software. The recent increase in its use is alarming, and we can anticipate the creation and spread of more sophisticated and resilient malware that will challenge the efficacy of existing security frameworks. Foresiet would like to remind its readers and clients to remain vigilant and report any suspicious activity to the relevant authorities.
The following list provides information on the indicators of compromise associated with QakBot malware: