HTML smuggling -- the latest way to deliver malware


Since Microsoft began the default blocking of macros in documents sent over the internet there's been an increase in the use of HTML files to deliver malware.

Research by Trustwave Spiderlabs reveals a rise in so-called 'HTML smuggling', which uses HTML5 attributes that work offline by storing a binary as an immutable blob of data inside JavaScript code. When the HTML file is opened in a web browser, the embedded payload is decoded into a file object.
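A defender-side check for the pattern described above, added here as an example and not code from the article or from Trustwave: a small Python scanner that scores an HTML file on indicators of browser-side payload reconstruction (a Blob built in JavaScript, base64 decoding, an object URL, a scripted download). The indicator names, the equal weighting and the threshold of three are my own assumptions, and both embedded samples are constructed; the "suspicious" one is the generic Blob-download idiom with a three-byte placeholder string, not a real lure.

```python
"""Heuristic scan of HTML content for HTML-smuggling indicators (example code)."""
import re
import sys
from dataclasses import dataclass, field

# Each indicator is a (name, regex) pair. Together they describe the
# reconstruction step the article refers to: a binary kept as a Blob in
# JavaScript, base64-decoded, then handed to the user as a downloadable file.
# Any single one of these is common on legitimate pages, so we score them
# in combination rather than alerting on one match.
INDICATORS = [
    ("blob_constructor", re.compile(r"new\s+Blob\s*\(", re.I)),
    ("base64_decode", re.compile(r"\batob\s*\(", re.I)),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\(", re.I)),
    ("download_attr", re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I)),
    ("legacy_save_blob", re.compile(r"msSaveOrOpenBlob", re.I)),
    ("scripted_click", re.compile(r"\.click\s*\(\s*\)", re.I)),
    # A very long base64 literal is the embedded binary itself.
    ("large_base64_literal", re.compile(r"[\"'][A-Za-z0-9+/]{2000,}={0,2}[\"']")),
]

DEFAULT_THRESHOLD = 3  # assumed cut-off: three or more indicators together


@dataclass
class ScanResult:
    matched: list = field(default_factory=list)  # indicator names that fired
    score: int = 0                                # number of indicators matched
    suspicious: bool = False                      # score >= threshold


def scan_html(html: str, threshold: int = DEFAULT_THRESHOLD) -> ScanResult:
    """Return which indicators fire in the given HTML text and a verdict."""
    result = ScanResult()
    for name, pattern in INDICATORS:
        if pattern.search(html):
            result.matched.append(name)
    result.score = len(result.matched)
    result.suspicious = result.score >= threshold
    return result


def scan_file(path: str, threshold: int = DEFAULT_THRESHOLD) -> ScanResult:
    """Scan an HTML attachment on disk; errors='replace' tolerates odd encodings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_html(fh.read(), threshold)


# Constructed sample: an ordinary page offering a server-hosted download.
# Only the download attribute fires, so it stays below the threshold.
BENIGN_SAMPLE = """<html><body>
<h1>Quarterly report</h1>
<a href="/reports/q3.pdf" download="q3.pdf">Save the PDF</a>
</body></html>"""

# Constructed sample: the browser-side reconstruction idiom with a
# placeholder string ("QUJD" decodes to "ABC") instead of a real binary.
SUSPICIOUS_SAMPLE = """<html><body>
<script>
var data = atob("QUJD");
var blob = new Blob([data]);
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script>
</body></html>"""


if __name__ == "__main__":
    # Usage: python scan_html_smuggling.py file.html [more.html ...]
    # With no arguments, scan the two embedded samples.
    targets = sys.argv[1:]
    if not targets:
        for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
            r = scan_html(sample)
            print(f"{label}: score={r.score} suspicious={r.suspicious} matched={r.matched}")
    for path in targets:
        r = scan_file(path)
        print(f"{path}: score={r.score} suspicious={r.suspicious} matched={r.matched}")
```

The scanner is meant for mail-gateway or sandbox triage of `.html` and `.htm` attachments, where a combined score is a cheap first filter ahead of detonation; the article notes that obfuscation at the HTML level is expected to grow, so treat a low score as "not matched by this heuristic", not as clean.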

This allows threat actors to take advantage of the versatility of HTML in combination with social engineering to lure the user into saving and opening the malicious payload. The latest campaigns have been impersonating well-known brands like Adobe Acrobat, Google Drive and Dropbox to increase the chances of users opening the archives.

Malware strains delivered include the Qakbot Trojan and Cobalt Strike -- a pen testing tool that's often abused by threat actors to probe networks for vulnerabilities.

Security researchers Bernard Bautista and Diana Lopera write on the Spiderlabs blog:

We expect to see more sophisticated malware delivered through HTML smuggling with more compelling lures impersonating well-known products and social engineering tricks, complex obfuscation on the HTML level evading signature-based detection, and diverse attack sequences that may require more user interaction but may still be effective to gain initial access.

We always remind everyone to stay vigilant in this ever-changing digital landscape.

You can read more on the Spiderlabs blog.

Image credit: Rawpixel/


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.