Researchers have reported witnessing an increase in use of the malware distribution technique known as HTML smuggling, as cybercriminals take advantage of the wealth of remote-based employees who spend much of their time accessing cloud-based work applications and performing tasks via a web browser.

Instead of infecting victims by having a computer fetch malware from a compromised or abused web page, HTML smuggling allows malicious actors to dynamically construct malicious payloads directly on the browser using JavaScript, and then have it downloaded onto a targeted endpoint. The end user must then be tricked through social engineering into opening up that file.

This technique allows the malware to avoid network security solutions such as sandboxes, legacy proxies, and firewalls, according to Menlo Security, whose researchers this past June discovered a new HTML smuggling campaign called ISOMorph.

Moreover, “Any enterprise you look at has a bunch of appliances, endpoint EDRs, [anti-virus programs] and a bunch of network monitoring devices. So half the battle is to be able to get past all of these network devices and get the payload on to the endpoint,” said Vinay Pidathala, director of security research at Menlo Security, in an interview with SC Media.

For that reason, “we believe attackers are using HTML smuggling to deliver the payload to the endpoint because the browser is one of the weakest links, without network solutions to block the payload,” a Menlo Security blog post explains.

In the ISOMorph campaign, adversaries have leveraged HTML smuggling to construct a first-stage dropper malware – packaged as an ISO file – that later produces a secondary payload in the form of AsyncRAT, a remote access trojan that can log passwords and exfiltrate data.

But that’s just the latest in a string of incidents using this technique. Indeed, the Nobelium threat group behind the SolarWinds supply chain attack is also known to implement this tactic, as does the malicious actor behind Duri malware, which Menlo has also written about.

“I would say starting in 2020, or the later part of 2020, is when we've seen an increase in HTML smuggling,” said Pidathala.

Pidathala said users typically first receive this threat in the form of a phishing email containing a malicious HTML attachment that opens up in the browser, or a weaponized link that leads to a web page where the payload is constructed and downloaded.

From an attacker perspective, the browser is an ideal environment to stage an attack because of its rampant usage by remote employees, especially since the COVID-19 pandemic began.

“The browser is becoming super powerful… I have about 30 tabs open right now,” said Pidathala. “And so to be able to deliver an attack via the browser and use human cognitive biases against them in the form of social engineering makes for a very successful attack.”

And the fact that Nobelium has used the technique so effectively makes that Russian state-sanctioned group a role model for cybercriminals and even script kiddies to emulate.

“If they see that something like an Nobelium has used HTML smuggling, they're sure to build this technique into their arsenal of kits. And we have started seeing [these] kits,” said Pidathala.

Currently, the HTML smuggling technique is a “blind spot” for many cyber defenders, Pidathala continued, because many endpoint protection solutions lack browser instrumentation and visibility.

HTML smuggling “helps attackers to bypass quite a few prevention tools controlling entry to a targeted infrastructure, and as companies usually put the majority of efforts on prevention, the method is likely to be successful,” added Dirk Schrader, global vice president of security research at New Net Technologies (NNT), now part of Netwrix. Therefore, “controlling change on a device is the technical method needed to render this attack method unsuccessful.”

Additionally, Pidathala said it’s important that business understands “that there is an invasiveness associated with this tactic, and it's important for seasoned CISOs to… build a holistic detection and response model” – one that perhaps features remote browser isolation as a way to provide visibility into how the payload gets constructed.”

“We need more of those solutions, and we need more of those solutions to correlate data with the EDR [system] or some sort of protection that is on the endpoint,” he said. “Through partnership, I think that can be that gap can be closed.”