
Fake Google Docs on Google Sites launch AZORult infostealer campaign


An AZORult infostealer campaign has been observed in the wild in which the attackers create fake Google Docs pages on Google Sites and use HTML smuggling to deliver the malicious payload.

Netskope Threat Labs explained in a March 15 blog post that the AZORult infostealer payload then steals a user’s credentials and credit card information, with the campaign abusing a legitimate domain like Google Sites for delivery.

The researchers said the attackers lure their victims to fake Google Docs pages to trick them into believing the downloaded file came from Google Docs. In most of the cases the Netskope researchers observed in the wild, the attackers embed the smuggled malicious payload in the JavaScript itself.

HTML smuggling operates as a defense evasion technique that seeks to bypass web controls that block risky file types, said the researchers. It abuses legitimate HTML5 download attributes and JavaScript blobs to construct malicious payloads on the client side, bypassing standard network security filters.

AZORult exemplifies the evolving nature of malware campaigns, with an unorthodox HTML smuggling technique that obscures the activity within legitimate Google sites, said Patrick Tiquet, vice president, security and architecture, at Keeper Security. This lets them bypass most traditional security measures, including firewalls, which are often not able to identify the content as malicious, said Tiquet.

“HTML smuggling is challenging to defend against, and emphasizes the need for a layered approach to security,” said Tiquet. “Organizations should ensure they have basic precautions, including an endpoint protection platform, web filtering, email protection, and employee training in place. If a cybercriminal breaches a network via HTML smuggling, a zero-trust and zero-knowledge cybersecurity architecture will limit the bad actor’s access.”

Lionel Litty, chief security architect at Menlo Security, said with HTML smuggling, an attacker uses JavaScript to sneak the bulk of their malicious payload past network devices that look for signatures. Only a small unencoded fragment of JavaScript is needed to bootstrap the process, said Litty, and this fragment can easily mutate to once again avoid signature detection. In this case, the fragment downloads the bulk of the payload via a separate fetch.

“While this is arguably less stealthy, it allows the encoded payload to not be delivered until a Captcha has been solved by the target,” explained Litty. “Given that they can execute powerful client-side code through JavaScript, attackers have a vast array of techniques at their disposal to smuggle the content, and trying to inventory them all is not a very constructive exercise. Defenders need solutions that detect malicious content not on the wire, but after the visited page's JavaScript has executed.”
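As an added illustration (not code from Netskope, Menlo Security or the article), the following Python scanner flags the client-side chain described above, a JavaScript Blob turned into an object URL and saved via the HTML5 download attribute, and separates the embedded-payload case Netskope saw most often from the separate-fetch variant Litty describes; all three HTML fixtures are constructed and harmless.

```python
import re

# Static indicators of the HTML smuggling chain the article describes: a JavaScript
# Blob built client-side, an object URL, and an HTML5 download attribute (or a
# synthetic click) that saves it, plus base64 decoding and an optional separate fetch.
INDICATORS = {
    "blob_ctor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|<a\b[^>]*\bdownload\b", re.I),
    "click_trigger": re.compile(r"\.click\s*\(\s*\)"),
    "base64_decode": re.compile(r"\batob\s*\("),
    "remote_fetch": re.compile(r"\bfetch\s*\(|\bXMLHttpRequest\b"),
}
# A long base64 literal means the payload is embedded in the script itself.
EMBEDDED_B64 = re.compile(r"""['"]([A-Za-z0-9+/]{256,}={0,2})['"]""")


def score_html(html: str) -> dict:
    """Return per-indicator hits and a verdict for one HTML document."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    hits["embedded_payload"] = bool(EMBEDDED_B64.search(html))
    # The chain only matters when a Blob is turned into a URL and then saved;
    # a bare <a download> link on its own is ordinary web behaviour.
    chain = hits["blob_ctor"] and hits["object_url"] and (hits["download_attr"] or hits["click_trigger"])
    if chain and hits["embedded_payload"]:
        verdict = "smuggling_embedded"
    elif chain and hits["remote_fetch"]:
        verdict = "smuggling_fetched"
    elif chain:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits}


# Constructed, harmless fixtures (no real payload): the Blob only ever holds a short string.
_SAVE = ("const a=document.createElement('a');a.href=URL.createObjectURL(b);"
         "a.download='Document.zip';a.click();")
SAMPLE_FETCHED = ("<html><script>fetch('/p.txt').then(r=>r.text()).then(t=>{"
                  "const b=new Blob([atob(t)]);" + _SAVE + "});</script></html>")
SAMPLE_EMBEDDED = ("<html><script>const d='" + "QUJD" * 80 + "';"
                   "const b=new Blob([atob(d)]);" + _SAVE + "</script></html>")
SAMPLE_BENIGN = "<html><a href='/report.pdf' download>Download report</a></html>"

if __name__ == "__main__":
    for name, doc in [("fetched", SAMPLE_FETCHED), ("embedded", SAMPLE_EMBEDDED), ("benign", SAMPLE_BENIGN)]:
        print(name, score_html(doc)["verdict"])
```

The regexes are deliberately literal, so a fragment that "mutates", as Litty notes, will slip past them; this is the reason he argues for inspecting content after the page's JavaScript has run rather than on the wire.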

Jason Soroko, senior vice president of product at Sectigo, added that to defend against HTML smuggling, a defensive tactic will require a system to reassemble the JavaScript or HTML encoded file to find the telltale patterns of the malware.

“However, there’s room here for innovation to look for patterns directly within the encoded files,” said Soroko. “If a browser can enable JavaScript or HTML5, maybe the browser has a responsibility to look for these malicious payloads in their encoded state.”
