HTML Smuggling: The Hidden Threat in Your Inbox | Trustwave

HTML smuggling is a rising method used by criminals to deliver malware via HTML attachments and archives masquerading as legitimate brands. The Trustwave SpiderLabs piece catalogs campaigns by Qakbot, IcedID, Cobalt Strike, and Xworm that abuse HTML smuggling to gain initial access and describes their infection chains in detail.
#Qakbot #IcedID #CobaltStrike #Xworm #HTMLSmuggling

Keypoints

  • HTML smuggling uses HTML5 data blobs and JavaScript to store and drop a payload offline, evading some email defenses.
  • Attackers impersonate well-known brands (Adobe Acrobat, Google Drive, Dropbox) to entice users to open archives.
  • Multiple malware families—Qakbot, IcedID, Cobalt Strike, and Xworm RAT—have been observed using HTML smuggling in their infection chains.
  • Qakbot campaigns often deliver via HTML attachments that extract encrypted ZIPs and drop a LNK + JS chain leading to a Qakbot DLL and process hollowing.
  • IcedID campaigns employ thread-hijacked emails with HTML attachments that drop ISO disks, LNKs, and decoy content, then use VBScript/PowerShell to fetch payloads.
  • Cobalt Strike deliveries rely on HTML attachments delivering ISOs with LNKs and PowerShell-based loaders, including persistence in the Startup folder and Defender evasion.
  • Xworm RAT campaigns retrieve encoded blobs via VBScript/PowerShell, download stagers, and ultimately load the Xworm DLL via Regasm, enabling remote monitoring capabilities.

MITRE Techniques

  • [T1566.001] Phishing: Attachment – HTML attachments are used to deliver archives and payloads, with campaigns impersonating brands. “The latest campaigns impersonate well-known brands like Adobe Acrobat, Google Drive, and Dropbox to increase the chances of users opening the archives.”
  • [T1059.007] JavaScript – The HTML smuggling template obfuscates commands in JavaScript arrays to conceal suspicious activity. “Looking at the HTML source code, the functions, and methods used to assemble the payload are obfuscated into arrays.”
  • [T1027] Obfuscated/Compressed Files and Information – Payload assembly is obfuscated within HTML/JS to evade filters. “obfuscated into arrays.”
  • [T1132.001] Data Encoding: Base64 – The payload is delivered as encoded blobs and decoded by the loader. “the first blob is retrieved … the PowerShell script decodes the base64 encoded blob into a DLL file.”
  • [T1059.001] PowerShell – PowerShell is used to fetch and execute payloads, including stagers. “The initial PowerShell script sets the groundwork for the successful execution of the Cobalt Strike payload.”
  • [T1218.011] Signed Binary Proxy Execution: Rundll32 – The main payload is loaded via Rundll32 before injection. “The main payload is loaded using rundll32 and then injected into explorer.exe through process hollowing.”
  • [T1055.012] Process Injection: Process Hollowing – The DLL is injected into explorer.exe through process hollowing. “injected into explorer.exe through process hollowing.”
  • [T1547.001] Boot or Logon Autostart Execution: Startup Folder – The PowerShell sequence places a launcher in the Startup folder, which the report describes as “a form of persistence”.
  • [T1562.001] Impair Defenses: Disable or Modify Security Tools – Defender real-time monitoring is disabled during the run. “Then, it disables Microsoft Defender’s real-time monitoring…”
  • [T1023] Shortcut Modification: LNK – The LNK shortcut is used to trigger the payload. “The ZIP archive dropped contains one file, a Windows Shortcut (LNK). Once the user opens the ZIP archive and launches the LNK file…”
  • [T1059.005] VBScript – VBScript is used to fetch and chain payloads (stagers and main loader). “The VBScript code launches PowerShell commands to retrieve two encoded blobs.”
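The keypoints and the [T1059.007], [T1027] and [T1132.001] entries above describe one loader pattern: a base64 blob decoded in JavaScript, wrapped in a Blob, handed to an object URL and forced to download as an archive, with the helper names hidden in string arrays. The following Python triage script is an added example, not code from the Trustwave post; it extracts inline JavaScript from an HTML attachment and scores those indicators so an email gateway or IR analyst can flag candidates for sandboxing. The indicator weights, regexes and the two HTML fixtures are this example's own assumptions, not values from the report.

```python
import re
from html.parser import HTMLParser

# Indicator weights are this example's own choice, not a published scoring scheme.
INDICATORS = {
    "atob(": 3,                 # base64 decode of the embedded blob
    "new Blob(": 3,             # HTML5 data blob assembled client-side
    "URL.createObjectURL": 3,   # object URL used to trigger the download
    "msSaveOrOpenBlob": 3,      # legacy IE/Edge download path
    "String.fromCharCode": 2,   # char-code string building (obfuscation)
    ".click()": 1,              # programmatic click on the download anchor
    "download": 1,              # download attribute / property
}
ARCHIVE_NAME = re.compile(r'["\'][^"\']{1,64}\.(?:zip|iso|img|vhd|lnk)["\']', re.I)
BASE64_BLOB = re.compile(r'["\'][A-Za-z0-9+/=]{400,}["\']')      # large inline literal
STRING_ARRAY = re.compile(r'\[\s*(?:["\'][^"\']{1,40}["\']\s*,\s*){8,}')  # ['a','b',...]

class _ScriptExtractor(HTMLParser):
    """Collect the text of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def scan_html(html: str):
    """Return (score, findings) for one HTML attachment; higher means sandbox it."""
    parser = _ScriptExtractor()
    parser.feed(html)
    js = "\n".join(parser.scripts)
    findings, score = [], 0
    for needle, weight in INDICATORS.items():
        if needle in js:
            findings.append(needle); score += weight
    for name, rx, weight in (("archive-filename", ARCHIVE_NAME, 2),
                             ("large-base64-literal", BASE64_BLOB, 3),
                             ("string-array-obfuscation", STRING_ARRAY, 2)):
        if rx.search(js):
            findings.append(name); score += weight
    return score, findings

# Constructed fixtures for testing the heuristics; not samples from any campaign.
BENIGN = "<html><body><script>document.title='Invoice';</script></body></html>"
SUSPECT = ("<html><body><script>var p=['atob','Blob','createObjectURL','a','b','c','d','e','f'];"
           "var d=atob('" + "QUJD" * 120 + "');var b=new Blob([d]);var u=URL.createObjectURL(b);"
           "a.href=u;a.download='Document1611.zip';a.click();</script></body></html>")
```

Scores are only a triage signal: attackers also split logic across event handlers or external scripts, so a high score should route the file to detonation rather than stand as a verdict on its own.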

Indicators of Compromise

  • [File] context – Document1611.html, Document1611.zip, and 2 more files (e.g., File577.lnk, enhrP.s_1L.QH0w.js)
  • [Hash] context – b79ff504eb6ec509b8b6b870dc2f0113825d859b, b5da32a803b31d769d4d330e9c923d8c2dc5da1f, and 2 more hashes
  • [Hash] context – d92b31ddf25e30e7cc34239bf45c7ec913b713c4, 78542b48745136d9e77896ec77c7613c4386ad81, and 1 more hash
  • [Hash] context – 0d17a7f60f7f5a6d5e00ed23635dd4998a5df307
  • [File] context – PE40.vhd (VHD containing Qakbot)
  • [URL] context – hxxps://purepowerinc[.]net/nluGZ/082.html, hxxps://huhuwarcanoefestival[.]com/iSx1Ch/0509.html
  • [URL] context – 165[.]22[.]48[.]183/common?chunk=false (C2), and 1 more URL
  • [IP] context – 165.22.48.183, 5.42.199.235
  • [Domain] context – beautiful-elion.68-64-160-26.plesk.page

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/html-smuggling-the-hidden-threat-in-your-inbox/