Data breaches, malware, ransomware, phishing and DDoS attacks are all on the rise. But now another type is quickly emerging. We are seeing an uptick in attackers using HTML Smuggling to get their malicious payloads to the endpoint. ISOMorph is one campaign that is taking advantage of this technique, on the heels of Nobelium, the attackers behind SolarWinds, who used the same technique in their most recent spear-phishing campaign.
Menlo Labs has identified malicious actors using the popular Discord app to host malicious payloads. The Remote Access Trojan (RAT) used in this campaign (AsyncRAT) has many capabilities, including evasion, password logging and data exfiltration. An enterprise that is infected with this RAT must assume that the goal of the attackers is the exfiltration of sensitive data.
- HTML Smuggling, a technique fast gaining notoriety, is used to drop the first-stage dropper: malware samples that initially land on a victim's machine before fetching the main payload. HTML Smuggling was also used in the most recent spear-phishing campaign by the Nobelium group.
- The attack is multi-staged and checks for and disables various anti-virus (AV) programs running on the endpoint.
- AsyncRAT/NJRAT is the Remote Access Trojan that gets installed on successfully compromised endpoints.
- Threat actors are using the popular Discord app to host malicious payloads in this campaign. This is important to note because Discord, a group chat platform, reportedly has over 150 million active users who use the app to communicate over text and voice.
So why is HTML Smuggling re-emerging?
In 2020, when the pandemic hit and many organizations and individuals shifted to remote and hybrid ways of working, the browser became where most of our work happens. HTML Smuggling delivers malware by effectively bypassing various network security solutions, including sandboxes, legacy proxies and firewalls. Attackers are using HTML Smuggling to deliver the payload to the endpoint because, with no network solution in a position to block it, the browser is one of the weakest links.
We have seen attackers leverage HTML Smuggling using both email attachments and web drive-by downloads.
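Because the file is assembled inside the browser rather than fetched as a file, a network proxy only ever sees HTML and script text. One defensive option that follows from this is to inspect the HTML itself for the combination a smuggled download needs: a Base64 literal decoded into a Blob, an object URL, and a forced download. The scanner below is an added example (not Menlo's tooling); the two sample pages are constructed here, the Base64 content is just "ABCDEF" repeated, and the indicator names and scoring rule are this example's own choices.

```python
import re

# Constructed sample page (not a real campaign artifact): script rebuilds a file
# from a Base64 literal inside the browser and triggers a download, which is
# the pattern described in the article. The literal is harmless filler text.
SMUGGLING_SAMPLE = """<html><body>
<script>
var b64 = "%s";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'statement.iso';
a.click();
</script></body></html>""" % ("QUJDREVG" * 40)

# Constructed benign page: an ordinary server-hosted download link.
BENIGN_SAMPLE = """<html><body><h1>Quarterly statement</h1>
<a href="/files/statement.pdf" download>Download PDF</a>
<script>console.log("loaded");</script>
</body></html>"""

# Each indicator on its own is legitimate web development; the verdict keys on
# the combination (file built in memory + something that forces a download).
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ie_save_blob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|<a\b[^>]*\bdownload\s*=\s*[\"']"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "risky_extension": re.compile(
        r"[\"'][^\"'\n]*\.(?:iso|img|vhd|vhdx|exe|js|vbs|lnk|hta)[\"']", re.I),
    "long_b64_literal": re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"),
}


def scan_html(html: str) -> dict:
    """Return the matched indicator names and a verdict for one HTML document."""
    matched = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    hits = set(matched)
    builds_file = "blob_construct" in hits and (
        "object_url" in hits or "ie_save_blob" in hits)
    forces_download = "download_attr" in hits or "auto_click" in hits
    return {"matched": matched, "suspicious": builds_file and forces_download}


if __name__ == "__main__":
    for label, doc in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html(doc))
```

The scanner is deliberately conservative: a page is only flagged when it both constructs a file in memory and pushes it to the user, so a site that merely uses `atob` or `Blob` for its own purposes is not reported. Obfuscated scripts will evade plain regexes, which is why this belongs alongside endpoint telemetry rather than replacing it.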
What gets downloaded to the endpoint is an ISO file. Why an ISO file? ISO files are disk images that contain all the files or folders required to install software on endpoints. Attackers are always trying to test web and email gateway devices to see what file formats are exempt from inspection and incorporate that into their tactics, techniques and procedures. ISO file formats are preferred by attackers because they do not require any third-party software to install.
We have identified many different malicious scripts that are being used. Below is a list of all of the malicious scripts that we observed embedded in the ISO file:
- Spectrum (statement).vbs
- court .vbs
Once the VBScript is executed, it fetches additional PowerShell scripts.
ISOMorph achieves persistence by first creating a Windows directory called “Microsoft Arts\Start” under “C:\Program Data\”. It then sets the registry values under the “User Shell Folders” and “Shell Folders” keys to point to the directory just created. The PowerShell script then downloads a file called “Dicord.lnk” into the “C:\Program Data\Microsoft Arts\Start\” directory.
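Redirecting the Startup shell folder means Explorer launches whatever sits in the attacker's directory at logon, without touching the classic Run keys. A defender can check for this by comparing the Startup values under both Explorer keys against where they should point. The audit below is an added example, not Menlo's code; it assumes the value names involved are “Startup” (per user) and “Common Startup” (all users), which the article does not state, and the environment variable expansions and the tampered sample values are constructed here.

```python
import re
import sys

# Registry values that control where Explorer looks for startup items.
# (hive, key path, value name); the value names are this example's assumption.
STARTUP_VALUE_NAMES = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Startup"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Startup"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Common Startup"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common Startup"),
]

# Every legitimate startup folder ends with this path, whichever profile or
# drive it lives on, so a suffix comparison avoids hard-coding user names.
EXPECTED_SUFFIX = r"\microsoft\windows\start menu\programs\startup"

# Assumed expansions for an offline run; a live host uses its real environment.
ASSUMED_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming", "PROGRAMDATA": r"C:\ProgramData"}

# Constructed healthy sample: the normal Windows defaults.
HEALTHY_SAMPLE = {
    STARTUP_VALUE_NAMES[0]: r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    STARTUP_VALUE_NAMES[1]: r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    STARTUP_VALUE_NAMES[2]: r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup",
    STARTUP_VALUE_NAMES[3]: r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
}

# Constructed tampered sample: the per-user values point at the directory the
# article describes.
TAMPERED_SAMPLE = dict(HEALTHY_SAMPLE)
TAMPERED_SAMPLE[STARTUP_VALUE_NAMES[0]] = r"C:\Program Data\Microsoft Arts\Start"
TAMPERED_SAMPLE[STARTUP_VALUE_NAMES[1]] = r"C:\Program Data\Microsoft Arts\Start"


def normalize(path: str, env=ASSUMED_ENV) -> str:
    """Expand %VAR% references, drop a trailing backslash and lower-case."""
    expanded = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)
    return expanded.rstrip("\\").lower()


def audit_startup_folders(values: dict) -> list:
    """Return one finding per value that does not resolve to a Startup folder."""
    findings = []
    for (hive, key, name), data in values.items():
        if not normalize(data).endswith(EXPECTED_SUFFIX):
            findings.append(f"{hive}\\{key}\\{name} -> {data}")
    return findings


def collect_live_values() -> dict:
    """Read the four values from the local registry (Windows only)."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out = {}
    for hive, key, name in STARTUP_VALUE_NAMES:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                out[(hive, key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass  # value or key absent on this host
    return out


if __name__ == "__main__":
    values = collect_live_values() if sys.platform == "win32" else TAMPERED_SAMPLE
    for finding in audit_startup_folders(values) or ["no redirected startup folders"]:
        print(finding)
```

On a Windows host the script reads the live values; elsewhere it runs against the constructed tampered sample so the logic can be exercised offline. A redirected value is worth an alert on its own, and the contents of the new directory (here, the downloaded .lnk) are the next thing to collect.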
The threat actors behind this particular campaign execute the malicious code by proxy, injecting it into MSBuild.exe. MSBuild is a trusted process, so by injecting into it, application whitelisting solutions are easily circumvented. The bad actors use reflection to load a DLL (dynamic link library) in memory and inject the RAT payload into MSBuild.exe. Reflection enables developers to obtain information about loaded DLLs and the types defined within them, invoke methods, and so on. AV solutions usually look at any DLLs that get loaded by monitoring the LoadLibrary API. By reflectively loading the DLLs and invoking certain methods, malware authors can bypass AV. This maps directly to Technique T1127.001 in the MITRE ATT&CK framework.
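Since a reflectively loaded DLL never passes through LoadLibrary, the more reliable signal here is process lineage: MSBuild.exe started by a script host, running from an unexpected location, or given no project file. The rule below is an added example written against process-creation events of the kind Sysmon or an EDR records; it is not Menlo's detection content. The event records, the list of expected MSBuild install roots and the user-writable path list are constructed assumptions for this example.

```python
import ntpath
import re

# Script interpreters that should rarely be the parent of a build tool.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumed legitimate locations of MSBuild.exe (lower-cased substrings).
EXPECTED_ROOTS = ("\\microsoft.net\\framework", "\\microsoft visual studio\\", "\\program files\\dotnet\\")

# Arguments MSBuild normally receives; an inline-task payload is still one of these.
PROJECT_EXTS = (".proj", ".csproj", ".vbproj", ".sln", ".targets", ".xml")

# Locations a build project has no business living in (includes the article's spelling).
USER_WRITABLE = ("\\programdata\\", "\\program data\\", "\\users\\public\\", "\\appdata\\", "\\temp\\")

# Constructed process-creation events: one developer build, one proxy execution
# from PowerShell using the directory named in the article, one relocated copy.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "command_line": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'MSBuild.exe "C:\Program Data\Microsoft Arts\Start\build.xml"'},
    {"image": r"C:\Users\Public\MSBuild.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "MSBuild.exe"},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_msbuild_abuse(event: dict) -> list:
    """Return the reasons (possibly none) one process-creation event looks like MSBuild proxy execution."""
    reasons = []
    if _basename(event["image"]) != "msbuild.exe":
        return reasons
    image = event["image"].lower()
    parent = _basename(event["parent_image"])
    cmd = event["command_line"].lower()

    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    if not any(root in image for root in EXPECTED_ROOTS):
        reasons.append("binary outside expected install locations")

    # Tokenise the command line (quoted arguments kept whole) and drop argv[0].
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)][1:]
    projects = [t for t in tokens if t.endswith(PROJECT_EXTS)]
    if not projects:
        reasons.append("no project file on the command line")  # weak signal on its own
    for project in projects:
        if any(loc in project for loc in USER_WRITABLE):
            reasons.append(f"project file in user-writable location: {project}")
    return reasons


def scan_events(events: list) -> list:
    """Run the rule over a batch and keep only events that produced reasons."""
    alerts = []
    for index, event in enumerate(events):
        reasons = detect_msbuild_abuse(event)
        if reasons:
            alerts.append({"index": index, "image": event["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The developer build (first event) produces nothing, while the PowerShell-launched build and the relocated binary each yield two reasons. In production the rule should be paired with a network-connection event for MSBuild.exe, since a build tool reaching out to a chat platform's CDN is the behaviour this campaign actually depends on.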
Command & Control
As seen from the previous step, a method (WpfControlLibary1.LOGO.hahaha) in the .NET RAT payload is called to start the AsyncRAT functionality. AsyncRAT encrypts its configuration using AES.
The Base64 strings are the encrypted configuration of the RAT. Upon decryption with the hardcoded AES key, we can see the CnC server host/port, version and other settings for the RAT.
Threat Actor and campaign information
NJRAT/AsyncRAT is the Remote Access Trojan that gets dropped on the endpoint. While this RAT family has been used by many different attackers and threat actors over the years, it was predominantly used to compromise high-value targets in the Middle East. The fact that those groups have used the RAT does not mean that they are behind this specific campaign.
Attackers are constantly testing newer methods to get their payloads to the endpoint, and we have noticed an increase in the use of HTML Smuggling for initial access. This technique is gaining popularity because attackers can get their payloads to the endpoint while bypassing all network inspection and analysis tools. Also, since the payload is constructed directly in the browser, there is a gap in logging and visibility for SIEM (security information and event management) and EDR (endpoint detection and response) tools. We believe that knowing and understanding initial access methods is critical to prevention, detection and response strategy, and to plugging that hole.
Vinay Pidathala, Director of Security Research, Menlo Labs, part of Menlo Security