This past month, Trustwave SpiderLabs observed that HTML (Hypertext Markup Language) file attachments had become a common occurrence in our spam traps, which is not unusual since malware is often delivered through phishing spam. For the past 30 days, SpiderLabs has found the combination of .HTML (11.39%) and .HTM (2.7%) files are our second most spammed file attachment, totalling 14.09%, followed by .EXE files at 12.84%.
Figure 1: HTML file attachment type percentages
These threat actors are phishers, the main purpose is to steal sensitive information (like login credentials and credit card information) either for identity theft, extortion, to get access to the victim's finances, to buy goods or services, etc.
According to Microsoft, cybercriminal group DEV-0238 and DEV-0253 have also been sending HTML attachments that use HTML smuggling to deliver keyloggers. Microsoft has also attributed HTML smuggling to cybercriminal group DEV-0193 with HTML smuggling to deliver Trickbot malware.
Phishing attacks using HTML attachments
The most common spammed HTML attachments seen are phishing pages. The HTML file itself is generally benign, meaning it does not have any malicious code that launches arbitrary code into the system. This attachment, however, should be treated with caution. It mimics the sign-in page for services like Microsoft, Google or online banking pages and the danger is when a user falls for the scam, enters their credentials into the form, and submits it.
Figure 2: Samples of phishing email with HTML attachments
Figure 3: HTML attachments that mimic Microsoft sign-in page. The phishing page may also have the target user’s email address hard-coded in the page.
Hard-coding the email addresses helps trick the victim into believing they had previously signed-on to the page, since they only need to enter their password. Overall, this tactic makes the email appear more legitimate.
Figure 4: Phishing HTML source code
Malware Delivery using HTML smuggling
The screenshot below is an example of a spam campaign with an HTML file attachment.
Figure 7: An example of a Qakbot spam campaign that uses HTML file attachment
Figure 8: File smuggling
The HTML source would look something like the screenshot below:
Figure 8.1: HTML source example
Shown below is the attack flow overview:
Figure 9: Attack flow overview
As you can see, obfuscation is the common denominator of this spammed HTML attachment. This just shows how difficult it is to detect this kind of threat in the email gateway layer. Although most of the time HTML files are benign when opened, the danger is subsequent to the user’s action. Coupled with social engineering, this is what makes this type of attack successful.
hxxps://valdia[.]quatiappcn[.]pw hxxps://fatnaoacnsoxzssa[.]web[.]app/nyrsjhrgsdvxzzx/themes/css/435d220bee10a57b635805e70b50fd90nbr1657558944[.]css hxxps://fatnaoacnsoxzssa[.]web[.]app/nyrsjhrgsdvxzzx/themes/css/2a4e8eea72f5947287e793a9b9355d9fnbr1657558944[.]css hxxps://unpkg[.]com/axios@0[.]16[.]1/dist/axios[.]min[.]js hxxps://fatnaoacnsoxzssa[.]web[.]app/nyrsjhrgsdvxzzx/themes/435d220bee10a57b635805e70b50fd90nbr1657558944[.]js hxxps://unpkg[.]com/vue@2[.]6[.]11/dist/vue[.]min.js hxxps://unpkg[.]com/vue-router@2[.]7[.]0/dist/vue-router[.]min[.]js hxxps://cdnjs[.]cloudflare[.]com/ajax/libs/vuex/2[.]3[.]1/vuex[.]min[.]js hxxps://ajax[.]googleapis[.]com/ajax/libs/jquery/3[.]2[.]1/jquery[.]min[.]js hxxps://cdnjs[.]cloudflare[.]com/ajax/libs/vee-validate/2[.]0[.]0-rc[.]3/vee-validate[.]min[.]js hxxps://cdnjs[.]cloudflare[.]com/ajax/libs/vue-i18n/7[.]0[.]3/vue-i18n[.]min[.]js hxxps://unpkg[.]com/lodash@4[.]17[.]4/lodash[.]min[.]js hxxps://cdnjs[.]cloudflare[.]com/ajax/libs/mobile-detect/1[.]3[.]6/mobile-detect[.]min[.]js hxxps://fatnaoacnsoxzssa[.]web[.]app/nyrsjhrgsdvxzzx/themes/708d225d43415316016978101b90d070[.]js
Phishing HTML attachment 8ac0f6c2c31934801c4c6ae5606997b5c84a59290287059ec8ea68754921899a (SHA256) ScannedDocuments_9720709.html.zip e1c7c9ba81d2c8bd09b1cdc25ccb44e6763f8906486c5298c40efcb2133ad017 (SHA256) ScannedDocuments_9720709.html : Qakbot Cecfabcc1b8f0467a0f646d0a75bd3a94e71c1a2ca41380b75f3a60e7827d2b9 (SHA256) ScannedDocuments_9720709.img : Qakbot 1cbc3422305b203bba574a0d59263e377c61a198f229430131570045c59a3521 (SHA256)