SpiderLabs Blog

HTML File Attachments: Still A Threat

Introduction

This past month, Trustwave SpiderLabs observed that HTML (Hypertext Markup Language) file attachments had become a common occurrence in our spam traps, which is not unusual since malware is often delivered through phishing spam. Over the past 30 days, SpiderLabs found that the combination of .HTML (11.39%) and .HTM (2.7%) files, totaling 14.09%, is our second most spammed file attachment type, followed by .EXE files at 12.84%.

Figure 1: HTML file attachment type percentages

These threat actors are phishers whose main purpose is to steal sensitive information (such as login credentials and credit card details) for identity theft, extortion, access to the victim's finances, buying goods or services, and so on.

According to Microsoft, the cybercriminal groups DEV-0238 and DEV-0253 have also been sending HTML attachments that use HTML smuggling to deliver keyloggers, and Microsoft has attributed HTML smuggling that delivers Trickbot malware to the group DEV-0193.

Phishing attacks using HTML attachments

The most common spammed HTML attachments seen are phishing pages. The HTML file itself is generally benign, meaning it does not contain malicious code that executes arbitrary code on the system. The attachment should still be treated with caution: it mimics the sign-in page of services like Microsoft, Google or online banking sites, and the danger comes when a user falls for the scam, enters their credentials into the form, and submits it.

Figure 2: Samples of phishing emails with HTML attachments

Figure 3: HTML attachments that mimic the Microsoft sign-in page. The phishing page may also have the target user's email address hard-coded in the page.

SpiderLabs noticed that recent phishing HTML files contained the hard-coded email address of the target user, which makes the page more convincing to the victim. At the source level, adversaries employ various levels of code obfuscation; the JavaScript is usually obfuscated with open-source tools like JavaScript Obfuscator. The HTML files are not stand-alone, though: they pull the jQuery library and additional CSS and JavaScript code from various remote web servers to handle form objects and form actions.

Hard-coding the email address helps trick the victim into believing they have previously signed in to the page, since they only need to enter their password. Overall, this tactic makes the email appear more legitimate.

Below is the HTML source from one of the phishing attacks; it shows the level of JavaScript obfuscation.

Figure 4: Phishing HTML source code

In most instances, the HTML file is not fully autonomous. The JavaScript it references from inline script tags is usually loaded from remote servers: a mixture of legitimate CDN (content delivery network) hosts and hosts operated by the actors. Usually, the JavaScript that handles the data exfiltration is hosted on the actor's own web server (or one operated on their behalf).

Figure 5: Inspecting the HTML source shows the JavaScript files it pulls from the remote web server.

Figure 6: JavaScript code loaded from the remote host (valdia.quatiappcn.pw) by the HTML attachment. It handles additional HTML DOM form actions, jQuery objects and CSS styling, as well as anti-debugging and URL form checking.

Malware Delivery using HTML smuggling

To evade email gateways, adversaries use a technique called HTML smuggling to deliver a malware binary to a target user. The method relies on HTML5 features that work offline: the binary is stored inside the HTML file as an immutable blob of data embedded in JavaScript code. When the file is opened in a web browser, the blob is decoded into a file object and the browser shows a download notification bar. Combined with social engineering, this lures the target user into saving the binary to disk and opening it.

The screenshot below is an example of a spam campaign with an HTML file attachment.

Figure 7: An example of a Qakbot spam campaign that uses an HTML file attachment

When loaded into a browser, the HTML file runs JavaScript that makes it look as if a file was downloaded from a remote web server. The ZIP file, however, is smuggled within the HTML source as a data blob, which the JavaScript code decodes and converts back into a ZIP file.

Figure 8: File smuggling

The HTML source would look something like the screenshot below:

Figure 8.1: HTML source example
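
As an added example (not code from the original post), the following Python triage helper applies the indicators discussed in the two sections above, remote script hosts, hard-coded email addresses, obfuscated identifiers and an inline base64 file blob, to a constructed sample attachment; the sample HTML, host names and file names are made up for illustration.

```python
import base64
import re
from urllib.parse import urlparse

# JavaScript APIs typically used to turn an embedded blob into a download.
SMUGGLING_APIS = ("new Blob(", "createObjectURL(", "msSaveOrOpenBlob(", "atob(")
# Traces of javascript-obfuscator style output: _0x identifiers, hex escapes.
OBFUSCATION_RE = re.compile(r"_0x[0-9a-f]{4,}|\\x[0-9a-f]{2}", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)
# Smuggled files are usually carried as one long quoted base64 literal.
B64_LITERAL_RE = re.compile(r"[\"']([A-Za-z0-9+/]{64,}={0,2})[\"']")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf"}

def sniff(data: bytes) -> str:
    """Classify a decoded payload by its leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def analyze_html_attachment(html: str) -> dict:
    """Static triage: remote script hosts, hard-coded addresses,
    obfuscation hints and any file payload smuggled inline."""
    payloads = []
    for literal in B64_LITERAL_RE.findall(html):
        try:
            data = base64.b64decode(literal, validate=True)
        except ValueError:
            continue  # long literal but not base64, e.g. a minified token
        payloads.append({"size": len(data), "type": sniff(data)})
    hosts = {urlparse(u).hostname for u in SCRIPT_SRC_RE.findall(html)}
    return {
        "script_hosts": sorted(h for h in hosts if h),
        "emails": sorted(set(EMAIL_RE.findall(html))),
        "obfuscation_hits": len(OBFUSCATION_RE.findall(html)),
        "smuggling_apis": [api for api in SMUGGLING_APIS if api in html],
        "payloads": payloads,
    }

# Constructed sample, not a real attachment: a ZIP header padded with zeros,
# embedded as base64 next to the API pattern described above.
_SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 60
SAMPLE_HTML = f"""<html><body>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<script src="https://example-actor.invalid/themes/form.js"></script>
<input id="login" value="victim@example.com">
<script>
var _0x4f2a = "{base64.b64encode(_SAMPLE_ZIP).decode()}";
var blob = new Blob([atob(_0x4f2a)]);
var url = URL.createObjectURL(blob);
</script></body></html>"""
```

Running `analyze_html_attachment(SAMPLE_HTML)` reports the two script hosts, the hard-coded address, two obfuscated identifiers, three smuggling APIs and one 64-byte inline payload sniffed as a ZIP, which is the combination a gateway or sandbox rule would escalate.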

Shown below is the attack flow overview:

Figure 9: Attack flow overview

Conclusion

As you can see, obfuscation is the common denominator of these spammed HTML attachments, which shows how difficult it is to detect this kind of threat at the email gateway layer. Although HTML files are usually benign when opened, the danger follows from the user's subsequent action. Coupled with social engineering, this is what makes this type of attack successful.

IOCs

URLs

Hashes (SHA256)

Phishing HTML attachment: 8ac0f6c2c31934801c4c6ae5606997b5c84a59290287059ec8ea68754921899a

ScannedDocuments_9720709.html.zip: e1c7c9ba81d2c8bd09b1cdc25ccb44e6763f8906486c5298c40efcb2133ad017

ScannedDocuments_9720709.html (Qakbot): Cecfabcc1b8f0467a0f646d0a75bd3a94e71c1a2ca41380b75f3a60e7827d2b9

ScannedDocuments_9720709.img (Qakbot): 1cbc3422305b203bba574a0d59263e377c61a198f229430131570045c59a3521
