![]() “The LNK file starts PowerShell to execute the PowerShell script masqueraded in a ‘.log’ extension rather than ‘.ps1’. “When the HTML is loaded, it drops an ISO file containing an LNK file that, when clicked, launches the payload execution sequence,” the company wrote. In December, Trustwave SpiderLabs uncovered a spam email HTML attachment dropping Cobalt Strike via Adobe PDF viewer-themed impersonation. Users should understand that HTML files attached to unexpected emails are just as great a risk as any other malicious attachment.”Ĭobalt Strike HTML smuggling campaign detected in December 2022 This is a very common technique among phishers. “If users will think that Google Drive or Acrobat is telling them that there’s an issue with a file they need to open, they could then trust that it’s Adobe or Google telling them to use the local copy. When brand impersonation is involved, things can be even more tricky, Sigler adds. HTML attachments happen quite a bit, especially when HTML formatting of an email gets stripped to plain text and then attached to the email itself.” “Users often know to avoid unexpected attachments in formats like Word DOCX or PDF, but unfortunately, HTML files are often considered safe. HTML smuggling attacks can be challenging to prevent and protect against, Karl Sigler, senior security research manager at Trustwave SpiderLabs, tells CSO. The four malware strains that have recently been detected using HTML smuggling in their infection chain are Cobalt Strike, Qakbot, IcedID, and Xworm RAT, the firm added. It is not a new attack method, but it has grown in popularity since Microsoft started blocking macros in documents from the internet by default, Trustwave SpiderLabs wrote. HTML smuggling uses HTML5 attributes that can work offline by storing a binary in an immutable blob of data (or embedded payload) within JavaScript code, which is decoded into a file object when opened via a web browser. The firm has detailed four recent HTML smuggling campaigns attempting to lure users into saving and opening malicious payloads, impersonating well-known brands such as Adobe Acrobat, Google Drive, and the US Postal Service to increase the chances of users falling victim. ![]() Trustwave SpiderLabs researchers have cited an increased prevalence of HTML smuggling activity whereby cybercriminal groups abuse the versatility of HTML in combination with social engineering to distribute malware. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |