ISOMorph Attack leverages HTML Smuggling to deliver malware

HTML Smuggling is a technique for delivering a first-stage dropper to the endpoint. It is fast gaining notoriety and was recently employed in the spear-phishing campaign carried out by the Nobelium group.

According to Menlo Security, a malware campaign dubbed ISOMorph, which the team has been monitoring, leverages HTML Smuggling to deliver malicious files to victims' endpoints while evading security solutions such as sandboxes and legacy proxies.

The ISOMorph attack is multi-staged and is capable of checking for and disabling various anti-virus programs running on the endpoint.

How does ISOMorph use HTML Smuggling to deliver malicious files?

The ISOMorph attack uses HTML Smuggling to deliver the payload to the endpoint because the browser is one of the weakest links: no security solution is positioned to block a payload that is assembled there. HTML Smuggling delivers malicious files by effectively bypassing network security solutions, including legacy proxies, sandboxes, and firewalls.



Attackers use this technique to construct the malicious payload programmatically on the HTML page using JavaScript, rather than issuing an HTTP request to fetch a resource from a web server. It is neither a bug nor a design flaw in browser technologies; developers most often use the same technique to optimize file downloads.

The threat actors behind ISOMorph use JavaScript code to construct the payload in the browser: they create an "a" element, set its HREF to the blob, and programmatically click it, which triggers the download to the endpoint.

However, once the payload is downloaded to the endpoint, the user still has to open it for the malicious code to execute.
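Because the download is assembled inside the browser, network inspection never sees a file; what a defender can inspect is the HTML itself (for example an HTML attachment arriving by mail). The script below is an added example, not code from the article or from Menlo Security, and not captured ISOMorph content. It extracts inline scripts from an HTML document with Python's standard-library parser and scores the co-occurrence of the browser APIs the article describes (decoding embedded data, building a Blob, creating an "a" element, setting a download target, programmatic click). The indicator names, the regexes, the threshold and the sample pages are all my own constructed assumptions; the "legitimate export" fixture exists to show the article's caveat that developers use the same pattern for ordinary downloads, which is why the verdict additionally requires a decode step rather than raw score alone.

```python
import re
from html.parser import HTMLParser

# Each indicator is a legitimate browser API on its own (the article notes that
# developers use this pattern to optimise downloads), so the heuristic only
# reacts when several of them occur together inside the page's inline scripts.
# Indicator names and patterns are assumptions for this example.
INDICATORS = {
    "decode":   re.compile(r"\batob\s*\(|\bUint8Array\b|\bcharCodeAt\b"),
    "blob":     re.compile(r"\bnew\s+Blob\s*\("),
    "objurl":   re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob"),
    "anchor":   re.compile(r"createElement\s*\(\s*['\"]a['\"]\s*\)"),
    "download": re.compile(r"\.download\s*="),
    "click":    re.compile(r"\.click\s*\(\s*\)"),
}


class _ScriptExtractor(HTMLParser):
    """Collect the text of every inline <script> element in the document."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            self.scripts[-1] += data


def inline_scripts(html):
    parser = _ScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.scripts


def score_html(html):
    """Return (score, sorted indicator names) matched across all inline scripts."""
    matched = set()
    for script in inline_scripts(html):
        for name, pattern in INDICATORS.items():
            if pattern.search(script):
                matched.add(name)
    return len(matched), sorted(matched)


def is_suspicious(html, min_indicators=4):
    """Flag a page only if it decodes embedded data AND wires the result into a
    programmatic download; an ordinary 'export this text' feature never decodes."""
    score, names = score_html(html)
    return "decode" in names and score >= min_indicators


# Constructed fixtures (not real campaign content). "Y29uc3RydWN0ZWQ=" is just
# base64 for the word "constructed".
SMUGGLING_SAMPLE = """<html><body><script>
  var bytes = atob("Y29uc3RydWN0ZWQ=");
  var blob = new Blob([bytes], {type: "application/octet-stream"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "download.bin";
  document.body.appendChild(a);
  a.click();
</script></body></html>"""

# Same download plumbing, but fed by user-visible page content: the benign
# "optimise file downloads" case the article mentions.
LEGIT_EXPORT = """<html><body><textarea id="notes"></textarea><script>
  function exportNotes() {
    var blob = new Blob([document.getElementById("notes").value], {type: "text/plain"});
    var a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    a.download = "notes.txt";
    a.click();
  }
</script></body></html>"""

PLAIN_PAGE = """<html><body><p id="greeting"></p><script>
  document.getElementById("greeting").textContent = "Hello";
</script></body></html>"""


if __name__ == "__main__":
    for label, page in [("smuggling", SMUGGLING_SAMPLE), ("export", LEGIT_EXPORT), ("plain", PLAIN_PAGE)]:
        print(label, score_html(page), "suspicious" if is_suspicious(page) else "ok")
```

Run as a script it prints the score and verdict for each fixture; in practice you would feed it HTML attachments pulled from the mail gateway or proxy logs and triage the hits, since the decode-plus-download combination is a strong but not infallible signal.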

How to mitigate against the ISOMorph attack?

HTML Smuggling is gaining popularity because attackers can easily get their payloads to the endpoint while bypassing all network security, inspection and analysis tools.

As attackers increasingly upgrade the ways they get their payloads to the endpoint, using techniques such as HTML Smuggling for initial access, knowing the initial access methods is critical to a strong response strategy.
