HTML Smuggling Detection

The most famous fictional smuggler that I could think of

Introduction

Our Itinerary

Background

  • It uses HTML Smuggling, where a malicious HTML file containing encoded JavaScript is executed by the victim’s browser, downloading the next stage of the payload.
  • It uses password protected zip files to block sandboxing analysis.
  • It uses a disk image format called an .iso file to evade the Mark-of-the-Web protection, as Red Canary explains very well.
  • LNK files disguised to lure users into executing to hidden .CMD and .DLL files.
  • And on and on with ever more deceptive tricks!

The Objective

Me, after seeing yet another QakBot variation

Initial Observation and Analysis of QakBot Malware

2022-12-09 (FRIDAY) - HTML SMUGGLING FOR QAKBOT (QBOT) DISTRIBUTION TAG: AZD

DISTRIBUTION:

- Unknown source, possibly email --> HTML file --> password-protected zip archive --> extracted ISO image with .img file extension
Seems legit
The shortcut LNK (SCAN_DT6281) and hidden folder (IncomingPay)
C:\Windows\System32\cmd.exe /c IncomingPay\Issues.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
Notice the commands logged immediately after I took the bait!
I forgot to include in the screenshot, but the parent process for all these commands was wermgr.exe (what???)
Uhhhhh………………
  • The malware sample contained a malicious initial access vector (duh, the rogues gallery of the .html, .zip, .img, .lnk, .cmd, and .lc files).
  • The malware would download the zip file after opening the HTML page in a browser, and the zip file contained a mountable .img file.
  • The mounted drive contained a malicious shortcut that would result in the execution of additional commands.
  • An injected wermgr.exe process spawned an automated burst of recon activity and then connected to suspicious external IP addresses, presumably to send the attacker information about our system and network.
Rogues Gallery

Breaking Down the Attack into Detection Building Blocks

  1. Phishing email sent to victim containing an HTML attachment.
  2. Creation of an HTML file in suspicious locations.
  3. Opening of a stand-alone HTML file in a browser application.
  4. Download/creation of a zip file by the browser application.
  5. Opening/extraction of a password-protected zip file.
  6. Creation of a mountable disk drive file format (.iso, .img, etc).
  7. Mounting a drive.
  8. Process execution on an external drive (either from an executable on that drive, or system executable touching files on that drive).

The Good News

The Bad News

Brittle vs. Resilient

Determining the Building Blocks to Test

  1. Web Browser Creates (Downloads) Zip Archive File (represents opening the malicious HTML file in a browser).
  2. ISO, VHD, LNK or IMG File Extracted from Zip (extracting the malicious disk image file).
  3. Disk Image Mount (mounting the image — this one I pulled directly from Sigma).
  4. Suspicious User-Initiated Process Execution on External Drive (clicking the .lnk file which runs or references files on the external drive).

Sigma Correlations

action: correlation
type: temporal
rule:
- many_failed_logins
- successful_login
group-by:
- User
timespan: 1h
ordered: true
title: HTML Smuggling Activity - Chain Rule
id: 0952f2fa-e29b-4eb5-831c-ce21520c56e3
status: experimental
description: Detects HTML smuggling-style compromise (such as HTML > ZIP > ISO/IMG/VHD > CMD/BAT/VBS > DLL). Includes rules to detect zipfile dropped by browser, ISO/IMG/VHD/LNK file extraction, disk image mount, followed by user-initiated process creation on an external drive.
references:
- https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/#:~:text=HTML%20smuggling%20is%20a%20technique,directly%20on%20the%20victim's%20device.
- https://www.malwarebytes.com/blog/news/2021/11/evasive-maneuvers-html-smuggling-explained
- Original research and analysis performed off of QakBot intelligence gathered at https://github.com/pr0xylife/Qakbot, https://www.malware-traffic-analysis.net/, and https://github.com/executemalware/Malware-IOCs
author: Micah Babinski
date: 2022/12/27
tags:
- attack.s0650
- attack.s0483
- attack.initial_access
- attack.defense_evasion
- attack.execution
- attack.t1564
- attack.t1566.001
- attack.t1566
- attack.t1027
- attack.t1027.006
- attack.t1059
- attack.t1204
- attack.t1204.002
action: correlation
type: temporal
rule:
- 1_win_zipfile_drop.yml
- 2_win_susp_file_extraction.yml
- 3_win_security_iso_mount.yml
- 4_win_process_creation_ext_drive.yml
group-by:
- ComputerName
- User
timespan: 1h
ordered: true
falsepositives:
- Unknown
level: high

Testing the Correlation

My 10 lovely HTML smuggling samples all ready to test

Bonus Round!

Windows Script File (.wsf) Delivered During a Recent QakBot Attack

Conclusion

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Micah Babinski

Cybersecurity pro, featuring bagpiping and GIS chops. Lives with wife Quinn and son Malcolm. Loves mountains, Indian food, and mountains of Indian food.