Hackers using HTML Smuggling Technique to Deliver Ransomware and Evade Detection

Threat actors adopt the highly invasive techniques of HTML smuggling to launch  Nokoyawa ransomware despite being delivered through macro and ICedID malware.

The Nokoyawa Ransomware variant has been active since February 2022 and shares the similarity of known ransomware groups Nemty and Karma.

The DFIR report states that two threat actors were involved in the campaign: the distributor and the hands-on keyboard actor.

Microsoft tracks them as Storm-030 and Storm-0390, a “pen test” team managed by Periwinkle Tempest.

HTML smuggling attacks commonly use default JavaScript and HTML functionality to obfuscate parts of the HTML file. 

HTML Smuggling

The threat actor delivers the payload via emails by attaching the malicious HTML file to the target.

Once the user opens the HTML file, the ZIP file will be downloaded on the user’s machine and ask for the password to open the file.

The malware payload was embedded inside the ISO file, and it is attached with a ZIP file. The only visible file to the user was an LNK file masquerading as a document.

When the user clicked the LNK file, a series of commands were then executed to copy rundll32 and a malicious DLL from  ISO to the host before executing the malware. 

Persistence was also established via a scheduled task on the beachhead host when the malicious DLL was executed. 

This task was set to run the IcedID malware every hour on the host. Initial discovery commands were run seconds after reaching out to the command and control server. 

 Using the Cobalt Strike beacon, the threat actor looked up specific domain administrators using the net utility.

Using one of those accounts, the threat actor initiated an RDP session to move laterally to a domain controller. 

Later, they use SessionGopher to log into additional hosts over RDP, including a backup server and a server with file shares. 

Finally, they execute  k.exe and p.bat.,ransomware binary and a batch script files to launch the ransomware.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.