SecurityOnline: HTMLSmuggler: JS payload generator for IDS bypass and payload delivery via HTML smuggling https://securityonline.info/htmlsmuggler-js-payload-generator-for-ids-bypass-and-payload-delivery-via-html-smuggling/ #JSpayloadgenerator #WebExploitation #HtmlSmuggling
SecurityOnline: Html Smuggling: hide malware payloads in an encoded script https://securityonline.info/html-smuggling-hide-malware-payloads-in-an-encoded-script/ #SocialEngineering #HtmlSmuggling #Exploitation
Catch up on last week's infosec news with our latest newsletter: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-538
#RaspberryRobin continues to improve its evasion mechanisms, extracting more data from victims in the Financial sector.
#Dridex developers look to be dabbling in creating a Mac variant - but aren't quite there yet.
#HTMLSmuggling is being used increasingly over the past few months by heavy-hitting first stage malware such as Qakbot, IcedID and BumbleBee - make sure you understand how it works and how to spot it.
#infosec #CyberAttack #Hacked #cyber #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities
HTML smugglers turn to SVG images - HTML smuggling is a technique attackers use to hide an encoded malicious script within an... https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/ #htmlsmuggling #qakbot
Found more files today (Tuesday, 2022-12-13) for #HTMLsmuggling leading to #CobaltStrike.
Same IP address for Cobalt Strike C2 server.
Same persistence method
But this time it's HTML file --> .js --> HTTP traffic for .ps1 --> Cobalt Strike C2.
Instead of the .ps1 file being in a disk image, it's hosted on a web server and retrieved (in this case) by the .js file smuggled through the HTML attachment.
IOCs from today available at: http://bit.ly/3Wh7PC8
From Twitter: https://twitter.com/malware_traffic/status/1601427213030920192
2022-12-09 (Friday) - #HTMLsmuggling that led to #Qakbot (#Qbot) with a distribution/botnet tag of "azd"
Malware samples, #pcap, and IOCs available at: https://malware-traffic-analysis.net/2022/12/09/index.html
I assume the HTML file I found on VT was sent through email, even though I have no proof. But where else would it have come from?
Distribution chain: HTML file (possibly from email) --> password-protected zip archive --> extracted ISO image with .img file extension.
Maybe distributors for Qakbot have stopped using .vhd images like they've been doing since December 1st.
#htmlsmuggling #qakbot #qbot #pcap
2022-12-01 (Thursday) - obama224 distribution #Qakbot (#Bot) #HTMLsmuggling
Infection chain:
email --> HTML attachment --> password-protected zip archive --> extracted .vhd image --> Windows shortcut in .vhd image runs hidden Qakbot DLL in the same .vhd image
Three things about this Qakbot campaign using .vhd files:
1) You need administrative privileges to mount a .vhd file. Normal users in an AD environment cannot mount these.
2) Even when I used a domain admin password, those .vhd images wouldn't mount in an AD environment.
3) The .vhd images mounted just fine on a stand-alone Win 10 host.
Does the threat actor behind this wave of Qakbot want to get into a high-value AD environment? If so, this method won't be very effective.
A victim would have to infect a stand-alone host, then someone would have to connect that to an AD environment.
Maybe someone's personal laptop? I don't know how this would reasonably work.
Researchers Warn of Active Malware Campaign Using HTML Smuggling - A recently uncovered, active campaign called "Duri" makes use of HTML smuggling to deliver malware... https://threatpost.com/active-malware-campaign-html-smuggling/158439/ #krishnansubramanian #javascriptblobs #malwarecampaign #cloudservices #htmlsmuggling #menlosecurity #websecurity #coronavirus #podcasts #pandemic #malware #covid #duri