Obfuscated Files or Information: HTML Smuggling

Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.[1][2]

Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. Deobfuscate/Decode Files or Information), potentially bypassing content filters.

For example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.[1][3][2][4]

ID: T1027.006
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Static File Analysis, Web Content Filters
Contributors: Jonathan Boucher, @crash_wave, Bank of Canada; Krishnan Subramanian, @krish203; Stan Hegt, Outflank; Vinay Pidathala
Version: 1.1
Created: 20 May 2021
Last Modified: 14 July 2023

Procedure Examples

ID Name Description
G0016 APT29

APT29 has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution.[5]

S0634 EnvyScout

EnvyScout contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk.[6]

S0650 QakBot

QakBot has been delivered in ZIP files via HTML smuggling.[7][8]

Mitigations

ID Mitigation Description
M1048 Application Isolation and Sandboxing

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.

Detection

ID Data Source Data Component Detects
DS0022 File File Creation

Monitor for newly constructed files via JavaScript, developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging. Consider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.

References