
HEAT attacks: Evading file-based inspection


When it comes to how people work and collaborate, the novel coronavirus pandemic ushered the most rapid pivot in history. Never before had so many shifted so quickly. And that shift created a dramatic pulling forward of demand for cloud services and accelerated the adoption of cloud applications and digital transformation efforts by a decade.

Consider this: A survey conducted by Forrester Consulting, commissioned by Google, found that staff spend 75 percent of their working time online, mainly within a web browser. Further, SaaS applications are in use within 99 percent of organizations. We don’t need statistics to prove this, of course, as we see it all around us in our daily lives — the web browser is essentially the new office space.

In modern organizations, the web browser has evolved significantly and now serves as a vital tool for accessing crucial business applications, as well as facilitating collaboration and communication among employees. This substantial shift from the early web browser, which merely offered a basic interface for Internet navigation, has not been accompanied by a corresponding evolution in network and endpoint security tools.

Today, many organizations continue to rely on outdated security technologies, such as sandboxes, Secure Web Gateways (SWGs), and firewalls. These solutions were primarily intended to safeguard networks and endpoints, but they lack the ability to scrutinize activity within the modern web browser. As a result, they fail to provide adequate protection, leaving web browsers exposed to threats.

Cybercriminals have taken note of where web security is weak, and they are evolving their attacks accordingly: they modify their attacks to infiltrate the browser in new ways and add new twists to established attacks to avoid detection. Not only has the move to the cloud accelerated business technology by a decade; it has also set many traditional security defenses behind by the same 10 years.

If enterprise security professionals don’t adapt and choose to protect their enterprise against these Highly Evasive Adaptive Threats (HEAT), they’ll find themselves woefully under-defended. HEAT attacks are currently being used to deliver all forms of malware, including ransomware, and to conduct enterprise attacks. And there’s no sign of a slowdown anytime soon.

Let’s take a look at one of the four core HEAT characteristics: specifically, how these attacks are able to evade file-based inspection.

A look at HTML smuggling

HTML smuggling is one technique cybercriminals use to evade file-based inspection technologies and deliver malicious payloads to endpoints. In HTML smuggling attacks, the attackers create a JavaScript Blob (binary large object) and fill it dynamically with content. In the attacks witnessed by Menlo Labs, the content used to create the malware was encoded within the HTML page the user requested. Because the content is created dynamically from elements within the web page, no file request is ever sent over the Internet.

That means the malware is never presented to a SWG or any network security appliance, such as a sandbox, for inspection.
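As an added illustration (not code from this post or from Menlo Labs), the following Python scanner approaches the point above from the defender's side: the assembled file never crosses the wire, but the encoded content that produces it sits inside the HTML that does, so an inspection point can decode long base64 literals, identify the resulting file by its magic bytes (including the ISO 9660 signature relevant to the ISOMorph campaign described below), and flag pages that combine client-side Blob assembly with such a payload. The indicator list, magic table and both sample pages are constructed for this example; legitimate pages also use Blob and createObjectURL (client-side CSV export, say), which is why the verdict requires both conditions.

```python
import base64
import re
# Script constructs that appear together when a page assembles a file in the
# browser instead of fetching it as a separate HTTP download.
INDICATORS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob"),
    "base64_decode": re.compile(r"\batob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*="),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
# A long base64 literal inside the page is the candidate embedded payload;
# MAGIC lists container formats by signature (constructed table).
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")
MAGIC = [(b"MZ", 0, "PE executable"), (b"PK\x03\x04", 0, "ZIP archive"),
         (b"CD001", 0x8001, "ISO 9660 image")]

def identify_payload(data: bytes) -> str:
    """Name the container type of a decoded blob, or 'unknown'."""
    for magic, offset, name in MAGIC:
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"

def scan_html(html: str) -> dict:
    """Report indicator hits, decoded payload types and a verdict for one page."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    payloads = []
    for literal in B64_LITERAL.findall(html):
        try:  # validate=True rejects text that merely looks base64-shaped
            payloads.append(identify_payload(base64.b64decode(literal, validate=True)))
        except ValueError:
            continue
    # Blob use alone is common in benign pages; flag only client-side assembly
    # combined with a recognisable embedded file, the file the gateway never saw.
    assembles = "blob_ctor" in hits and ("object_url" in hits or "ms_save_blob" in hits)
    verdict = "suspicious" if assembles and payloads else "clean"
    return {"indicators": hits, "payloads": payloads, "verdict": verdict}

# Constructed fixtures: a ZIP header padded to 64 bytes, embedded the way the
# post describes, and a benign client-side CSV export that uses the same APIs.
SAMPLE_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()
SAMPLE_HTML = (f"<script>var b = atob('{SAMPLE_B64}');"
               "var blob = new Blob([b], {type: 'application/octet-stream'});"
               "var a = document.createElement('a'); a.href = URL.createObjectURL(blob);"
               "a.download = 'invoice.zip'; a.click();</script>")
BENIGN_HTML = ("<script>var csv = rows.map(r => r.join(',')).join('\\n');"
               "var blob = new Blob([csv], {type: 'text/csv'});"
               "var a = document.createElement('a'); a.href = URL.createObjectURL(blob);"
               "a.download = 'export.csv'; a.click();</script>")
```

Run `scan_html` over the page body at the gateway or proxy; the ISO check needs at least 0x8006 bytes of decoded data, so truncated captures will report `unknown` rather than a false match.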

Interestingly, this attack technique isn’t taking advantage of what is typically thought of as a software vulnerability or design flaw; instead, the method is exploiting the way modern browsers work and the techniques developers typically use to optimize download speeds and improve the user web experience.

These attacks aren’t merely hypothetical; they’re increasingly happening in the real world because people spend much more time working within their browsers.

Real-world examples of HTML smuggling

The Menlo Labs research team has identified several campaigns involving HTML smuggling. One such incident is the recent ISOMorph HTML smuggling campaign. This campaign, identified during the summer of 2021, leveraged HTML smuggling techniques we detailed above. Multiple sections of malware were independently downloaded to the browser and then assembled within the rendering of the web page on the endpoint. A BLOB element was used to create a malicious .iso file that was downloaded to the user’s endpoint the moment they accessed the web page, without any specific user action.

This ISOMorph attack followed other campaigns that used this technique, including attacks operated by the threat actor NOBELIUM (the group thought to be behind the SolarWinds attack). Microsoft says it has observed this technique being used to deliver the banking Trojan Mekotio, AsyncRAT/NJRAT, and TrickBot. This is malware that attackers use to take control of targeted endpoints and distribute ransomware and other threats.

With ISOMorph, the attackers targeted the popular communication platform Discord and its roughly 300 million registered users. Menlo Labs witnessed the malicious actors using Discord to host a Remote Access Trojan (RAT) known as AsyncRAT. AsyncRAT employs many ways to evade detection, log passwords, and exfiltrate data.

Why traditional security software fails to catch HTML smugglers

Attackers are increasingly turning to HTML smuggling and other HEAT tactics because they’re successful at getting to the end user’s browser by bypassing common defenses, such as SWGs and their anti-malware and sandboxing capabilities, as well as network and HTTP inspections, malicious link analysis, offline domain analysis, and threat intelligence feeds. Because HEAT attacks are so successful, they’ve set enterprises back considerably in their security investments.

While these attack techniques aren’t new, threat actors are getting better at putting them to use and scaling the adoption of these attack tactics. After all, it’s been possible to successfully bypass SWGs for some time, such as by sending files that are too big to be analyzed by their engines, by “protecting” files with passwords, or by encrypting them. With HTML smuggling, however, there is no file to analyze.

HTML smuggling is another example of why enterprise security teams need to shift their attention from just email, network, and other traditional attack vectors and pay much closer attention to what attackers are doing within the web browser. And security teams need to make sure that they have the appropriate levels of defenses in place. Security technology that provides enhanced visibility within the browser and offers real-time protection against suspicious behaviors is key in preventing these evasive web threats.

Menlo Security