
HEAT attacks: Evading static and dynamic content inspection

Mark Guntrip | Feb 08, 2022

Illustration of laptop downloading a hidden bug from the cloud, labeled HEAT attacks


When it comes to how people work and collaborate, the novel coronavirus pandemic ushered in the most rapid pivot in history. Never before had so many shifted so quickly. That shift dramatically pulled forward demand for cloud services and accelerated the adoption of cloud applications and digital transformation efforts by a decade.

Consider this: A survey conducted by Forrester Consulting, commissioned by Google, found that staff spend 75 percent of their working time online, mainly within a web browser. Further, SaaS applications are in use within 99 percent of organizations. We don’t need statistics to prove this, of course, as we see it all around us in our daily lives — the web browser is essentially the new office space.

Cybercriminals have noticed this trend, too, and they’re evolving their attacks to take advantage of it. As this series on Highly Evasive Adaptive Threats (HEAT) highlights, criminals modify their attacks to infiltrate the browser in new ways and put new twists on established attacks to avoid detection. Not only has the move to the cloud advanced business technology by a decade, it has also left many traditional security defenses the same 10 years behind.

If enterprise security professionals don’t adapt their defenses to these attacks, they’ll find themselves woefully under-defended. Cybercriminals are bringing the HEAT to web browsers, and these HEAT attacks are currently being used to deliver all forms of malware and to conduct enterprise attacks. And there’s no sign of a cooldown anytime soon.

Let’s take a look at one of the four core HEAT characteristics; specifically, how these attacks are able to evade both static and dynamic content inspection.

A look at HTML smuggling

HTML smuggling is one technique cybercriminals use to evade static and dynamic content inspection technologies and deliver malicious payloads to endpoints. In HTML smuggling attacks, the attackers create a JavaScript BLOB (binary large object) element and dynamically fill it with content. In the attacks witnessed by Menlo Labs, the content used to create the malware was encoded within the HTML page the user requested. Because the content is created dynamically from elements within the web page, a file request isn’t sent over the Internet.

That means the malware never passes through, and so is never inspected by, a Secure Web Gateway or any other network security appliance, such as a sandbox.
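Because the payload never crosses the network as a separate file, the only place a network-side control can see it is inside the HTML body itself. The following scorer is an added example (not Menlo Labs code) of what a static content inspector on a Secure Web Gateway or mail filter could look for in a response body: the building blocks the article describes (an encoded payload inside the page, a JavaScript Blob built from it, and a download triggered without a separate file request). The indicator names, weights, threshold and both page fixtures are assumptions constructed for this example; the caveat is that such static matching is exactly what an attacker obfuscates around, which is why it complements rather than replaces dynamic inspection or browser isolation.

```python
"""Static content inspection for HTML-smuggling indicators (added example)."""
import re

# Each indicator: (compiled regex, weight). Weights are an assumption chosen
# for this example, not a vendor's tuned model.
INDICATORS = {
    "blob_ctor":       (re.compile(r"new\s+Blob\s*\(", re.I), 3),
    "ms_save_blob":    (re.compile(r"msSaveOrOpenBlob\s*\(", re.I), 3),
    "object_url":      (re.compile(r"URL\.createObjectURL\s*\(", re.I), 2),
    "base64_decode":   (re.compile(r"\batob\s*\(", re.I), 2),
    "download_attr":   (re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I), 2),
    "binary_mime":     (re.compile(r"application/(?:octet-stream|x-iso9660-image|zip)", re.I), 2),
    "auto_click":      (re.compile(r"\.click\s*\(\s*\)", re.I), 1),
    "disk_image_name": (re.compile(r"\.(?:iso|img|vhd|vhdx)[\"']", re.I), 1),
}
# A long run of base64-alphabet characters inside the page is where the
# "file" lives when no file is ever fetched over the network.
LARGE_BASE64 = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")
LARGE_BASE64_WEIGHT = 3
SUSPICIOUS_THRESHOLD = 6  # assumption: tune against your own traffic


def inspect_html(html: str) -> dict:
    """Score one HTML body and report which indicators fired."""
    hits = {}
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(html):
            hits[name] = weight
    m = LARGE_BASE64.search(html)
    if m:
        hits["large_base64_literal"] = LARGE_BASE64_WEIGHT
    score = sum(hits.values())
    return {
        "score": score,
        "hits": hits,
        "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign",
        # Approximate decoded size of the embedded literal (base64 is 4:3).
        "embedded_payload_bytes": len(m.group(0)) * 3 // 4 if m else 0,
    }


# Constructed fixture shaped like a smuggling page. An inert run of "A"
# characters stands in for the encoded payload; it decodes to nothing useful.
SMUGGLING_PAGE = """<html><body><p>Your document is loading...</p><script>
var encoded = "%s";
var raw = atob(encoded);
var blob = new Blob([raw], {type: "application/octet-stream"});
var link = document.createElement("a");
link.href = URL.createObjectURL(blob);
link.download = "invoice.iso";
link.click();
</script></body></html>""" % ("A" * 2500)

# Constructed benign fixture: a legitimate image-preview page that also uses
# an object URL and a download attribute, so a single indicator must not
# be enough to convict a page.
BENIGN_PAGE = """<html><body>
<input type="file" id="pick" accept="image/*">
<img id="preview">
<a href="/reports/q4.pdf" download="q4.pdf">Download the Q4 report</a>
<script>
document.getElementById("pick").addEventListener("change", function (e) {
  // Preview a user-chosen image locally; the object URL wraps a file the user picked.
  document.getElementById("preview").src = URL.createObjectURL(e.target.files[0]);
});
</script>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("smuggling fixture", SMUGGLING_PAGE), ("benign fixture", BENIGN_PAGE)):
        result = inspect_html(page)
        print(f"{label}: {result['verdict']} (score {result['score']}) "
              f"hits={sorted(result['hits'])} payload~{result['embedded_payload_bytes']}B")
```

Run it stand-alone and the smuggling fixture scores well above the threshold while the preview page stays benign. The scoring is additive on purpose: `createObjectURL` and `download` are common on legitimate sites, and it is the combination with an in-page decode, a binary MIME type, a disk-image filename and a programmatic click, plus a kilobyte-scale base64 literal, that distinguishes a page that carries its own file from one that links to a file a gateway can still fetch and scan.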

Interestingly, this attack technique isn’t taking advantage of what is typically thought of as a software vulnerability or design flaw; instead, the method is exploiting the way modern browsers work and the techniques developers typically use to optimize download speeds and improve the user web experience.

These attacks aren’t merely hypothetical; they’re increasingly happening in the real world because people spend much more time working within their browsers.

Real-world examples of HTML smuggling

The Menlo Labs research team has identified several campaigns involving HTML smuggling. One such incident is the recent ISOMorph HTML smuggling campaign. This campaign, identified during the summer of 2021, leveraged HTML smuggling techniques we detailed above. Multiple sections of malware were independently downloaded to the browser and then assembled within the rendering of the web page on the endpoint. A BLOB element was used to create a malicious .iso file that was downloaded to the user’s endpoint the moment they accessed the web page, without any specific user action.

This ISOMorph attack followed other campaigns that used this technique, including attacks operated by the threat actor NOBELIUM (the group thought to be behind the SolarWinds attack). Microsoft says it has observed this technique being used to deliver the banking Trojan Mekotio, AsyncRAT/NJRAT, and TrickBot. This is malware that attackers use to take command and control of targeted endpoints and to distribute ransomware and other threats.

With ISOMorph, the attackers targeted the popular communication platform Discord and its roughly 300 million registered users. Menlo Labs witnessed the malicious actors using Discord to host a Remote Access Trojan (RAT) known as AsyncRAT. AsyncRAT employs many ways to evade detection, log passwords, and exfiltrate data.

Why traditional security software fails to catch HTML smuggling

Attackers are increasingly turning to HTML smuggling and other HEAT tactics because they’re successful at getting to the end user’s browser by bypassing common defenses, such as Secure Web Gateways and their anti-malware and sandboxing capabilities, as well as network and HTTP inspections, malicious link analysis, offline domain analysis, and threat intelligence feeds. Because HEAT-styled attacks are so successful, they’ve set enterprises back considerably in their security investments.

While these attack techniques aren’t new, threat actors are getting better at putting them to use and scaling the adoption of these attack tactics. After all, it’s been possible to successfully bypass Secure Web Gateways for some time, such as by sending files that are too big to be analyzed by their engines, by “protecting” files with passwords, or by encrypting them. With HTML smuggling, however, there is no file to analyze.

HTML smuggling is another example of why enterprise security teams need to shift their attention from just email, network, and other traditional attack vectors and pay much closer attention to what attackers are doing within the web browser. And security teams need to make sure that they have the appropriate levels of defenses in place.

We expect attackers to keep bringing the HEAT to the web browser for some time. After all, the move to the cloud and digital transformation isn’t going away, since they provide tremendous opportunities for modern businesses to succeed. Unfortunately, bad actors will increase their focus on ways to exploit these trends.
