Investigating the ISOMorph infection- multi-staged HTML smuggling

The current cybersecurity trend is a constant battle between proactive detection and effective evasion. Unfortunately, the brawl consistently sways in the direction of the malicious actors as they constantly update their tactics and unearth new, innovative ways to bypass traditionally deployed security parameters. 

For those in the security field, the majority of the obstacle is due to the complexity. The situation is not related to developing solutions that combat issues in one or two segments, but to build solutions that can resolve issues across the field, including malware, phishing, DDoS attacks, ransomware and more. 

As malicious actors try to stay a step ahead of detection protocols, we are witnessing the rebirth of HTML smuggling. Technically, HTML smuggling was already used by the perpetrator of USAID and SolarWinds breaches- Nobelium. The attack involved an AsyncRAT spear-phishing campaign along with ISO files as the main component. ISOMorph is one other example of HTML smuggling that was detected by Menlo Security. 

An ISO image (or ISO file) is the archive file that has a duplicate copy of the data required to install software on endpoints that do not traditionally need any third-party software to install. Number of file formats are free from inspection across both email and web gateway devices, ISO files is one such files. The dangerous scripts can be blended into the ISO documents that go undiscovered before being executed on the endpoint. 

What IS HTML smuggling? 

In layman terms, it is the tactic used by hackers to bypass perimeter security protocols, achieved by producing malicious HTML inside the browser on the targeted endpoint.  

The key to this technique is, building of nefarious payloads programmatically on an HTML page via JavaScript in place of constructing an HTTP request to bring a resource on the web serve. The latter is not a design issue in browser tech- rather a method often deployed by web developers to boost file downloads. 

The real hurdle lies in the fact that conventional network security solutions like sandboxes, legacy proxies and firewalls that generally identify malicious code are bypassed. With ISOMorph, the evasion was achieved via injection trusted, whitelisted app- MSBuild.exe. 

The cyberattackers used the reflection tactic to load a DLL file and inject the RAT payload inside MSBuild.exe. As the malicious code gained entrance via injection, it was whitelisted. 

Generally, antivirus software typically considers any file with .dll extensions that gets loaded by monitoring the LoadLibrary API, but reflectively loading these DLL files and enforcing certain strategies allows malware authors to avoid detection. 

The birth of ISOMorph and sudden increase in danger from HTML smuggling was expected by the security leaders in the current global situation. It marked the significant change in the cybersecurity environment post the start of the pandemic. The danger also rose due to the increased shift to remote work, cloud-based operations. Web browsers remain the Achilles’ heel of even the prominent organization. 

Does it paint a bleak picture? Yes. Should we throw up our arms in the battle against HTML smuggling? Of course not!!! 

Endpoints are highly vulnerable, but they can be secured as a whole with help of isolation technologies. 

Developed with the sole goal of efficiently protecting users while navigating the Internet via web browsers, isolation tech can build a virtual air gap between the endpoint and the internet. It means all data(web content traffic, email, etc.) is never downloaded to the endpoint, but is visible. 

Thus, user experience gets boosted significantly while removing the risk of exploitation of vulnerabilities by malicious code. This is critical when handling HTML smuggling. 

Are you a B2B organization looking to streamline various tech operations for better productivity? We invite you to take a stroll through the various services offered by TSL Consulting Pvt. Ltd for enhancing business operations. 

Sr. Content Writer TSL Marketing