
Emerging Threats

HTML Smuggling attack: an increasingly common technique

· frtg · 2 min read

In recent months, multiple phishing email campaigns have been identified that carry malicious HTML attachments (report). The attached files contain JavaScript that uses HTML5 features to download malware automatically as soon as the page is opened.

The attack has been designated HTML Smuggling.

HTML Smuggling Attack Phases

HTML Smuggling attack phases – Source: Microsoft

The attack consists of a series of automated steps that download a JavaScript Blob once the page has fully loaded. Within the HTML code, a link is inserted (generated by script or written directly as an <a> tag) carrying the download attribute, which tells the browser to save the linked resource to disk instead of opening it. Below is an example in HTML of a link with the download attribute.

<a href="/archivio/malevolo.zip" download="malware.zip">Click here</a>

The same file (or site) also contains JavaScript whose task is to assemble the malicious file in memory and download it automatically. The file is built as a Blob, attached to the link and the download is triggered, all from the same script and without any user interaction.

// Create an anchor element that is never rendered; the download attribute
// tells the browser to save the Blob to disk rather than open it.
var anchorLink = document.createElement('a');
anchorLink.download = 'malicious_file.zip';
// malicious_data holds the payload bytes, typically decoded from a base64
// string embedded in the same HTML file.
var blob = new Blob([malicious_data], {type: 'octet/stream'});
// Expose the in-memory Blob through a blob: URL.
var url = window.URL.createObjectURL(blob);
anchorLink.href = url;
// A synthetic click starts the download with no user interaction.
anchorLink.click();

In malware campaigns, the malicious content is typically delivered as a password-protected archive. Automated scanners that inspect the contents of downloaded archives cannot open the encrypted file, so the payload passes through unexamined. Our Cyber Threat Intelligence operations have tracked this technique across multiple threat actors leveraging HTML Smuggling to bypass perimeter defenses.
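Because the archive itself is encrypted, the HTML attachment is the artifact a mail gateway or sandbox can still inspect. The following Python script is an added example (not code from the original post or from the report it cites) of a static heuristic that flags the building blocks of HTML Smuggling described above: a large embedded base64 literal, atob(), a Blob constructor, createObjectURL, the download attribute and a programmatic click. The function names, the scoring thresholds and both HTML samples are assumptions constructed for this example; the "payload" in the suspicious sample is inert text chosen only to have a realistic size.

```python
import base64
import re
from dataclasses import dataclass, field

# Regexes matched against the raw text of an .html attachment (never executed).
# Assumption: used as a pre-filter in a mail gateway / sandbox pipeline.
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"createObjectURL\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)"),
    "base64_decode": re.compile(r"\batob\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
}
# A quoted base64 literal this long is rare in legitimate mail HTML.
LARGE_B64 = re.compile(r"[\"']([A-Za-z0-9+/]{1000,}={0,2})[\"']")


@dataclass
class ScanResult:
    indicators: list = field(default_factory=list)
    embedded_payload_bytes: int = 0

    @property
    def verdict(self) -> str:
        # Assembly (Blob or big base64 string) combined with a drop-to-disk
        # primitive is the signature of the technique; a lone download link
        # in a newsletter is not.
        has_assembly = ("blob_constructor" in self.indicators
                        or self.embedded_payload_bytes > 0)
        has_drop = any(n in self.indicators
                       for n in ("download_attr", "object_url", "ms_save_blob"))
        if has_assembly and has_drop:
            return "likely-smuggling"
        if len(self.indicators) >= 2:
            return "review"
        return "clean"


def scan_html_attachment(html: str) -> ScanResult:
    """Return the indicators found in the attachment text and the size of
    the largest embedded base64 literal (the smuggled file, if any)."""
    result = ScanResult()
    for name, pattern in INDICATORS.items():
        if pattern.search(html):
            result.indicators.append(name)
    for m in LARGE_B64.finditer(html):
        try:
            size = len(base64.b64decode(m.group(1)))
        except ValueError:
            continue  # not valid base64, ignore this literal
        result.embedded_payload_bytes = max(result.embedded_payload_bytes, size)
    if result.embedded_payload_bytes:
        result.indicators.append("large_base64_literal")
    return result


# Constructed samples (not real campaign artifacts).
BENIGN_HTML = """<html><body>
<p>Monthly report attached.</p>
<a href="/reports/2024-01.pdf" download="report.pdf">Download report</a>
</body></html>"""

# The "payload" is inert labelled text; only its size is realistic.
_INERT = base64.b64encode(b"CONSTRUCTED INERT SAMPLE " * 60).decode()
SUSPICIOUS_HTML = f"""<html><body>
<p>Loading document...</p>
<script>
var data = "{_INERT}";
var bytes = atob(data);
var buf = new Uint8Array(bytes.length);
for (var i = 0; i < bytes.length; i++) buf[i] = bytes.charCodeAt(i);
var blob = new Blob([buf], {{type: 'octet/stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'invoice.zip';
a.click();
</script>
</body></html>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        r = scan_html_attachment(doc)
        print(f"{label}: {r.verdict} indicators={r.indicators} "
              f"payload={r.embedded_payload_bytes} bytes")
```

The benign sample carries a download attribute but nothing else and is reported clean; the suspicious sample trips every indicator and reports a 1500-byte embedded file. In practice the regexes should be run after decoding any JavaScript string obfuscation, since campaigns routinely split, reverse or otherwise encode the base64 literal to defeat exactly this kind of match.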

When the user opens the contents of the .zip file, a chain of commands (typically PowerShell or Visual Basic scripts) runs to download and execute the malware (final stage).

Among these, the known malware TrickBot has been observed targeting multiple Italian organizations, demonstrating the operational effectiveness of HTML Smuggling as a delivery mechanism for banking trojans and loader payloads.
