A few years ago, we wrote about the MetaMorph attack. In this attack, the malicious HTML attachments use meta refresh to redirect the end-user from an HTML attachment hosted locally to a phishing page hosted on the public internet.
This attack builds upon the wave of HTML attachment attacks that we’ve recently observed targeting our customers, whether they be SMBs or enterprises. It adds another layer of sophistication to malicious HTML attachments with the <meta> tag, which obfuscates the URL to evade link analysis and redirects to a compromised domain on the public internet.
Now, we’ve witnessed a new attack making its way around the world, that takes this campaign to a new level.
In this Attack Brief, researchers at Avanan, a Check Point Software company, will discuss how hackers are hiding malicious content inside “blank images”, creating automatic redirects that bypass VirusTotal and other anti-malware checks.
Attack
In this attack, hackers are placing blank images within HTML attachments. When opening the attachment, the user is automatically redirected to a malicious URL.
- Vector: Email
- Type: Malware
- Techniques: Social Engineering, Blank Image, HTML Redirect
- Target: Any end-user
Email Example #1
This email campaign starts with what appears to be a document from DocuSign. This looks fairly legitimate and could get the user to act. It is sent directly to a user, and the user is asked to review and sign the document. The DocuSign link will go to the legitimate DocuSign page. Where things get messy is with the HTM attachment at the bottom. When clicking on this attachment, the hackers’ chain of events starts in earnest. Here, the link is clean but the attachment is not.
Email Example 2
This is the content of the HTML file. It contains an SVG image that’s encoded with Base64.
When decoded, here is what the image looks like:
At the core, this is an empty image with active content inside. In fact, there’s Javascript inside the image. This redirects automatically to the malicious URL.
Essentially, the hackers are hiding the malicious URL inside an empty image to bypass traditional scanning services.
Techniques
When we wrote about the MetaMorph attack, we explained the key behind it:
“It adds another layer of sophistication to malicious HTML attachments with the <meta> tag, which obfuscates the URL to evade link analysis.”
This does something similar. Instead, the bad content is inside the image. When the user clicks on the attachment, they are automatically redirected to the bad URL.
This is an innovative way to obfuscate the true intent of the message. It bypasses VirusTotal and doesn’t even get scanned by traditional Click-Time Protection. By layering obfuscation upon obfuscation, most security services are helpless against these attacks.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Be suspicious of any email that contains an HTML or .htm attachment.
- Admins should consider blocking HTML attachments and treating them just like executables (.exe, .cab).