ISOMorph and HTML Smuggling


Cybersecurity today is often a battle between detection and evasion. Yet, unfortunately, it is a fight that continues to sway in favor of the threat actors as they continue to innovate their techniques and find new, sophisticated ways to bypass commonly used security tools.

For security professionals, much of the challenge lies in this complexity. It is not a case of working to address changes in one or two areas, but across the board, as various avenues spanning malware, ransomware, phishing, DDoS attacks and beyond continue to branch out at an alarming rate.

As attackers strive to stay ahead of detection, we’re seeing the re-emergence of HTML smuggling. In fact, HTML smuggling was used in the most recent spear-phishing campaign by Nobelium, the group responsible for the SolarWinds and USAID attacks. This attack comprised an AsyncRAT spear-phishing campaign using ISO files as the key component. Another example of HTML smuggling is ISOMorph, identified by Menlo Security.

An ISO file (or ISO image) is an archive file that contains an identical copy of the data needed to install software. Endpoints do not typically require any third-party software to handle one.

Many file formats are exempt from inspection across both web and email gateway devices, with ISO files being one such example. Malicious scripts incorporated into ISO files can therefore go undetected in transit and then execute once on the endpoint.

At this point, you may be wondering how HTML smuggling works.

In simple terms, it is a technique attackers use to bypass perimeter security devices by generating malicious HTML within the browser on the target endpoint.

The construction of malicious payloads programmatically on an HTML page using JavaScript, as opposed to making an HTTP request to fetch a resource on a web server, is key. This is not a design flaw in browser technologies — rather, it is a technique often used by web developers to improve file downloads.

The challenge, however, is that firewalls and traditional network security solutions like sandboxes and legacy proxies that would usually detect malicious code are evaded.
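
A static check for the pattern described above, as an added example that is not code from the article or from Menlo Security: it flags pages that assemble a file in JavaScript, point a local URL at it and tell the browser to save it, and raises the severity when the saved file is named as an ISO. The indicator names, the patterns and the three sample pages are constructed assumptions.

```javascript
// Added example, not from the article: a static heuristic for HTML smuggling.
// All names and sample pages are constructed for illustration.
const INDICATORS = {
  // File content assembled inside the page instead of fetched over HTTP.
  builds_payload: [/new\s+Blob\s*\(/, /\batob\s*\(/, /["'][A-Za-z0-9+\/]{200,}={0,2}["']/],
  // A URL that points at in-memory data rather than at a web server.
  local_url: [/URL\.createObjectURL\s*\(/, /href\s*=\s*["']data:/i],
  // The browser is told to save that data as a file.
  triggers_save: [/\.download\s*=/, /<a\b[^>]*\bdownload\b/i, /msSaveOrOpenBlob\s*\(/],
  // The saved file is named as an ISO, the container the article highlights.
  iso_filename: [/["'][^"']*\.iso["']/i],
};

function scanHtmlForSmuggling(html) {
  const hits = Object.keys(INDICATORS).filter((name) =>
    INDICATORS[name].some((re) => re.test(html)));
  // Only the combination matters: built in the page, local URL, saved as a file.
  const assembledInPage = ["builds_payload", "local_url", "triggers_save"]
    .every((name) => hits.includes(name));
  let verdict = "clean";
  if (assembledInPage) verdict = hits.includes("iso_filename") ? "high" : "review";
  return { verdict, hits };
}

// Constructed sample 1: inert filler bytes assembled in the page and saved as an ISO.
const ISO_PAGE = `<script>
  var blob = new Blob([atob("${"QUJD".repeat(60)}")]);
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "document.iso";
</script>`;

// Constructed sample 2: a legitimate in-page CSV export, the developer use case.
const CSV_PAGE = `<script>
  var blob = new Blob([rows.join(",")], { type: "text/csv" });
  link.href = URL.createObjectURL(blob);
  link.download = "export.csv";
</script>`;

// Constructed sample 3: an ordinary link; the file is fetched over HTTP, so a gateway sees it.
const LINK_PAGE = `<a href="/files/report.pdf" download>Report</a>`;

for (const [name, page] of Object.entries({ ISO_PAGE, CSV_PAGE, LINK_PAGE })) {
  const { verdict, hits } = scanHtmlForSmuggling(page);
  console.log(name, verdict, hits.join(","));
}
```

Because web developers use the same download pattern, the "review" verdict on the CSV export is a triage signal rather than grounds to block.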

In the case of ISOMorph, this was achieved thanks to injection into a whitelisted, trusted application — MSBuild.exe.

Threat actors were able to use reflection techniques to load a DLL file (a library that contains a set of code and data for carrying out a particular activity in Windows) and inject the RAT payload into MSBuild.exe. By proxy, the malicious code that had been injected was therefore also whitelisted.

Antivirus software typically inspects files with .dll extensions as they are loaded, by monitoring the LoadLibrary API. Reflectively loading the DLL files and invoking certain methods allows malware authors to bypass this detection.

Indeed, the emergence of ISOMorph and uptick in threat from HTML smuggling is to be expected given the current global environment. This, like many changes related to cybersecurity in the past 18 months, stems from the pandemic and resultant ‘new normal.’

As remote, hybrid and flexible working has become commonplace, companies have had to adapt their ways of working to support such models. Where on-premise setups once dominated, cloud-based operations have risen to the fore, making the browser an even more crucial component of the day-to-day.

This has taken many forms, be it the rise of virtual meetings or the implementation of workflow management tools on a broad basis. Worryingly, however, the browser remains one of the weakest links in the cybersecurity chain.

This paints a bleak picture, but thankfully all is not lost in the fight against HTML smuggling.

While the endpoint remains highly vulnerable to such attacks among others, it can be protected comprehensively by isolation technologies.

Created with the sole aim of properly protecting users as they navigate the web via browsers, isolation technologies can create a virtual air gap between the internet and the endpoint, where all email and web traffic content is visible but never actually downloaded to the endpoint.

In this way, the risk of malicious code exploiting vulnerabilities is removed while the user experience is still maximized. In dealing with HTML smuggling, this is vitally important.
