Barracuda Networks Reports Shift in HTML Malware Tactics

Barracuda Networks has published a report detailing how cybercriminals are now embedding malware directly within an HTML file. Historically, such files were built to deliver a malicious payload through a link to an external site. That shift in approach makes it harder for some classes of security scanner to detect malware embedded in an email.

Barracuda Networks CTO Fleming Shi said this attack technique is now more widely used than those that rely on externally hosted JavaScript files. Those attacks typically ask users to enter their credentials to access information or download a file that may contain malware.

HTML is one of the attack vectors that cybercriminals typically use to make it appear that an email with embedded links to a web page is legitimate. Nearly half of all HTML files (46%) scanned last March by Barracuda Networks proved to be malicious.

Shi said that as more cybercriminals embrace this new malware distribution technique, the nature of HTML attacks evolves. For example, on March 7, 2023, there were 672,145 malicious HTML artifacts detected in total, comprising 181,176 different items. This means that around a quarter (27%) of the detected files were unique and the rest were repeat or mass deployments of those files. However, on March 23, almost nine in 10 (85%) of the total 475,938 malicious HTML artifacts were unique, which means that almost every single attack was different.

HTML remains a favored attack vector because it enables cybercriminals to inject themselves into a process that is usually already trusted by an end user, said Shi. Historically, the goal has been to redirect traffic, but now these attacks are also being used to embed malware more directly, he noted.
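A defender-side triage check for the shift described above, added here as an example that is not from the report or from Barracuda: it parses an HTML attachment and reports whether its payload is reached through an external link (the historical pattern) or carried inline in the file (data: URIs, long base64 blobs, decoder calls in inline script). The class and function names, the 200-character blob threshold and the two sample files are assumptions constructed for the example.

```python
import base64, re
from html.parser import HTMLParser

# Hypothetical triage helper (not Barracuda's scanner): tells the old link-based lure
# from the inline-payload file the report describes, where the payload is in the HTML.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
DECODER_CALL = re.compile(r"\b(atob|unescape|fromCharCode|decodeURIComponent)\s*\(")

class HtmlIndicators(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external_urls, self.data_uris = [], []
        self.inline_script, self._in_script = "", False

    def handle_starttag(self, tag, attrs):
        self._in_script = self._in_script or tag == "script"
        for key, value in attrs:
            value = (value or "").strip()
            if key in ("href", "src", "action"):
                if value.lower().startswith("data:"):
                    self.data_uris.append(value)      # payload carried in-file
                elif value.lower().startswith(("http://", "https://", "//")):
                    self.external_urls.append(value)  # payload hosted elsewhere

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.inline_script += data

def triage_html(html: str) -> dict:
    p = HtmlIndicators()
    p.feed(html)
    p.close()
    blobs = BASE64_BLOB.findall(html)
    decoders = sorted(set(DECODER_CALL.findall(p.inline_script)))
    if p.data_uris or blobs or decoders:
        verdict = "inline-payload"  # nothing external for a link scanner to follow
    elif p.external_urls:
        verdict = "external-link"   # classic lure: the URL itself can be scanned
    else:
        verdict = "no-indicator"
    return {"verdict": verdict, "external_urls": p.external_urls, "data_uris": p.data_uris,
            "base64_blobs": len(blobs), "decoder_calls": decoders}

# Constructed samples (not real malware): a lure that only links out, and a file that decodes an embedded page.
LINK_STYLE = '<html><body><a href="https://example.invalid/invoice">View invoice</a></body></html>'
_BLOB = base64.b64encode(b"<p>constructed placeholder page</p>" * 8).decode()
INLINE_STYLE = '<html><body><script>document.write(atob("' + _BLOB + '"))</script></body></html>'
```

Running triage_html over LINK_STYLE yields "external-link", over INLINE_STYLE "inline-payload"; the second file contains no URL at all, which is exactly why a scanner that only follows links has nothing to inspect.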

Despite the discovery of more sophisticated attack vectors, the bulk of attacks being launched by cybercriminals are less complex variations of known techniques and tactics that continue to be effective. Most organizations would be well-advised to concentrate on thwarting these types of attacks before considering how to defend themselves against more complex attacks that aren’t as prevalent because of their complexity.

It’s not clear how many attacks have been launched using malware embedded within an HTML file, but most cybersecurity teams should assume that malware is already present in their environments. The task at hand, as always, is to find and neutralize that malware before it’s activated.

In the meantime, the best way to thwart malware remains reducing the amount of it that makes it into an IT environment. In addition to scanning tools, it’s important for organizations to teach end users to better recognize suspicious emails and report when they may have inadvertently clicked on one. Rather than punishing end users for making a mistake, organizations should encourage transparency. After all, a malicious payload in an email that never gets reported is going to be a lot harder to find than one that has been reported by the end user that clicked on it. Punishing end users for making an honest mistake will ultimately create a culture that benefits the cybercriminals that are looking to evade detection.


Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
