
Ransomware execution via HTML Smuggling



The ransomware landscape is constantly evolving and has become a growing threat across many industries, including healthcare, government, military, and both IT and non-IT organizations.


Ransomware is a type of malicious software (malware) designed to block access to a computer system, files, or data until a ransom is paid to the attacker.


Traditionally, ransomware has been distributed via email attachments, malicious file downloads, or by compromising vulnerable infrastructure.


Recent trends, however, show that many adversaries have started delivering and executing ransomware via HTML smuggling.




What is HTML Smuggling?


Attackers craft a malicious HTML attachment that carries an encoded malicious script. When the victim opens the HTML file in a web browser, the browser decodes the embedded script, which then assembles the payload on the victim's machine. Because the payload is built client-side inside the browser rather than downloaded from a server, it passes through email and network gateways as what looks like an ordinary HTML document.


How ransomware execution via HTML smuggling works



  • Traditional HTML smuggling begins with an email sent to the end user carrying an HTML attachment.


  • When the user opens the HTML file, a fake Adobe page is displayed and a ZIP file automatically starts downloading.


  • The crafted Adobe lure includes the password for the ZIP.


  • Password-protecting the archive shields its malicious contents from automated analysis, since sandboxes and gateways cannot extract the archive without the password.


  • Inside the ZIP is an ISO file, and inside the ISO is the malware payload. The only file visible to the user is a LNK (shortcut) file masquerading as a document.


  • When the user clicks the shortcut, a series of commands runs in the background, including deploying and executing the ransomware.
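As an added defender-side example (not code from the original post), the following Python script statically triages an HTML attachment for the indicators described above: the browser APIs a smuggling page needs to decode and drop a file client-side, a long base64 literal, and, once that literal is decoded, whether it is a ZIP, whether the ZIP is password-protected, and whether it wraps an ISO. The marker list, the scoring threshold and the sample HTML (a dummy ZIP holding an empty ISO, not a real lure) are my own constructions.

```python
import base64
import io
import re
import zipfile

# Browser APIs a smuggling page relies on to decode and drop a file client-side.
SMUGGLING_MARKERS = [
    r"\batob\s*\(", r"\bnew\s+Blob\s*\(", r"URL\.createObjectURL",
    r"msSaveOrOpenBlob", r"\bdownload\s*=", r"application/octet-stream",
]
# A long base64 string literal is where the smuggled archive usually hides.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{200,}={0,2})["\']')

def analyse_embedded_archive(blob):
    """Is the decoded blob a ZIP, is it password-protected, and does it wrap an ISO?"""
    info = {"is_zip": blob.startswith(b"PK\x03\x04"), "encrypted": False, "iso_entries": []}
    if not info["is_zip"]:
        return info
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for entry in zf.infolist():
                if entry.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                    info["encrypted"] = True
                if entry.filename.lower().endswith(".iso"):
                    info["iso_entries"].append(entry.filename)
    except zipfile.BadZipFile:
        info["is_zip"] = False
    return info

def scan_html(html):
    """Return the markers found, an analysis of each embedded archive, and a verdict."""
    markers = [m for m in SMUGGLING_MARKERS if re.search(m, html)]
    archives = []
    for literal in B64_LITERAL.findall(html):
        try:
            archives.append(analyse_embedded_archive(base64.b64decode(literal, validate=True)))
        except ValueError:
            continue  # not valid base64 after all
    # Threshold is an assumption: three dropper APIs plus an embedded blob is a strong signal.
    return {"markers": markers, "archives": archives, "suspicious": len(markers) >= 3 and bool(archives)}

def build_sample():
    """Constructed sample (not a real lure): a ZIP wrapping a dummy ISO, embedded in HTML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.iso", b"\x00" * 64)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return ('<html><body><p>Adobe: archive password is 1234</p><a download="document.zip">Open</a>'
            '<script>var data = atob("' + b64 + '"); var blob = new Blob([data], '
            '{type: "application/octet-stream"}); var url = URL.createObjectURL(blob);</script></body></html>')
```

Run `scan_html(build_sample())` to see the five markers, the decoded ZIP flagged as carrying an ISO, and `suspicious: True`; a real triage pipeline would feed the extracted archive on to sandbox detonation.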


Use Case: Nokoyawa Ransomware


The threat group behind Nokoyawa performs double-extortion ransomware attacks: it exfiltrates sensitive information from the organization, then encrypts files and demands a ransom payment. The group commonly uses HTML smuggling for initial access and execution of the ransomware.


Nokoyawa is a 64-bit Windows-based ransomware family that emerged in February 2022.



Thank you for taking the time to read this blog post, and I hope that it has been helpful to you. I'd love to hear your thoughts, so please comment below and let me know your thoughts!


Ref:

https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust



