Threat actors utilize HTML Smuggling techniques in recent campaigns to deliver Qakbot XWorm Cobalt Strike and IcedID.
Initially a spear-phishing email is sent to the target with an HTML attachment once opened the HTML file may directly drop an archive file containing a malicious LNK file to the victim machine or present a file impersonating well know vendors such as Adobe Google or Dropbox.
The victim is then coerced into executing the archive or saving and executing a malicious file in the form of an .ISO .IMG or VHD image file.
In either scenario the file contains an LNK file that executes commands to load a decoy file and uses the native binary rundll32 to load the malware payload.
SkyWatchSM Alert Legend
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).
Disclosure is Not Limited.
Limited Disclosure, Restricted Only to the Community.
Limited Disclosure, restricted to the Participant's Organization.
Not for Disclosure, Restricted/ Classified - Only Shared with US DHS.