The HTML, CSS and Javascript Trojan Horse — Smuggling Malware through Web Resources
‘Last Mile Reassembly Attacks’ evade every Secure Web Gateway in the market and deliver known malware to the endpoint

At DEF CON 32, SquareX presented comprehensive research on the vulnerabilities of Secure Web Gateways (SWGs), which expose enterprises to a myriad of client-side web attacks that they cannot protect against. Collectively, these attacks are called ‘Last Mile Reassembly Attacks’.
Exploiting Fundamental Webpage Components
Modern web applications rely heavily on HTML, CSS, and JavaScript to render content, execute code, and provide rich, interactive experiences for users. Attackers have discovered that these elements can be exploited to conceal malware in plain sight. Unlike traditional file-based attacks that SWGs are designed to catch, these client-side attacks embed malicious code within innocuous-looking web resources, slipping past network-level defenses unnoticed.
For example, an attacker might embed malicious content as a binary array within an HTML tag. To the SWG, this appears as regular HTML data, which is then allowed to pass through unimpeded. Once the content reaches the victim’s browser, a JavaScript function extracts the hidden payload from the HTML tag and assembles it into a fully functional malware file that executes on the client device.
The same techniques can be applied to CSS and JavaScript, both of which are essential components of nearly every web page. Attackers can embed malware within a CSS variable or a JavaScript array, making it nearly impossible for SWGs to identify the threat. In a CSS attack, for instance, the binary data of the malware is stored in a seemingly harmless CSS rule. When the web page is loaded in the browser, a simple JavaScript script reads the CSS rule, extracts the embedded malware, and assembles it for execution.
JavaScript arrays are similarly exploited. Attackers can encode malware as a series of byte arrays within JavaScript. Since SWGs don’t perform live dynamic analysis on JavaScript, the embedded code passes through without triggering any alarms. Once on the client side, the JavaScript reads the arrays, reassembles the binary data, and executes the malicious payload.
Assembling Malware on the Client Side: Where SWGs Are Blind
SWGs operate effectively at the network layer, scanning for known signatures, analyzing file types, and detecting malicious patterns as data moves across the network. However, these systems lack visibility into what happens once the data reaches the browser. Client-side assembly attacks are particularly dangerous because they rely on building the malware within the victim’s browser — where SWGs have no insight or control.
SWGs are unaware that a file download event has even taken place. This makes these attacks extremely difficult to detect and prevent. The malicious payload only takes shape once it is inside the browser, using legitimate web resources to assemble itself. From the SWG’s perspective, nothing appears amiss, as the individual components of the malware are scattered across HTML tags, CSS rules, or JavaScript arrays — none of which are inherently malicious in isolation.
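As an added illustration (not SquareX's code), the following Python does the reassembly step at inspection time rather than in the browser: it decodes the JS byte arrays and base64 runs found inside an HTML, CSS or JS resource and flags any that decode to a known executable or archive header. The samples are constructed stubs (a PE header and a ZIP header padded with zeros), not real malware.

```python
import base64
import re
from typing import Optional

# Magic bytes of file types an SWG would normally block as downloads.
MAGIC = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP archive",
}

# Carriers described in the post: a JS array of 8+ byte literals, or a
# base64 run of 16+ chars inside a CSS value, HTML attribute or string.
BYTE_ARRAY_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){7,}\d{1,3}\s*\]")
BASE64_RE = re.compile(
    r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

def classify(blob: bytes) -> Optional[str]:
    """Name the file type if the decoded blob starts with a known magic."""
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    return None

def scan_resource(text: str) -> list:
    """Decode every embedded byte array / base64 run in a web resource and
    report those that decode to a recognizable file header."""
    candidates = []
    for m in BYTE_ARRAY_RE.finditer(text):
        vals = [int(v) for v in re.findall(r"\d{1,3}", m.group(0))]
        if all(v < 256 for v in vals):
            candidates.append(("js-byte-array", m.start(), bytes(vals)))
    for m in BASE64_RE.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        candidates.append(("base64-string", m.start(), blob))
    return [{"carrier": c, "offset": o, "size": len(b), "type": classify(b)}
            for c, o, b in candidates if classify(b)]

# Constructed samples (not real malware): PE and ZIP headers padded with
# zeros, smuggled the three ways the post describes.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
ZIP_STUB = b"PK\x03\x04\x0a\x00" + b"\x00" * 26
SAMPLE_JS = "var p = [" + ",".join(str(b) for b in PE_STUB) + "];"
SAMPLE_CSS = ':root { --img: "%s"; }' % base64.b64encode(PE_STUB).decode()
SAMPLE_HTML = '<div data-blob="%s"></div>' % base64.b64encode(ZIP_STUB).decode()
```

Only blobs with a recognized header are reported; a size threshold on unrecognized blobs would catch packed or encrypted payloads at the cost of more noise.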
A browser-native solution detects malicious file downloads at the last mile, before the file drops to the user's disk. This is done upstream, before any endpoint security solution kicks in.
As attackers continue to find new ways to bypass traditional security measures, enterprises must adopt browser-native security solutions to protect against the next generation of client-side attacks.
Assess your Secure Web Gateway
Similar to smuggling malware through HTML, CSS and JS, there are more than 30 attacks that bypass all Secure Web Gateways. Check if your enterprise is vulnerable to them at https://browser.security/

The HTML, CSS and Javascript Trojan Horse — Smuggling Malware through Web Resources was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from SquareX Labs - Medium authored by Engineering @ SquareX. Read the original post at: https://labs.sqrx.com/the-html-css-and-javascript-trojan-horse-smuggling-malware-through-web-resources-da424ab7b838?source=rss----f5a55541436d---4

