Hackers use HTML Smuggling Technique to Deliver Ransomware. Threat actors have adopted the evasive HTML smuggling technique to launch the Nokoyawa ransomware, which is similar to the known ransomware families Nemty and Karma. HTML smuggling attacks use JavaScript and HTML to obfuscate the HTML file that carries the payload. The payload is delivered via email with a ZIP file attached: the user opens the HTML file, downloads the ZIP file, and enters its password. The malware payload is embedded in an ISO file disguised as an LNK file. Rundll32 and a malicious DLL are copied and executed, and persistence is established through a scheduled task. The threat actor then uses a Cobalt Strike beacon to find domain administrators, initiates an RDP session to move laterally to a domain controller, and uses SessionGopher to log into additional hosts. The ransomware is finally launched using the k.exe and p.bat files. #HTMLSmuggling #Ransomware

https://cybersecuritynews.com/html-smuggling-ransomware/
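Since the note describes HTML smuggling only in one sentence, here is an added example of how a defender can triage HTML email attachments for it. This is illustrative code written for this page, not code from the article or from any vendor; the indicator strings, the scoring weights, the threshold and both sample documents are assumptions chosen for the example (the "payloads" in the samples are constructed placeholders consisting of a file magic number followed by zero bytes, not real archives or images).

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Strings that defensive write-ups of HTML smuggling commonly key on: the HTML
# file carries an encoded blob and uses browser APIs to turn it into a download.
# Indicator set and weights are this example's assumptions, not a published rule.
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "archive_name": re.compile(r"[\"'][^\"']*\.(?:zip|iso|img|vhd)[\"']", re.I),
}
# A long run of base64 characters is where a smuggled archive usually hides.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")
MIN_SCORE = 4  # threshold assumed for this example; tune against your own mail flow


@dataclass
class Verdict:
    indicators: List[str]
    largest_b64: int
    decoded_magic: Optional[str]
    score: int
    suspicious: bool


def _magic(b64_run: str) -> Optional[str]:
    """Decode only the first 64 base64 chars (48 bytes) of a run and classify by file magic."""
    try:
        head = base64.b64decode(b64_run[:64])
    except ValueError:
        return None
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"\x89PNG"):
        return "png"
    return None


def scan_html(html: str) -> Verdict:
    """Score one HTML attachment for HTML-smuggling indicators."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    runs = B64_RUN.findall(html)
    largest = max((len(r) for r in runs), default=0)
    magic = _magic(max(runs, key=len)) if runs else None
    score = len(hits)
    if runs:                    # an embedded blob big enough to be a file
        score += 2
    if magic in ("zip", "pe"):  # the blob decodes to an archive or executable
        score += 2
    return Verdict(hits, largest, magic, score, score >= MIN_SCORE)


# Constructed samples: a magic number followed by zero bytes, not real files.
FAKE_ZIP = base64.b64encode(b"PK\x03\x04" + b"\x00" * 500).decode()
FAKE_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 500).decode()

SUSPICIOUS_HTML = (
    "<html><body><p>Your document is loading...</p><script>\n"
    "// constructed fragment carrying only the strings a scanner keys on\n"
    f'var data = atob("{FAKE_ZIP}");\n'
    "var blob = new Blob([data]);\n"
    'var a = document.createElement("a");\n'
    "a.href = URL.createObjectURL(blob);\n"
    'a.download = "Invoice.zip";\n'
    "</script></body></html>"
)

# A newsletter with an inline image: also has a long base64 run, but no
# browser download APIs and the blob decodes to an image, not an archive.
BENIGN_HTML = (
    "<html><body><h1>Monthly newsletter</h1>\n"
    f'<img src="data:image/png;base64,{FAKE_PNG}" alt="logo">\n'
    '<p><a href="https://example.invalid/unsubscribe">Unsubscribe</a></p>\n'
    "</body></html>"
)

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        v = scan_html(doc)
        print(f"{label}: score={v.score} magic={v.decoded_magic} indicators={v.indicators}")
```

The point of decoding the head of the largest base64 run is to separate inline images, which legitimate marketing mail embeds all the time, from an embedded ZIP or PE: on its own a long base64 run is a weak signal, but a run that decodes to an archive next to `atob`, `Blob` and `createObjectURL` is the pattern the note describes. In practice this runs over attachments extracted by the mail gateway, and the verdict feeds a quarantine or analyst review rather than an automatic block.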
