Highly Evasive Adaptive Threat Explained

A Highly Evasive Adaptive Threat (HEAT) is a cybersecurity attack type designed to bypass traditional network security defenses.^{[1] [2]} HEAT attacks are designed to find ways around protections that have been in place for years.^[3] HEAT attacks are able to bypass typical cybersecurity controls, such as secure web gateways (SWG) and anti-malware capabilities, through malicious links disguised as common URLs that victims assume are safe. HEAT attacks go beyond traditional phishing methods, which have historically been delivered by email, by inserting themselves into links that are not flagged by anti-phishing software.^[4] Similar to most cybersecurity threats, the drivers of HEAT attacks are primarily monetary and political. HEAT attacks focus on technical limitations of commonly deployed security tools with the primary target being web browsers.^[5] Nation-states and cybercriminals typically use HEAT attacks for phishing attempts or ransomware initial access.^[6]

Highly Adaptive Evasive Threats (HEAT) require adaptive threat analysis technology to detect threats missed by other approaches.^[7]

Definition

HEAT attacks demonstrate four primary characteristics^[8]

• Evades offline categorization and threat detection  - HEAT attacks bypass URL filtering by using ephemeral and/or compromised malicious sites with benign categorization.
• Evades malicious link analysis  - HEAT attacks bypass email security tools by expanding from email phishing links to other sources such as web, social media, SMS, and file sharing platforms.
• Evades static and dynamic content inspection  - HEAT attacks bypass file-based inspection by using dynamic file downloads (i.e. HTML smuggling).
• Evades HTTP traffic inspection  - HEAT attacks bypass HTTP content/page inspection by using dynamically generated and/or obfuscated content (JavaScript code and images).

History and notable HEAT attacks

Though some of the techniques used in HEAT attacks have been in the industry for several years, the increasing trends towards remote work, increasing use of Software as a Service (SaaS) and browser-based applications, and ransomware attacks have accelerated adoption of HEAT techniques by attackers.

• DURI  - the DURI HEAT attack was discovered in 2020. Duri's payload was malware that had been previously detected.^[9] However the delivery method evolved to use a HEAT attack technique, HTML smuggling, to increase its infection rate of targeted endpoints ^[10] :.
• Qakbot  - Qakbot is a banking trojan that has been in use since at least 2007. Qakbot is actively maintained and recent modifications include the use of HEAT attacks such as password protected zip files.^[11]
• Nobelium  - Nobelium malware is typically used in attacks focused on financial services and other highly targeted victims. The smuggling technique encoded a script within a web page or HTML attachment. The user's web browser decodes the script which subsequently creates the malware payload on the host computer.^[12]

Notes and References

1. Web site: Too hot to handle: Why modern work has given rise to HEAT attacks. Menlo. Security. February 2, 2022. Menlo Security.
2. Web site: 3 Challenges to Identifying Evasive Threats. Palo Alto Networks.
3. Web site: The Browser Renaissance: Reshaping the Enterprise Browser Landscape. 31 July 2023 . www.youtube.com.
4. Web site: HEAT attacks: A new spin on browser exploit techniques. March 30, 2023. BetaNews.
5. Web site: Browser-based HEAT attacks putting CISOs on the hot seat. Bradley. Barth. September 27, 2022. SC Media.
6. https://ten-inc.com/presentations/Menlo-Threat-Landscape-HEATs-Up-with-Highly-Evasive-Adaptive-Threats.pdf
7. Web site: Leverage Adaptive Threat Analysis to Detect Highly Evasive Malware. info.opswat.com.
8. Web site: The four evasive techniques of Highly Evasive Adaptive Threats -.
9. Web site: Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors. Andrea Kaiser, Shyam Sundar. Ramaswami. April 1, 2020. Cisco Umbrella.
10. Web site: New HTML Smuggling Attack Alert: Duri. Krishnan. Subramanian. August 18, 2020. Menlo Security.
11. https://www.malware-traffic-analysis.net/2020/04/08/index.html/
12. Web site: HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks. Microsoft Threat. Intelligence. November 11, 2021. Microsoft Security Blog.