Attack Alert: New HTML Smuggling Campaign ‘Duri’ Is Active

Threat actors behind the Duri attacks are leveraging HTML and JavaScript used in the web browsers to deliver malicious payload without being traced. Menlo Security published the details of the HTML smuggling technique used to compromise system security with existing malware. 

No surprise here, attackers are getting increasingly creative. Security researchers at Menlo Security have been keeping an eye on a campaign, which has been active since early July. Dubbed ‘Duri’ by Menlo Security, the attack implements HTML smuggling and data blobs to deliver malware payloads onto the victim’s system.

This new method of attack bypasses network securityOpens a new window safeguards like sandboxes, proxies, and firewalls by going through a series of carefully orchestrated steps. Menlo’s report stated, “Traditional network security solutions such as proxies, firewalls, and sandboxes rely on the transfer of objects over the wire. For example, a sandbox might extract file objects such as .exe, .zip, and other suspicious objects from the wire and then send them to the sandbox for detonation.”

The malicious file was detected after a user attempted to download a file from a website. Menlo’s security checks flagged it as suspicious and blocked the download. The suspicion was further validated when the file invoked JavaScript code to generate the payload on the victim system. The reportOpens a new window added, “With Duri, the entire payload is constructed on the client side (browser), so no objects are transferred over the wire for the sandbox to inspect.”

See Also: Jack Daniel’s Maker Brown-Forman Fights Off REvil Ransomware

What is HTML Smuggling? 

HTML smuggling is one of the ways of infecting endpoints with the same malware, that is enabled via cloud hosts. Previously, this malware was delivered directly through Dropbox, according to CiscoOpens a new window . So why change the tactic and not the malware? Menlo stated in the report, “We speculate that this change in tactic is being used to increase the success rate of compromised endpoints.”

Researchers added, “Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up. We believe HTML smuggling is one such technique that will be incorporated into the attackers’ arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it.”

HTML5 and JavaScript is used in all major browsers available today, which makes them susceptible to such kinds of attacks in the absence of appropriate safeguards. When a user browses the web and clicks on a link, they are redirected multiple times before ending up on a landing page hosted on ‘duckdns.org’. Upon the arrival on the page, the JavaScript code then creates a binary large object or blob is created on the system, from within the script’s base64 encoded variable. It can also use data: URLsOpens a new window to initiate payload downloads.

See Also: Blackbaud Hack Sparks Identity Theft Fears

Menlo researchers inspecting the payload observed the following actions that are executed through JavaScript:

1. A file with a JPG extension, which is actually a ZIP file is downloaded from a remote location: hxxp://104[.]214[.]115[.]159/mod/input20[.]jpg
2. The downloaded file is placed in the Public Documents folder, and files extracted from the archive.
3. The two extracted files Avira.exe and rundll.exe are renamed randomly. Avira.exe file’s extension remains the same while the rundll.exe file is named with a .bmp extension.
4. A LNK (windows shortcut link) file appears in the %appdata% (roaming) folder, with its target as the renamed Avira.exe file.
5. Create an autorun key for the above LNK file to ensure it runs on every boot up.
6. Runs powershell.exe command:

cd;cd ‘C:UsersJohn SmithAppDataRoamingMicrosoftWindowsStart MenuProgramsStartup’;Start-Sleep -s 60;Start-Process ‘YOUXQNWXME.lnk’

What’s interesting about Duri attacks is that they do not attempt to exploit any system weaknesses. They simply misuse credible, not to mention widely used languages, and communication and transfer protocols, which makes these attacks all the more threatening.

Let us know if you liked this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!