Researchers find evidence of Duri malware payload being delivered to victims through HTML Smuggling attack
Researchers have discovered a new malware attack campaign that uses HTML smuggling and data blobs. Security researchers from Menlo Security found that cybercriminals are using an HTML smuggling attack to deliver malware onto victim machines while evading network security solutions, including sandboxes and legacy proxies. Menlo has named the malware Duri; it was first detected in early July of this year.
What is an HTML Smuggling attack?
Traditionally, threat actors use files such as .exe, .zip and .SLK to deliver a malware payload to the victim's computer. Such files are usually flagged by anti-virus software products, proxies, firewalls, and sandboxes, and they rarely make it to the victim's computer due to the elaborate sandboxing process in both Windows and macOS.
However, HTML files are rarely checked by this anti-virus software. Menlo Security researchers discovered that the entire Duri malware payload is constructed on the client side, in the browser. Since no file as such is transferred to the victim's computer, there is nothing for these tools to flag or sandbox.
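Because the payload is assembled in the browser from an encoded string, a network-side scanner never sees a file object; what it can inspect is the HTML and script text itself. The scanner below is an added example written for this article, not Menlo Security's tooling or anything from the Duri campaign: it scores an HTML document on the browser APIs that reassemble a Blob and hand it to the user as a download, plus the presence of an unusually long base64 literal. The indicator list, weights and threshold are this example's own choices; the two sample pages are constructed and inert (the "payload" is the string "ABC" repeated, and the script never attaches or clicks the link).

```python
import re
from dataclasses import dataclass, field

# Weighted indicators of a page that rebuilds a file client-side from an
# embedded string. Weights and threshold are this example's own choices,
# not a published detection rule.
INDICATORS = {
    "blob_ctor":     (re.compile(r"new\s+Blob\s*\("), 3),
    "object_url":    (re.compile(r"URL\.createObjectURL\s*\("), 3),
    "ie_save_blob":  (re.compile(r"msSaveOrOpenBlob\s*\("), 3),
    "base64_decode": (re.compile(r"\batob\s*\("), 2),
    "download_attr": (re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"), 2),
    "octet_stream":  (re.compile(r"application/octet-stream", re.I), 1),
}
# A quoted base64-looking literal of 512+ characters is the smuggled
# payload itself; ordinary pages rarely embed strings this long.
LONG_B64 = re.compile(r"[\"']([A-Za-z0-9+/]{512,}={0,2})[\"']")
THRESHOLD = 6


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)
    payload_bytes: int = 0  # approximate decoded size of the embedded literal

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def scan_html(html: str) -> Verdict:
    """Score raw HTML/script text for the client-side file-reassembly pattern."""
    v = Verdict(score=0)
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(html):
            v.hits.append(name)
            v.score += weight
    m = LONG_B64.search(html)
    if m:
        v.hits.append("long_base64_literal")
        v.score += 3
        v.payload_bytes = len(m.group(1)) * 3 // 4
    return v


# Constructed benign page: a plain link to a server-hosted file. The
# `download` attribute alone must not be enough to flag it.
BENIGN_HTML = """<html><body>
<p>Quarterly report</p>
<a href="/files/report.pdf" download="report.pdf">Download PDF</a>
</body></html>"""

# Constructed inert sample of the smuggling pattern. The literal is 640
# base64 characters of filler (b"ABC" repeated), not a real payload, and
# the link is never added to the page or clicked.
_FILLER_B64 = "QUJD" * 160
SMUGGLING_HTML = f"""<html><body><script>
var blob = new Blob([atob("{_FILLER_B64}")], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.pdf";
</script></body></html>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("smuggling", SMUGGLING_HTML)):
        v = scan_html(doc)
        print(f"{label}: score={v.score} suspicious={v.suspicious} "
              f"hits={v.hits} payload~{v.payload_bytes}B")
```

The benign page scores 2 (only the `download` attribute) and passes, while the constructed sample scores 14 because the Blob constructor, object-URL creation, base64 decode, download attribute, MIME type and long literal all occur together. A proxy or mail gateway that can only inspect the HTML body would apply a rule like this to the text, since the reassembled file never crosses the wire as a file.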
Menlo Security's Krishnan Subramanian says that HTML smuggling is not a new technique. In fact, HTML smuggling attacks were popular in the 2000s, but over the years they have died down. Subramanian says the Duri malware campaign shows that bad actors continue to rely on older attack methods for maximum infections.