Cybercriminals are delivering Duri malware through HTML smuggling attack


Researchers find evidence of Duri malware payload being delivered to victims through HTML Smuggling attack

Researchers have discovered a new malware campaign that uses HTML smuggling and data blobs. Security researchers from Menlo Security found that cybercriminals are using an HTML smuggling attack to deliver malware onto victim machines while evading network security solutions, including sandboxes and legacy proxies. Menlo has named the malware Duri; it was first detected in early July of this year.

What is an HTML Smuggling attack?

Traditionally, threat actors use files such as .exe, .zip, and .SLK to deliver a malware payload to the victim's computer. Such files are usually flagged by anti-virus products, which rely on proxies, firewalls, and sandboxes, and they rarely make it to the victim's computer because of the elaborate sandboxing process in both Windows and macOS.

However, HTML files are rarely checked by this anti-virus software. Menlo Security researchers discovered that the entire Duri malware payload is constructed on the client side (in the browser). Because no file is transferred over the network to the victim's computer, nothing is flagged or sandboxed.

Duri's creators leverage HTML5/JavaScript features to deliver file downloads. The threat actors can trigger the Duri payload download using Data URLs on the client device, or they can create a JavaScript Blob with the correct MIME type, which results in the Duri malware being downloaded onto the victim's computer.

Here is how the Duri malware can infect your computer. When a victim clicks a link, multiple redirections follow before that person lands on an HTML page hosted at duckdns[.]org. That page runs JavaScript on load, which initializes data for a Blob object from a base64-encoded variable. A .zip file is constructed from the Blob object and downloaded onto the endpoint. The computer then prompts the victim to open and execute the .zip file. The .zip file contains an MSI file, which the victim's computer recognizes as a Microsoft Windows installer and allows to proceed. Once the download is complete, Duri executes under the very nose of Microsoft Defender and other AV products.

“With Duri, the entire payload is constructed on the client-side (browser), so no objects are transferred over the wire for the sandbox to inspect,” researchers state in a report. In this case, they say, attackers were seen using the JavaScript blob technique to smuggle malicious files via the browser onto the target’s endpoint.
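A detection-side illustration of the chain described above, added here and not taken from Menlo's report: a static check that decodes long base64 literals found in a fetched HTML page, looks for archive or installer magic bytes, and pairs that with the Blob/createObjectURL APIs that turn those bytes into a download on the endpoint. The sample pages, the zip header bytes and the file name report.zip are constructed for the example.

```python
import base64
import re

# JavaScript APIs the article names for assembling a file in the browser.
API_PATTERNS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\.download\s*="),
}
# Magic bytes of the containers a smuggled payload decodes to (.zip, OLE/.msi, PE).
MAGIC = {b"PK\x03\x04": "zip", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole/msi", b"MZ": "pe"}
# A long base64 literal in the page source is the candidate payload.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")

def embedded_payload_types(html: str) -> list:
    """Decode every long base64 literal and report recognised file types."""
    found = []
    for literal in B64_LITERAL.findall(html):
        try:
            head = base64.b64decode(literal, validate=True)[:8]
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        found.extend(kind for magic, kind in MAGIC.items() if head.startswith(magic))
    return found

def score_html(html: str) -> dict:
    """Flag pages carrying payload bytes plus the APIs needed to write them out as a file."""
    apis = [name for name, pat in API_PATTERNS.items() if pat.search(html)]
    payloads = embedded_payload_types(html)
    materialises = "object_url" in apis or "ms_save_blob" in apis
    return {"apis": apis, "payloads": payloads,
            "suspicious": bool(payloads) and "blob_constructor" in apis and materialises}

# Constructed sample modelled on the article's description (not the real Duri page):
# a base64 variable becomes a Blob that is offered to the user as a .zip download.
_FAKE_ZIP = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()
SAMPLE_HTML = (
    "<html><body onload='go()'><script>"
    f"var file = '{_FAKE_ZIP}';"
    "function go(){var s=atob(file);var a=new Uint8Array(s.length);"
    "for(var i=0;i<s.length;i++)a[i]=s.charCodeAt(i);"
    "var blob=new Blob([a],{type:'application/zip'});"
    "var l=document.createElement('a');l.href=URL.createObjectURL(blob);"
    "l.download='report.zip';l.click();}</script></body></html>"
)
# Constructed benign page: a short inline image data URL, no Blob assembly.
BENIGN_HTML = "<html><body><img src='data:image/png;base64,iVBORw0KGgo='></body></html>"
```

Because the check runs on the HTML text itself, it works at a proxy or in a sandbox that never sees a file transfer, which is exactly the gap the article says Duri exploits.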

Menlo Security’s Krishnan Subramanian says that HTML smuggling is not a new technique. In fact, HTML smuggling attacks were popular in the 2000s, but over the years they have died down. Subramanian says the Duri malware campaign reveals that bad actors continue to rely on older attack methods for maximum infections.
