Researchers Warn of Active Malware Campaign Using HTML Smuggling

mood · Aug 19, 2020

Researchers Warn of Active Malware Campaign Using HTML Smuggling
August 18, 2020
https://threatpost.com/active-malware-campaign-html-smuggling/158439/

An active campaign has been spotted that utilizes HTML smuggling to deliver malware, effectively bypassing various network security solutions, including sandboxes, legacy proxies and firewalls.
Krishnan Subramanian, security researcher with Menlo Security, told Threatpost that the campaign uncovered on Tuesday, dubbed “Duri,” has been ongoing since July.

It works like this: The attackers send victims a malicious link. Once they click on that link, a JavaScript blob technique is being used to smuggle malicious files via the browser to the user’s endpoint (i.e., HTML smuggling). Blobs, which mean “Binary Large Objects” and are responsible for holding data, are implemented by web browsers.
Click to expand...

Because HTML smuggling is not necessarily a novel technique — it’s been used by attackers for awhile, said Subramanian — this campaign shows that bad actors continue to rely on older attack methods that are working. Learn more about this latest attack and how enterprises can protect themselves from HTML-smuggling attacks, during this week’s Threatpost podcast.
Click to expand...

mood · Aug 19, 2020

Duri campaign smuggles malware via HTML and JavaScript
August 18, 2020
https://www.bleepingcomputer.com/ne...ign-smuggles-malware-via-html-and-javascript/

A new attack campaign uses a combination of HTML smuggling techniques and data blobs to evade detection and download malware.
Dubbed Duri, the campaign exploits the JavaScript blob method which generates the malicious file in the web browser, thus avoiding detection by sandboxes and proxies.
What is HTML smuggling?
HTML smuggling uses a combination of JavaScript, HTML5, and its technologies such as "data:" URLs to generate the payload on the fly and serve file downloads from within the browser, rather than a direct URL pointing to a server.

"With Duri, the entire payload is constructed on the client-side (browser), so no objects are transferred over the wire for the sandbox to inspect," states Menlo's report.
For those interested, Stan Hegt of Outflank, explains the technique perfectly.
Click to expand...

Dissecting the Duri's payload
As shown, a ZIP file is generated from nothing but the JavaScript code. At the end of its execution, the script prompts the download of this archive in the web browser.

Digging deeper, the researchers observed the JScript carried out the following actions: [...]
The researchers expect these evasive techniques to be incorporated in future iterations of attacks as well.

"Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up. We believe HTML smuggling is one such technique that will be incorporated into the attackers’ arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it," says Menlo Security.
Click to expand...

Log in or Sign up

Researchers Warn of Active Malware Campaign Using HTML Smuggling

mood Updates Team

mood Updates Team

Log in or Sign up

Researchers Warn of Active Malware Campaign Using HTML Smuggling

mood Updates Team

mood Updates Team

Useful Searches