Security Experts:

Ongoing Campaign Uses HTML Smuggling for Malware Delivery

An ongoing cybercrime campaign is employing a technique known as HTML smuggling to deliver malware onto the victim’s machine, Menlo Security reports.

Referred to as Duri, the campaign started in early July and continues to date, attempting to evade network security solutions, including proxies and sandboxes, to deliver malicious code.

The employed technique, HTML smuggling, relies on HTML5/JavaScript for the download of files, and can be of two types: Data URLs are used for the download; or a JavaScript blob is created, and a specific MIME-type is used to download content.

“In this specific attack, we observed the JavaScript blob technique being used to smuggle malicious files via the browser to the user’s endpoint. Constructing content on the client browser like this evades network security solutions such as sandboxes and proxies,” Menlo Security explains.

As part of the attack, the victim visits a malicious site, which triggers the download through HTML smuggling. The entire payload is constructed in the victim’s browser, and no objects are transferred over the wire.

Before landing on the malicious page, which is hosted on duckdns[.]org, the victim is redirected several times. On the landing page, a JavaScript onload event is invoked, to initialize data for a blob object from which a ZIP file is dynamically constructed.

For the attack to be successful, however, the victim needs to open the ZIP file and execute the .msi file inside it. Once opened, the file fetches from a remote location another ZIP file that has a .jpg extension, and which contains the malicious payload, Menlo Security reveals.

One of the files extracted from the second ZIP archive is Avira.exe, which is signed by Avira. A similar attack abusing Avira’s executable for malware injection was detailed in April last year, targeting users in South America.

Indicators of compromise shared by Menlo Security suggest that Duri is aimed at the same audience. The employed malware, the Metamorfo banking Trojan, has been active since at least 2018 and is using various cloud hosting providers to store payloads. Recently, it was observed reaching targets in the USA, Chile, Spain, Mexico and other regions as well.

“Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up. We believe HTML smuggling is one such technique that will be incorporated into the attackers’ arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it,” the security firm concludes.

Related: 'Tetrade' Brazilian Banking Trojans Go International

Related: Guildma Malware Expands Targets Beyond Brazil

Related: Silent Night: A New Malware-as-a-Service Banking Trojan Analyzed

view counter