Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Ongoing Campaign Uses HTML Smuggling for Malware Delivery

An ongoing cybercrime campaign is employing a technique known as HTML smuggling to deliver malware onto the victim’s machine, Menlo Security reports.

Referred to as Duri, the campaign started in early July and continues to date, attempting to evade network security solutions, including proxies and sandboxes, to deliver malicious code.

An ongoing cybercrime campaign is employing a technique known as HTML smuggling to deliver malware onto the victim’s machine, Menlo Security reports.

Referred to as Duri, the campaign started in early July and continues to date, attempting to evade network security solutions, including proxies and sandboxes, to deliver malicious code.

The employed technique, HTML smuggling, relies on HTML5/JavaScript for the download of files, and can be of two types: Data URLs are used for the download; or a JavaScript blob is created, and a specific MIME-type is used to download content.

“In this specific attack, we observed the JavaScript blob technique being used to smuggle malicious files via the browser to the user’s endpoint. Constructing content on the client browser like this evades network security solutions such as sandboxes and proxies,” Menlo Security explains.

As part of the attack, the victim visits a malicious site, which triggers the download through HTML smuggling. The entire payload is constructed in the victim’s browser, and no objects are transferred over the wire.

Before landing on the malicious page, which is hosted on duckdns[.]org, the victim is redirected several times. On the landing page, a JavaScript onload event is invoked, to initialize data for a blob object from which a ZIP file is dynamically constructed.

Advertisement. Scroll to continue reading.

For the attack to be successful, however, the victim needs to open the ZIP file and execute the .msi file inside it. Once opened, the file fetches from a remote location another ZIP file that has a .jpg extension, and which contains the malicious payload, Menlo Security reveals.

One of the files extracted from the second ZIP archive is Avira.exe, which is signed by Avira. A similar attack abusing Avira’s executable for malware injection was detailed in April last year, targeting users in South America.

Indicators of compromise shared by Menlo Security suggest that Duri is aimed at the same audience. The employed malware, the Metamorfo banking Trojan, has been active since at least 2018 and is using various cloud hosting providers to store payloads. Recently, it was observed reaching targets in the USA, Chile, Spain, Mexico and other regions as well.

“Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up. We believe HTML smuggling is one such technique that will be incorporated into the attackers’ arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it,” the security firm concludes.

Related: ‘Tetrade’ Brazilian Banking Trojans Go International

Related: Guildma Malware Expands Targets Beyond Brazil

Related: Silent Night: A New Malware-as-a-Service Banking Trojan Analyzed

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.