An ongoing cybercrime campaign is employing a technique known as HTML smuggling to deliver malware onto the victim’s machine, Menlo Security reports.
Referred to as Duri, the campaign started in early July and continues to date, attempting to evade network security solutions, including proxies and sandboxes, to deliver malicious code.
The employed technique, HTML smuggling, relies on HTML5/JavaScript for the download of files, and can be of two types: Data URLs are used for the download; or a JavaScript blob is created, and a specific MIME-type is used to download content.
“In this specific attack, we observed the JavaScript blob technique being used to smuggle malicious files via the browser to the user’s endpoint. Constructing content on the client browser like this evades network security solutions such as sandboxes and proxies,” Menlo Security explains.
As part of the attack, the victim visits a malicious site, which triggers the download through HTML smuggling. The entire payload is constructed in the victim’s browser, and no objects are transferred over the wire.
Before landing on the malicious page, which is hosted on duckdns[.]org, the victim is redirected several times. On the landing page, a JavaScript onload event is invoked, to initialize data for a blob object from which a ZIP file is dynamically constructed.
For the attack to be successful, however, the victim needs to open the ZIP file and execute the .msi file inside it. Once opened, the file fetches from a remote location another ZIP file that has a .jpg extension, and which contains the malicious payload, Menlo Security reveals.
One of the files extracted from the second ZIP archive is Avira.exe, which is signed by Avira. A similar attack abusing Avira’s executable for malware injection was detailed in April last year, targeting users in South America.
Indicators of compromise shared by Menlo Security suggest that Duri is aimed at the same audience. The employed malware, the Metamorfo banking Trojan, has been active since at least 2018 and is using various cloud hosting providers to store payloads. Recently, it was observed reaching targets in the USA, Chile, Spain, Mexico and other regions as well.
“Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up. We believe HTML smuggling is one such technique that will be incorporated into the attackers’ arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it,” the security firm concludes.
Related: ‘Tetrade’ Brazilian Banking Trojans Go International
Related: Guildma Malware Expands Targets Beyond Brazil
Related: Silent Night: A New Malware-as-a-Service Banking Trojan Analyzed
More from Ionut Arghire
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
- US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
Latest News
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Ferrari Says Ransomware Attack Exposed Customer Data
