An ongoing cybercrime campaign is employing a technique known as HTML smuggling to deliver malware onto the victim’s machine, Menlo Security reports.
Referred to as Duri, the campaign started in early July and continues to date, attempting to evade network security solutions, including proxies and sandboxes, to deliver malicious code.
As part of the attack, the victim visits a malicious site, which triggers the download through HTML smuggling. The entire payload is constructed in the victim’s browser, and no objects are transferred over the wire.
For the attack to be successful, however, the victim needs to open the ZIP file and execute the .msi file inside it. Once opened, the file fetches from a remote location another ZIP file that has a .jpg extension, and which contains the malicious payload, Menlo Security reveals.
One of the files extracted from the second ZIP archive is Avira.exe, which is signed by Avira. A similar attack abusing Avira’s executable for malware injection was detailed in April last year, targeting users in South America.
Indicators of compromise shared by Menlo Security suggest that Duri is aimed at the same audience. The employed malware, the Metamorfo banking Trojan, has been active since at least 2018 and is using various cloud hosting providers to store payloads. Recently, it was observed reaching targets in the USA, Chile, Spain, Mexico and other regions as well.
“Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up. We believe HTML smuggling is one such technique that will be incorporated into the attackers’ arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it,” the security firm concludes.