Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Ongoing Campaign Uses HTML Smuggling for Malware Delivery

An ongoing cybercrime campaign is employing a technique known as HTML smuggling to deliver malware onto the victim’s machine, Menlo Security reports.

Referred to as Duri, the campaign started in early July and continues to date, attempting to evade network security solutions, including proxies and sandboxes, to deliver malicious code.

An ongoing cybercrime campaign is employing a technique known as HTML smuggling to deliver malware onto the victim’s machine, Menlo Security reports.

Referred to as Duri, the campaign started in early July and continues to date, attempting to evade network security solutions, including proxies and sandboxes, to deliver malicious code.

The employed technique, HTML smuggling, relies on HTML5/JavaScript for the download of files, and can be of two types: Data URLs are used for the download; or a JavaScript blob is created, and a specific MIME-type is used to download content.

“In this specific attack, we observed the JavaScript blob technique being used to smuggle malicious files via the browser to the user’s endpoint. Constructing content on the client browser like this evades network security solutions such as sandboxes and proxies,” Menlo Security explains.

As part of the attack, the victim visits a malicious site, which triggers the download through HTML smuggling. The entire payload is constructed in the victim’s browser, and no objects are transferred over the wire.

Before landing on the malicious page, which is hosted on duckdns[.]org, the victim is redirected several times. On the landing page, a JavaScript onload event is invoked, to initialize data for a blob object from which a ZIP file is dynamically constructed.

For the attack to be successful, however, the victim needs to open the ZIP file and execute the .msi file inside it. Once opened, the file fetches from a remote location another ZIP file that has a .jpg extension, and which contains the malicious payload, Menlo Security reveals.

One of the files extracted from the second ZIP archive is Avira.exe, which is signed by Avira. A similar attack abusing Avira’s executable for malware injection was detailed in April last year, targeting users in South America.

Indicators of compromise shared by Menlo Security suggest that Duri is aimed at the same audience. The employed malware, the Metamorfo banking Trojan, has been active since at least 2018 and is using various cloud hosting providers to store payloads. Recently, it was observed reaching targets in the USA, Chile, Spain, Mexico and other regions as well.

“Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up. We believe HTML smuggling is one such technique that will be incorporated into the attackers’ arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it,” the security firm concludes.

Related: ‘Tetrade’ Brazilian Banking Trojans Go International

Related: Guildma Malware Expands Targets Beyond Brazil

Related: Silent Night: A New Malware-as-a-Service Banking Trojan Analyzed

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.