Thursday, November 26, 22:28
Home security The Duri campaign spreads malware via HTML and JavaScript

The Duri campaign spreads malware via HTML and JavaScript

A new attack campaign uses a combination of HTML smuggling techniques and data blobs to prevent malware being detected and downloaded. Named Duri, the campaign takes advantage of the JavaScript blob method that creates the malicious file in the Web browser, thus avoiding sandbox and proxy crawling.

“Traditional network security solutions like proxies, firewalls and sandbox are based on the transfer of objects via cable. For example, a sandbox might extract file objects such as .exe, .zip and other suspicious objects from the cable and then send them to the sandbox for detonation, ”says a report published by Menlo Security.

However, Duri incorporates a special technique known as "HTML smuggling".

In July, investigators at Menlo Security noticed that a suspicious download was blocked from their browser.

On closer inspection, they found that the source of the file was not a URL, but the result of JavaScript code that incorrectly inserted a payload into its machine. victim.

What is HTML smuggling?

HTML smuggling uses a combination of JavaScript, HTML5 and its technologies, such as "data:" URLs to generate on-the-go payload and download services from Browser, instead of a direct URL that "shows" a server.

"With Duri, the entire payload is made by the customer (browser), so no objects are transferred from the cable and so the sandbox is checked," says Menlo's report.

For those interested, Outflank's Stan Hegt explains the technique perfectly.

Using a sample Word document loaded with a macro (.doc), Hegt showed how the file could be created entirely in JavaScript and how perimeter-based crawling systems rely solely on file extension would not suspect that an HTML file is malicious.

In the case of Duri, when the user clicks on the link provided by the attacker, many redirects lead them to an HTML page hosted on

This site then launches JavaScript code to create a "blob" object from a base64 encoding variable contained in the script.

Split Duri payload

As shown, a ZIP file is created from JavaScript code only. At the end of the run, the script requests that this file be downloaded to the web browser.

Interestingly, what is contained in the ZIP is an MSI file, which is not a new payload.

The Menlo report explains, “The malware that Duri downloads is not new. According to Cisco, it had previously been delivered through dropbox, but attackers have now displaced Dropbox with other providers cloud hosting and have been incorporated into the HTML smuggling technique to infect endpoints. ”

Researchers analyzed the MSI file and discovered a dark JScript.

A detailed analysis of the company's Duri campaign along with the Zero Trust detection approach used and a long list of campaign-related compromise indicators (IoCs) are provided in their report.


Please enter your comment!
Please enter your name here

Teo Ehc
Be the limited edition.



The value of Bitcoin and other digital currencies fell

The value of Bitcoin and other digital currencies fell on November 25, which triggers scenarios regarding the duration of the explosion ...

Which are the countries with the most economical internet?

Although the Internet is available in almost every country in the world, the cost of subscription, speeds and salaries of citizens ...

How to choose which extensions will appear in the Firefox toolbar

If you are using extensions with Mozilla Firefox and want to add or remove some extension icons from the toolbar, you can ...

WhatsApp OTP Scam: steps to avoid hackers

WhatsApp is gaining more and more reputation as one of the most used mobile messaging applications worldwide, with more users ...

Sophos notifies some customers that their personal information has been exposed

The British cybersecurity and hardware company Sophos sent an email to some of its customers to inform them that their personal ...

A $ 6 million fine was imposed on Facebook for data sharing

Facebook has been fined 6,7 billion won (about $ 6 million) for sharing user data from Korea without ...

How to turn off "Blood Oxygen Monitoring" on the Apple Watch

Apple Watch Series 6 and newer versions come with "blood oxygen monitoring" function. It records even in the background the ...

Ransomware attack hits Baltimore school district!

The Baltimore School District was attacked by ransomware on Nov. 25 and shut down its affected network systems. THE...

Google Chrome: Execute commands via the address bar

Google has released a new feature in Google Chrome 87 that lets you run commands from the address bar.

Belden: Network device maker under cyber attack!

The manufacturer of network devices "Belden" was attacked by cyber, as a result of which the hackers behind it stole files containing information ...