
Duri Malware

By GoldSparrow in Malware

Duri is the name given to an ongoing cyberattack detected by the researchers at Menlo Security. The hackers have employed HTML smuggling and data blobs to bypass traditional network security solutions such as sandboxes and proxies and deliver malware payloads.

HTML smuggling is an attack method that doesn't exploit system vulnerabilities or weaknesses. Instead, the hackers take advantage of legitimate HTML5/JavaScript features to initiate file downloads. The particular method used in the Duri campaign involves the creation of a JavaScript blob that carries the MIME type required to download a file onto the targeted computer. HTML smuggling is particularly effective against security tools that rely on inspecting files as they are transferred over the wire. In the Duri attack, however, the entire malware payload is assembled on the victim's system rather than transferred as a file.

For the attack to trigger, the targeted user has to click on a link that is redirected multiple times before finally opening an HTML page hosted on duckdns.org. The landing page runs JavaScript on load that generates a data blob from a base64-encoded variable. From that data blob, a zip file is constructed and then downloaded onto the victim's device. It should be noted that the malware payload cannot proceed on its own: the user has to open the zip file manually and execute the MSI (Microsoft Windows Installer) file contained inside.
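The smuggling pattern described above (a base64 string decoded in the browser, wrapped in a Blob and handed to the download machinery) leaves recognizable traces in the page source that a proxy or sandbox can look for even though no file crosses the wire. The following heuristic scanner is an added example, not code from Menlo Security or the Duri campaign; the two HTML samples are constructed, and the indicator names and threshold are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Source-level indicators of HTML smuggling: a payload embedded as base64,
# assembled into a Blob, and pushed to the user through the download APIs.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "binary_mime": re.compile(r"application/(octet-stream|zip|x-msi)", re.I),
}
# A long base64 literal in the page is the smuggled file itself (256+ chars assumed).
LONG_B64 = re.compile(r"[\"'][A-Za-z0-9+/]{256,}={0,2}[\"']")

@dataclass
class Verdict:
    score: int          # number of indicators matched (informational)
    hits: List[str]     # which indicators matched
    suspicious: bool    # embedded payload + Blob assembly + download delivery

def scan_html(html: str) -> Verdict:
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    if LONG_B64.search(html):
        hits.append("long_base64_literal")
    found = set(hits)
    # Legitimate "export to file" pages also use Blob + download + click, so the
    # verdict requires an embedded base64 payload, not just the download APIs.
    embedded = bool({"base64_decode", "long_base64_literal"} & found)
    delivery = bool({"object_url", "ms_save_blob", "download_attr", "auto_click"} & found)
    return Verdict(len(hits), hits, embedded and "blob_ctor" in found and delivery)

# Constructed sample mirroring the described chain: base64 variable -> Blob -> download.
SMUGGLING_SAMPLE = """<html><body><script>
var payload = "%s";   /* constructed dummy base64, not a real archive */
var raw = atob(payload);
var blob = new Blob([raw], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "document.zip";
a.click();
</script></body></html>""" % ("QUFB" * 80)

# Constructed benign sample: a CSV export that uses the same download APIs.
CSV_EXPORT_SAMPLE = """<html><body><script>
var csv = "name,score\\nalice,10";
var blob = new Blob([csv], {type: "text/csv"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "report.csv";
a.click();
</script></body></html>"""
```

The CSV export sample matches four indicators but is not flagged, which is the false-positive case any such rule has to handle; obfuscated pages that build the API names at runtime will evade plain string matching and need a sandbox that executes the page.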

After analyzing the MSI file, the cybersecurity experts noticed obfuscated JScript code embedded in it. The corrupted code can carry out several functions when it is triggered, such as downloading a zip file from hxxp://104.214.115.159/mod/input20[.]jpg and extracting two files from it - Avira.exe and rundll.exe. An LNK file is created in the %appdata% folder, and by creating an autorun key for it, the malware threat achieves persistence on the infected machine.

The specific malware used in the Duri attack has not been revealed, but the researchers did mention that it is not a new threat and that it has previously been delivered through Dropbox.
