HTML smuggling technique behind 'Duri' campaign to deliver malware, researchers warn

The attack can evade network security solutions, including firewalls, legacy proxies and sandboxes

Researchers at cyber security firm Menlo Security claim to have identified a new cyber campaign that is using a combination of HMTL smuggling techniques - deployingHTML5/JavaScript features to deliver file downloads -and data blobs to deliver malware onto victim machines.

Dubbed ' Duri ', the campaign has been active since July, according to the researchers, and can bypass network security solutions, including firewalls, legacy proxies and sandboxes.

In an online post, the Menlo Security team said that it learned about the campaign after tracking a user's visit to a website. The visit resulted in a file download, which was flagged as suspicious by Menlo ' s security software and blocked from running.

A detailed analysis of the file revealed that its source was not a URL but instead it was generated by JavaScript code, which smuggled the malicious payload to the victim's machine.

According to researchers, this particular type of attack is launched by first sending a malicious link to potential targets. Once the link is clicked, attackers use a JavaScript blob technique to smuggle malicious file to the user ' s endpoint through the browser.

HTML smuggling is usually accomplished through two ways:

• Deliver the download via Data URLs on the client device
• Create a JavaScript blob with the appropriate MIME-type which results in a download on the client device

The word "blob" refers to "Binary Large Object" - a collection of binary data stored as a single entity in a database management system. Blobs are usually images, audio or other multimedia objects, though sometimes binary executable code is also stored as a blob.

The researchers said that the malware downloaded in the Duri campaign is not new, and attackers have previously delivered it via Dropbox. They have now started using HTML smuggling, most likely to increase their success rate of infecting devices.

The researchers believe HTML smuggling will be increasingly used by attackers in coming days in attempts to deliver the payload to the endpoint.

"Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up," the researchers said.

"We believe HTML smuggling is one such technique that will be incorporated into the attackers ' arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it."