Dubbed 'Duri', the campaign has been active since July, according to the researchers, and can bypass network security solutions, including firewalls, legacy proxies and sandboxes.
In an online post, the Menlo Security team said that it learned about the campaign after tracking a user's visit to a website. The visit resulted in a file download, which was flagged as suspicious by Menlo's security software and blocked from running.
HTML smuggling is usually accomplished in one of two ways:
- Deliver the download via Data URLs on the client device
- Construct a JavaScript Blob with the appropriate MIME type, which results in a download on the client device
The word "blob" is short for "Binary Large Object": a collection of binary data stored as a single entity, a term borrowed from database management systems. Blobs are usually images, audio or other multimedia objects, though binary executable code is sometimes stored as a blob as well.
The researchers said that the malware downloaded in the Duri campaign is not new, and attackers have previously delivered it via Dropbox. They have now started using HTML smuggling, most likely to increase their success rate of infecting devices.
The researchers believe attackers will increasingly use HTML smuggling in the coming days to deliver payloads to the endpoint.
"Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up," the researchers said.
"We believe HTML smuggling is one such technique that will be incorporated into the attackers' arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it."