HTML smuggling attack sends malicious files to users

Researchers at Menlo Security are warning of a new HTML smuggling attack. In a blog post, the researchers delve into a campaign they have dubbed “Duri.” Duri’s goal is to use HTML5 and JavaScript to push malicious file downloads onto unsuspecting victims’ machines.

HTML smuggling campaigns accomplish this in one of two ways. The first delivers the file through a data URL, so the browser on the client device reconstructs the file from a link that carries the content itself; the second builds a JavaScript blob with an appropriate MIME type (Multipurpose Internet Mail Extensions). It is this second method that Menlo’s researchers observed Duri using to force the browser to write the malicious download to the client endpoint.

Duri is thought to have begun last month. It has proven to be an effective means of attack because it circumvents many security products, such as firewalls, that inspect files in transit: the malicious file is assembled inside the browser rather than fetched over the network as a download. The research post describes the actual infection process as follows:

Once the user clicks on the link, there are multiple levels of redirection before the user lands on an HTML page hosted on duckdns[.]org. The landing page invokes a JavaScript onload that initializes data for a blob object from a base64 encoded variable… a ZIP file is dynamically constructed from the blob object with MIME type as octet/stream and is downloaded to the endpoint. The user still needs to open the ZIP file and execute… The ZIP archive contains an MSI file… there is an execute script code action defined in the custom action of the MSI contents.

As with any malicious campaign, the malware runs only after some interaction from the victim, in this case opening the ZIP file and executing the MSI inside it. It is harder in Duri’s case, however, for victims to recognize the ZIP file as malicious, since it is assembled and downloaded by the browser itself rather than arriving as an obvious attachment. As far as HTML smuggling campaigns go, Duri is incredibly complex and requires constant defensive security awareness.
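The triage logic below is an added example written for this article, not Menlo Security’s tooling. It statically scans a page’s inline scripts for the chain the write-up describes (a base64 literal, atob, a Blob with an octet-stream type, createObjectURL or msSaveOrOpenBlob, a download attribute, an onload handler), then decodes any long base64 literal and checks its magic bytes for a ZIP, PE or OLE compound (MSI) container. Both HTML samples are constructed for the example, and the indicator names, thresholds and verdict rule are my own assumptions. The benign sample shows the caveat: a CSV export uses Blob and createObjectURL legitimately, so the verdict requires client-side assembly of an embedded payload, not the download mechanics alone.

```python
"""Static triage of an HTML page for HTML-smuggling indicators.

Added example, not code from Menlo Security's write-up. It looks for the
pattern the Duri post describes: a base64 payload decoded in the browser,
wrapped in a Blob with an octet-stream MIME type and pushed to the endpoint
as a download. Indicator names and thresholds are constructed for this example.
"""
import base64
import io
import re
import zipfile
from typing import Optional

# Script-level indicators, checked against the page's inline <script> bodies.
SCRIPT_INDICATORS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "octet_stream": re.compile(r"octet[-/]stream", re.I),   # also matches the post's "octet/stream"
    "base64_decode": re.compile(r"\batob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
}
ONLOAD_RE = re.compile(r"\bonload\s*=", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# A long run of base64 alphabet inside a string literal (threshold is an assumption).
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{80,}={0,2})['\"]")

# Magic bytes for the container types the campaign is reported to carry.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole_compound"),  # MSI / legacy Office
]


def classify_payload(data: bytes) -> Optional[str]:
    """Return a container label for the decoded bytes, or None if unrecognised."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return None


def analyze_html(html: str) -> dict:
    """Scan inline scripts and return indicators, decoded payload types and a verdict."""
    scripts = "\n".join(SCRIPT_RE.findall(html))
    indicators = [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(scripts)]
    if ONLOAD_RE.search(html):
        indicators.append("onload_handler")

    payload_types = []
    for literal in B64_LITERAL_RE.findall(scripts):
        try:
            decoded = base64.b64decode(literal, validate=True)
        except ValueError:
            continue  # not valid base64; ignore the literal
        kind = classify_payload(decoded)
        if kind:
            payload_types.append(kind)

    # Verdict: a delivery mechanism plus either a recognisable embedded file
    # or client-side assembly of a blob from decoded/octet-stream data.
    delivery = any(i in indicators for i in ("object_url", "ms_save_blob", "download_attr"))
    client_side_assembly = "blob_ctor" in indicators and (
        "base64_decode" in indicators or "octet_stream" in indicators
    )
    suspicious = delivery and (bool(payload_types) or client_side_assembly)
    return {"indicators": indicators, "payload_types": payload_types, "suspicious": suspicious}


def _sample_zip() -> bytes:
    """Constructed harmless ZIP used only as the embedded test payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "placeholder content " * 12)
    return buf.getvalue()


# Constructed sample page carrying the indicator chain from the write-up.
SMUGGLING_HTML = """<html><body onload="deliver()"><script>
function deliver() {
  var blob = new Blob([atob("__PAYLOAD__")], {type: "application/octet-stream"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "document.zip";
}
</script></body></html>""".replace("__PAYLOAD__", base64.b64encode(_sample_zip()).decode())

# Constructed benign page: a CSV export that legitimately uses Blob and createObjectURL.
BENIGN_HTML = """<html><body><script>
function exportCsv(rows) {
  var blob = new Blob([rows.join("\\n")], {type: "text/csv"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "report.csv";
}
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("smuggling sample", SMUGGLING_HTML), ("csv export", BENIGN_HTML)):
        print(label, analyze_html(page))
```

Run as a script to see both verdicts. This is a static check suited to proxy inspection or sandbox post-processing; obfuscated scripts (split strings, alternative decoders, payloads fetched in pieces) will slip past these regexes, so treat a hit as one signal for analyst review rather than a blocking rule on its own.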

Featured image: Flickr / Morten Wulff
