HTML Smuggling Campaign Is Stopped by the Menlo Security Cloud Platform
Menlo Security has been closely monitoring an attack we are naming “Duri.” Duri leverages HTML smuggling to deliver malicious files to users’ endpoints by evading network security solutions such as sandboxes and legacy proxies. Isolation prevents this attack from infecting the endpoint. Here’s what we know.
What Is HTML Smuggling ?
Deliver the download via Data URLs on the client device.
What Is Duri?
According to our observations, the Duri campaign started in the beginning of July and is currently active. Earlier this month, we identified a user’s visit to a website and subsequent file download, which was blocked because it was suspicious. Upon investigation, we discovered that the file was downloaded through HTML smuggling.
Traditional network security solutions such as proxies, firewalls, and sandboxes rely on the transfer of objects over the wire. For example, a sandbox might extract file objects such as .exe, .zip, and other suspicious objects from the wire and then send them to the sandbox for detonation. With Duri, the entire payload is constructed on the client side (browser), so no objects are transferred over the wire for the sandbox to inspect.
What Tactics Does Duri Use?
The malware that Duri downloads is not new. According to Cisco, it has previously been delivered via Dropbox, but the attackers have now displaced Dropbox with other cloud hosting providers and have blended in the HTML smuggling technique to infect endpoints. We speculate that this change in tactic is being used to increase the success rate of compromised endpoints.
As seen above, a ZIP file is dynamically constructed from the blob object with MIME type as octet/stream and is downloaded to the endpoint. The user still needs to open the ZIP file and execute it.
Malicious MSI Dropper
The ZIP archive contains an MSI file [T1218.007]. The .msi file extension indicates that the file is a Microsoft Windows installer and contains the application and all of its dependencies.
unzip PUVG\ OKZAGE\ SBKZXONA\ ETRWDDQGBL\ .zip
Archive: PUVG OKZAGE SBKZXONA ETRWDDQGBL .zip
inflating: PUVG OKZAGE SBKZXONA ETRWDDQGBL (869261) .msi
file PUVG\ OKZAGE\ SBKZXONA\ ETRWDDQGBL\ \(869261\)\ \ .msi
PUVG OKZAGE SBKZXONA ETRWDDQGBL (869261) .msi: Composite Document File V2 Document, Little Endian, Os: Windows.
Examining the MSI file shows that there is an execute script code action defined in the custom action of the MSI contents:
Microsoft JSCRIPT Analysis
The embedded JSCRIPT is obfuscated, and it performs the following actions upon invoke:
Fetches a ZIP file from a remote location: hxxp://104[.]214[.]115[.]159/mod/input20[.]jpg
The extension in the URL is .jpg, but it is a ZIP file.
The ZIP file is downloaded to the Public Documents folder and two files are extracted from the ZIP archive: Avira.exe and rundll.exe.
The Avira.exe file is renamed to a randomly named EXE file. The rundll.exe file is renamed to a randomly named file with a .bmp extension.
A LNK file gets created in the %appdata% (roaming) folder, and the target of the LNK file is set to a randomly renamed Avira.exe file [T1547.009].
It achieves persistence by creating an autorun key for the above LNK file [T1547.001].
The final command that gets run is [T1059.001]:
powershell.exe cd\;cd 'C:\Users\John Smith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup';Start-Sleep -s 60;Start-Process 'YOUXQNWXME.lnk'
The extracted Avira.exe file was a signed ~500MB file from Avira, which was present with a rundll.exe, and there was no evidence of process injection or side-loading techniques observed that could be used to further analyze and examine the behavior.
How Does Menlo Security Get Visibility into Duri?
While traditional security solutions rely on a detect-and-respond approach to cybersecurity, Menlo enables a Zero Trust approach by forcing a block-or-isolate decision at the point of click. All content is fetched and executed in a remote browser and is cut off from the endpoint, while only safe mirrored content reaches the user’s device. This prevents malware from accessing the endpoint.
Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up. We believe HTML smuggling is one such technique that will be incorporated into the attackers’ arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it. Menlo’s isolation approach prevents all content from reaching the endpoint—effectively blocking all malware without impacting the native user experience. It’s security without compromise.