Menlo Security has been closely monitoring an attack we are naming “Duri.” Duri leverages HTML smuggling to deliver malicious files to users’ endpoints by evading network security solutions such as sandboxes and legacy proxies. Isolation prevents this attack from infecting the endpoint. Here’s what we know.
According to our observations, the Duri campaign started in the beginning of July and is currently active. Earlier this month, we identified a user’s visit to a website and subsequent file download, which was blocked because it was suspicious. Upon investigation, we discovered that the file was downloaded through HTML smuggling.
Traditional network security solutions such as proxies, firewalls, and sandboxes rely on the transfer of objects over the wire. For example, a sandbox might extract file objects such as .exe, .zip, and other suspicious objects from the wire and then send them to the sandbox for detonation. With Duri, the entire payload is constructed on the client side (browser), so no objects are transferred over the wire for the sandbox to inspect.
The malware that Duri downloads is not new. According to Cisco, it has previously been delivered via Dropbox, but the attackers have now displaced Dropbox with other cloud hosting providers and have blended in the HTML smuggling technique to infect endpoints. We speculate that this change in tactic is being used to increase the success rate of compromised endpoints.
As seen above, a ZIP file is dynamically constructed from the blob object with the MIME type octet/stream and is downloaded to the endpoint. The user still needs to open the ZIP file and execute its contents.
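The post's point is that the archive never exists on the wire, so a detector has to look at the page source that builds it rather than at a file object. The following is an added example, not code from Menlo's post: a heuristic scanner over HTML text that flags the combination of client-side assembly (a Blob built from decoded base64, with the octet/stream type seen here) and a hand-off to the browser's download path. The sample page, the indicator names and the thresholds are constructed for this illustration.

```javascript
// Added example, not code from Menlo's post: a heuristic scanner for page source
// that assembles a file in the browser and hands it to the download path. It
// runs on HTML text (what a proxy or mail gateway can still see), since with
// HTML smuggling no file object ever crosses the wire for a sandbox to catch.

const SMUGGLING_SIGNALS = [
  { name: 'blob_constructed',     re: /new\s+Blob\s*\(/i },
  { name: 'octet_stream_type',    re: /['"]\s*(?:application\/)?octet[\/-]stream\s*['"]/i },
  { name: 'object_url_download',  re: /URL\.createObjectURL\s*\(/i },
  { name: 'anchor_download_attr', re: /\.download\s*=|\bdownload\s*=\s*['"]/i },
  { name: 'ms_save_blob',         re: /msSaveOrOpenBlob|msSaveBlob/i },
  { name: 'base64_decode',        re: /\batob\s*\(/i },
];

// A smuggled archive is normally carried as one large base64 literal (threshold is an assumption).
const LONG_BASE64 = /[A-Za-z0-9+/]{200,}={0,2}/;

function scanHtmlForSmuggling(html) {
  const indicators = SMUGGLING_SIGNALS.filter(s => s.re.test(html)).map(s => s.name);
  if (LONG_BASE64.test(html)) indicators.push('long_base64_literal');
  // Verdict requires both halves: bytes are decoded/assembled client-side AND
  // pushed to the user's download path. Either half alone is common on benign pages.
  const assembles = indicators.includes('blob_constructed') || indicators.includes('base64_decode');
  const downloads = ['object_url_download', 'anchor_download_attr', 'ms_save_blob']
    .some(n => indicators.includes(n));
  return { suspicious: assembles && downloads, indicators };
}

// Constructed test fixture: the structure the post describes, with a placeholder
// base64 body (a ZIP local-header prefix padded with filler, not a real archive).
const FAKE_B64 = 'UEsDBBQA' + 'A'.repeat(240);
const SAMPLE_HTML = `<html><body><script>
var b64 = '${FAKE_B64}';
var bytes = Uint8Array.from(atob(b64), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: 'octet/stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'report.zip';
a.click();
</script></body></html>`;

// Constructed benign page: a plain server-side download link, nothing assembled client-side.
const BENIGN_HTML = '<html><body><a href="/downloads/report.pdf">Quarterly report</a></body></html>';

console.log(JSON.stringify(scanHtmlForSmuggling(SAMPLE_HTML)));
console.log(JSON.stringify(scanHtmlForSmuggling(BENIGN_HTML)));
```

The verdict deliberately needs both an assembly signal and a download signal: Blob and atob appear on plenty of legitimate pages, and a download attribute alone is just a link, so either one by itself would drown the alert queue. Tuning the base64 length threshold and adding signals for other decoders is where a real deployment would iterate.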
The ZIP archive contains an MSI file [T1218.007]. The .msi file extension indicates that the file is a Microsoft Windows installer and contains the application and all of its dependencies.
unzip PUVG OKZAGE SBKZXONA ETRWDDQGBL .zip
Archive: PUVG OKZAGE SBKZXONA ETRWDDQGBL .zip
inflating: PUVG OKZAGE SBKZXONA ETRWDDQGBL (869261) .msi
file PUVG OKZAGE SBKZXONA ETRWDDQGBL (869261) .msi
PUVG OKZAGE SBKZXONA ETRWDDQGBL (869261) .msi: Composite Document File V2 Document, Little Endian, Os: Windows.
Examining the MSI file shows that there is an execute script code action defined in the custom action of the MSI contents:
The embedded JScript is obfuscated, and it performs the following actions when invoked:
The extension in the URL is .jpg, but it is a ZIP file.
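Both the .jpg-that-is-a-ZIP and the MSI identified by `file` above are cases where the leading bytes, not the name, tell the truth. The following is an added example, not code from Menlo's post: a small content-sniffing check that identifies a download by its magic bytes and compares that with the extension claimed by the file name or URL, flagging the mismatch. The magic-byte table covers only a few formats, and the sample byte strings and names are constructed for this illustration.

```javascript
// Added example, not code from Menlo's post: identify a downloaded object by
// its leading bytes and compare with what its name or URL suffix claims.
// Flags a ZIP served as .jpg and recognises an MSI (OLE Compound File) header.

const MAGIC = [
  { type: 'zip',     bytes: [0x50, 0x4b, 0x03, 0x04],                         exts: ['zip', 'docx', 'xlsx', 'jar'] },
  { type: 'ole-cfb', bytes: [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1], exts: ['msi', 'doc', 'xls'] },
  { type: 'jpeg',    bytes: [0xff, 0xd8, 0xff],                               exts: ['jpg', 'jpeg'] },
  { type: 'pe',      bytes: [0x4d, 0x5a],                                     exts: ['exe', 'dll', 'scr'] },
];

// Match the first MAGIC entry whose signature is a prefix of the buffer.
function sniffType(buf) {
  for (const m of MAGIC) {
    if (buf.length >= m.bytes.length && m.bytes.every((b, i) => buf[i] === b)) return m.type;
  }
  return 'unknown';
}

// Extension as claimed by a file name or URL (query string and fragment dropped).
function extensionOf(name) {
  const clean = name.split(/[?#]/)[0];
  const dot = clean.lastIndexOf('.');
  return dot === -1 ? '' : clean.slice(dot + 1).toLowerCase().trim();
}

// Returns { sniffed, claimed, mismatch }. mismatch is true only when the
// sniffed format is known and the claimed extension is not one it is served under.
function checkClaimedType(name, buf) {
  const sniffed = sniffType(buf);
  const claimed = extensionOf(name);
  const entry = MAGIC.find(m => m.type === sniffed);
  const mismatch = Boolean(entry && !entry.exts.includes(claimed));
  return { sniffed, claimed, mismatch };
}

// Constructed samples: headers only, not real files.
const ZIP_AS_JPG = new Uint8Array([0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00]);
const MSI_SAMPLE = new Uint8Array([0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1, 0x00, 0x00]);

// Constructed URL (reserved .example TLD) standing in for the attacker-controlled host.
console.log(JSON.stringify(checkClaimedType('https://cdn.example/images/photo.jpg?id=1', ZIP_AS_JPG)));
console.log(JSON.stringify(checkClaimedType('PUVG OKZAGE SBKZXONA ETRWDDQGBL (869261) .msi', MSI_SAMPLE)));
```

In a proxy or endpoint agent the interesting output is the mismatch flag: a URL ending in .jpg whose body starts with a ZIP local-file header is worth blocking or at least routing to inspection, even when the URL reputation is clean. Note that with HTML smuggling this check only helps at the endpoint, because the network device never sees the assembled ZIP.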
While traditional security solutions rely on a detect-and-respond approach to cybersecurity, Menlo enables a Zero Trust approach by forcing a block-or-isolate decision at the point of click. All content is fetched and executed in a remote browser and is cut off from the endpoint, while only safe mirrored content reaches the user’s device. This prevents malware from accessing the endpoint.
Attackers are constantly tweaking their tactics in an effort to evade and bypass security solutions—forcing tools that rely on a detect-and-respond approach to always play catch-up. We believe HTML smuggling is one such technique that will be incorporated into the attackers’ arsenal and used more often to deliver the payload to the endpoint without network solutions blocking it. Menlo’s isolation approach prevents all content from reaching the endpoint—effectively blocking all malware without impacting the native user experience. It’s security without compromise.
Krishnan Subramanian on Aug 18, 2020
Threat Trends & Research