The Duri attack campaign, launched by an as yet unidentified hacking group, has revealed that cybercriminals have devised a new intrusion technique: HTML smuggling. It allows attackers to deliver dangerous payloads while evading detection by security features.
HTML Smuggling Revealed as a New Hacking Method: Discovered via the Duri Attack Campaign
At the moment there is no information about the identity of the hackers behind the Duri attacks; the investigation is ongoing. The campaign was discovered in July 2020 by Menlo Security, when experts noticed a suspicious download that had been blocked by a web browser security filter. On closer inspection it turned out not to be a file at all, but JavaScript code used to deploy malicious payloads to the target system.
This JavaScript code carried the malicious file hidden inside itself; the security experts have named this technique HTML Smuggling. It combines HTML5 and JavaScript features to generate the malware payload and its download URL on the fly. By abusing this technique the criminals can deliver malware by serving files directly from within the affected browser, without relying on a URL that points to a file on a web host. In the Duri attack the carried malware is assembled in the client-side browser and no malicious file object is transferred over the Internet as such, which makes it much harder to detect by relying solely on traditional network security controls.
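Because the file never crosses the network as a file, a defender has to look at the page itself for the behaviour described above: a large embedded blob that the script decodes and hands to the browser as a download. The scanner below is an added example written for this article, not code from Menlo Security or from the Duri campaign. The indicator names, their weights and the score threshold are assumptions chosen for illustration, and both HTML inputs are constructed here (the "payload" in the second one is a harmless placeholder string, base64-encoded so that it has the shape of an embedded file).

```python
import base64
import re
from dataclasses import dataclass

# Heuristic indicators of a page that assembles a file inside the browser and
# hands it to the user as a download. Names and weights are assumptions for this
# example, not a published detection rule set.
INDICATORS = [
    ("blob_constructor", re.compile(r"\bnew\s+Blob\s*\(", re.I), 2),
    ("object_url", re.compile(r"\bURL\.createObjectURL\s*\(", re.I), 2),
    ("ms_save_blob", re.compile(r"\bmsSaveOrOpenBlob\s*\(", re.I), 3),
    ("anchor_download", re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I), 2),
    ("base64_decode", re.compile(r"\batob\s*\(", re.I), 1),
    ("synthetic_click", re.compile(r"\.click\s*\(\s*\)", re.I), 1),
]
# A quoted base64 run of 200+ characters is an embedded blob, not a short token.
EMBEDDED_B64 = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
EMBEDDED_B64_WEIGHT = 3
THRESHOLD = 5  # assumed cut-off; tune it against your own traffic


@dataclass
class ScanResult:
    score: int
    indicators: list
    verdict: str


def scan_html(html: str) -> ScanResult:
    """Score one HTML document for client-side file assembly behaviour."""
    hits = []
    score = 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            hits.append(name)
            score += weight
    if EMBEDDED_B64.search(html):
        hits.append("embedded_base64")
        score += EMBEDDED_B64_WEIGHT
    verdict = "suspicious" if score >= THRESHOLD else "clean"
    return ScanResult(score, hits, verdict)


# Constructed sample 1: legitimate use of an object URL for an image preview.
# It uses one of the same APIs, so a single indicator must not be enough to alert.
BENIGN_SAMPLE = """
<input id="photo" type="file">
<img id="preview">
<script>
  const input = document.querySelector('#photo');
  input.addEventListener('change', () => {
    document.querySelector('#preview').src = URL.createObjectURL(input.files[0]);
  });
</script>
"""

# Constructed sample 2: the shape a scanner has to recognise. The "payload" is a
# harmless placeholder string, base64-encoded so that it looks like an embedded file.
_PLACEHOLDER = base64.b64encode(b"constructed harmless placeholder bytes " * 8).decode()
SMUGGLING_SAMPLE = """
<script>
  var data = atob('__PAYLOAD__');
  var blob = new Blob([data], {type: 'application/octet-stream'});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'report.doc';
  a.click();
</script>
""".replace("__PAYLOAD__", _PLACEHOLDER)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("smuggling-style", SMUGGLING_SAMPLE)):
        r = scan_html(sample)
        print(f"{label}: score={r.score} verdict={r.verdict} indicators={r.indicators}")
```

The point of scoring several indicators together is that each one on its own is ordinary web behaviour (object URLs for previews, the download attribute on export links); it is the combination of a large inline base64 literal, decoding, Blob construction and a programmatic download that matches the behaviour Menlo Security describes. A scanner like this belongs at the mail gateway or web proxy, where the HTML is still visible, since the resulting file never appears on the wire.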
A proof-of-concept demonstration shows how a macro-infected Word document can be embedded inside JavaScript code. By supplying addresses through such code the criminals can also build chains of redirects that lead to dangerous web pages. HTML Smuggling allows for very convenient distribution of web-based threats:
- Ransomware — These are file-encrypting viruses designed to encrypt user data with a strong cipher. Usually the files to be processed are selected from a hacker-created list. Most threats in this category rename the victims' files with a given extension. The victims are then extorted to pay a decryption fee, usually in cryptocurrency, to be sent to a wallet address controlled by the attackers.
- Trojan Horse Infections — These are threats designed to silently deploy a local client engine on the infected computer. It establishes a secure connection to a hacker-controlled server and allows the attackers to take over control.
- Cryptocurrency Miners — These are web scripts that can run from within the browser window. They download and execute performance-intensive tasks that place a heavy load on key hardware components and may render the computer completely unusable. For every completed and reported work unit the criminals receive payment in cryptocurrency.
Using this Duri attack approach the dropped payloads can be placed so that they are installed as a persistent threat. This means the virus starts automatically whenever the computer is powered on and can bypass the installed security services.