While Duri’s exact dropping approach is not commonly seen in other malware, it can be detected easily if the proper controls are in place. Signals that allow Duri to be detected include:
• Unusual HTTP requests to hosts addressed only by an IP address rather than a domain name.
• Abnormally large downloads of files that seem innocuous, or files whose contents do not match their extension – in this case, a zip archive disguised as a jpg file.
• PowerShell invoking LNK files from user directories such as AppData.
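The three indicators above, turned into detection checks run over constructed sample events (an added example, not code from the Duri write-up or from Menlo Security; the event fields, the 2 MB image-size threshold and the sample values are assumptions):

```python
"""Detection checks for the three Duri indicators listed above (added example)."""
import re
from typing import Dict, List

# A ".jpg" whose bytes begin with the zip local-file-header magic is mis-labelled.
ZIP_MAGIC = b"PK\x03\x04"
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def ip_only_host(host: str) -> bool:
    """HTTP request sent to a bare IPv4 address instead of a domain name."""
    return bool(IPV4_HOST.match(host.split(":")[0]))


def extension_mismatch(filename: str, head: bytes, size: int,
                       max_image_bytes: int = 2_000_000) -> List[str]:
    """Flag image-named downloads that are really zip archives or are unusually large."""
    reasons = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in IMAGE_EXTS:
        if head.startswith(ZIP_MAGIC):
            reasons.append("zip-magic-in-image")
        if size > max_image_bytes:  # assumed threshold for a plausible image
            reasons.append("oversized-image")
    return reasons


def powershell_lnk_from_appdata(cmdline: str) -> bool:
    """PowerShell command line that references a .lnk under a user's AppData."""
    lowered = cmdline.lower()
    return "powershell" in lowered and ".lnk" in lowered and "\\appdata\\" in lowered


# Constructed sample events (not real telemetry) in the shape a proxy or EDR might emit.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "http", "host": "203.0.113.7", "uri": "/photo.jpg"},
    {"type": "download", "name": "photo.jpg", "head": b"PK\x03\x04\x14\x00", "size": 5_400_000},
    {"type": "process", "cmdline": r'powershell.exe -w hidden "C:\Users\u\AppData\Roaming\update.lnk"'},
    {"type": "http", "host": "example.com", "uri": "/logo.png"},
    {"type": "download", "name": "logo.png", "head": b"\x89PNG\r\n\x1a\n", "size": 12_000},
]


def scan(events: List[Dict]) -> List[tuple]:
    """Return (rule, evidence) pairs for every event matching one of the indicators."""
    alerts = []
    for e in events:
        if e["type"] == "http" and ip_only_host(e["host"]):
            alerts.append(("ip-only-host", e["host"]))
        elif e["type"] == "download":
            for reason in extension_mismatch(e["name"], e["head"], e["size"]):
                alerts.append((reason, e["name"]))
        elif e["type"] == "process" and powershell_lnk_from_appdata(e["cmdline"]):
            alerts.append(("powershell-lnk-appdata", e["cmdline"]))
    return alerts


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(rule, evidence)
```

Only the first three sample events trigger; the legitimate domain request and the genuine PNG pass clean.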
To read more, please see: https://www.menlosecurity.com/blog/new-attack-alert-duri