In a recent blog post, Menlo Security analyzed an ongoing campaign by malware it has dubbed "Duri." Rather than serving its payload as an ordinary file download, Duri smuggles it by generating the file in the browser in one of two ways: as a Data URL, or as a JavaScript Blob created with the appropriate MIME type, which then results in a download on the client device. Because the file is assembled inside the browser rather than transferred as a file over the wire, this approach evades simple Anti-Virus (AV) detections that are limited by size and capability. Based on the activity it performs on a victim's endpoint, however, it should be relatively easy to detect: Duri drops its components into the user's AppData\Roaming directory and writes a LNK file with a random name there. An easier, albeit later, method of detection is to search PowerShell and process-creation logs for process creation events involving a .lnk file.
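To make the two in-browser delivery methods concrete, the following is an added example written for this page; it is not Menlo Security's code and not anything recovered from the Duri campaign. The "payload" is a harmless text string constructed inline, and the function names (buildDataUrl, buildBlob, triggerDownload) are this example's own. It shows the only thing a network inspector sees (a base64 string inside a page) and how the browser turns it back into a file, either through a data: URL or through a Blob with a chosen MIME type handed to an anchor's download attribute.

```javascript
// Added example of HTML smuggling mechanics (not Duri's code).
// The payload is a harmless, constructed text file.
const PAYLOAD_TEXT = "harmless demo payload\n";
const PAYLOAD_BYTES = new TextEncoder().encode(PAYLOAD_TEXT);

// In a real lure this base64 string is all that crosses the wire: the
// inline inspector never sees a file transfer, only page content.
const PAYLOAD_B64 = btoa(String.fromCharCode(...PAYLOAD_BYTES));

// Method 1: Data URL. The browser decodes the base64 itself when the link
// is followed; no script-side decoding is needed.
function buildDataUrl(b64, mime) {
  return `data:${mime};base64,${b64}`;
}

// Shared decoding step for the Blob method: base64 -> raw bytes.
function decodeSmuggled(b64) {
  const binary = atob(b64);
  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
}

// Method 2: JavaScript Blob. The bytes are reassembled in memory and tagged
// with a MIME type; application/octet-stream makes the browser save rather
// than render the content.
function buildBlob(b64, mime) {
  return new Blob([decodeSmuggled(b64)], { type: mime });
}

// Turn either href (a data: URL or a blob: object URL) into an actual
// download by clicking a synthetic anchor. Returns false outside a DOM so
// the module can still be loaded and inspected in Node.
function triggerDownload(href, filename) {
  if (typeof document === "undefined") return false;
  const a = document.createElement("a");
  a.href = href;
  a.download = filename; // filename the victim sees in the download prompt
  document.body.appendChild(a);
  a.click();
  a.remove();
  return true;
}

// Convenience wrapper for the Blob path: object URL lifetime is handled here.
function downloadViaBlob(b64, mime, filename) {
  const blob = buildBlob(b64, mime);
  const url = URL.createObjectURL(blob);
  const ok = triggerDownload(url, filename);
  URL.revokeObjectURL(url);
  return ok;
}

const MIME = "application/octet-stream";

// Usage in a page: either line below produces a download of the same bytes.
triggerDownload(buildDataUrl(PAYLOAD_B64, MIME), "demo-data-url.txt");
downloadViaBlob(PAYLOAD_B64, MIME, "demo-blob.txt");
```

The defensive takeaway is in where the bytes exist: on the wire they are an opaque base64 literal inside HTML or script, and the file object only comes into being in the browser, which is why endpoint telemetry (the dropped files under AppData\Roaming, the LNK, the resulting process creation) is where this campaign becomes visible.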
12 Essentials for a Successful SOC Partnership
As cyber threats continue to impact businesses of all sizes, the need for round-the-clock security