Threat Watch

Duri Malware Campaign Smuggles Downloads in Browser Data URLs

In a recent blog post, Menlo Security analyzed an ongoing campaign by malware it has dubbed “Duri.” Rather than fetching its payload as a file over the network, Duri assembles the payload inside the victim’s browser in one of two ways: as a Data URL, or as a JavaScript Blob given a MIME type that makes the browser save it as a download on the client device. Because the file object is only ever created on the endpoint, perimeter inspection sees HTML and JavaScript rather than a downloadable file, which lets the campaign slip past simple Anti-Virus (AV) and sandbox detections that are limited by file size and capability. What Duri does once it is on the endpoint, however, should be relatively easy to detect: it drops into the user’s AppData\Roaming directory and writes a LNK file with a random name there. A simpler, albeit later, detection is to search process-creation and PowerShell logs for PowerShell being launched with that .lnk file on its command line; a .lnk is not itself a process, so the signal is the PowerShell process that runs it.
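As an added example (not Menlo Security’s code, and not reproducing Duri’s own page), here is a small Python scanner for the two delivery styles described above. It builds a constructed sample page in memory, a benign zip smuggled both as a data: URL and via atob() into a Blob, then finds each payload, decodes it and checks its magic bytes against the file name the page assigns to the download. The page content, file names and the regexes are assumptions for the example.

```python
import base64
import io
import re
import zipfile

# Constructed sample: a benign HTML page that uses both delivery styles. The
# "payload" is a zip holding one text file, built in memory so this runs offline.
# File names and the page itself are made up for this example.
def _build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless sample payload")
    return buf.getvalue()

SAMPLE_ZIP = _build_sample_zip()
SAMPLE_B64 = base64.b64encode(SAMPLE_ZIP).decode()

SAMPLE_HTML = f"""<html><body>
<!-- style 1: the file itself is a data: URL on an anchor with a download name -->
<a id="d1" href="data:application/octet-stream;base64,{SAMPLE_B64}" download="invoice.jpg">open</a>
<script>
// style 2: decode in the browser, wrap the bytes in a Blob with a chosen MIME
// type, and hand the browser an object URL so it saves the file locally
var bin = atob("{SAMPLE_B64}");
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "photo.jpg";
document.body.appendChild(a);
a.click();
</script></body></html>"""

# Indicators: a base64 data: URL, a base64 literal handed to atob(), and the
# download name the page assigns to whatever it produces.
DATA_URL_RE = re.compile(r"data:([\w.+/-]+)?(?:;[\w=-]+)*;base64,([A-Za-z0-9+/=]+)", re.I)
ATOB_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
DOWNLOAD_RE = re.compile(r"""download\s*=\s*["']?([^"'>\s]+)""", re.I)

# Magic bytes for the types that matter here; first match wins.
MAGIC = [(b"PK\x03\x04", "zip"), (b"MZ", "pe"), (b"\xff\xd8\xff", "jpeg"),
         (b"\x89PNG", "png"), (b"%PDF", "pdf")]
EXT_TYPE = {"zip": "zip", "exe": "pe", "dll": "pe", "jpg": "jpeg", "jpeg": "jpeg",
            "png": "png", "pdf": "pdf"}

def sniff(data: bytes) -> str:
    """Identify content by magic bytes rather than by extension or MIME type."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"

def _finding(vector: str, mime: str, b64: str, page: str, pos: int) -> dict:
    payload = base64.b64decode(b64)
    # The download name is the first download= attribute/property after the payload.
    m = DOWNLOAD_RE.search(page, pos)
    name = m.group(1) if m else ""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = sniff(payload)
    return {
        "vector": vector,
        "declared_mime": mime,
        "download_name": name,
        "actual_type": actual,
        "size": len(payload),
        # Suspicious if the bytes are not what the extension claims, or are an
        # archive/executable regardless of the name.
        "mismatch": EXT_TYPE.get(ext) != actual or actual in ("zip", "pe"),
    }

def scan_html(page: str) -> list:
    """Return one finding per in-browser payload found in an HTML/JS document."""
    findings = []
    for m in DATA_URL_RE.finditer(page):
        findings.append(_finding("data-url", m.group(1) or "", m.group(2), page, m.end()))
    for m in ATOB_RE.finditer(page):
        findings.append(_finding("blob-from-atob", "", m.group(1), page, m.end()))
    return findings

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f)
```

Both findings come back as a zip behind a .jpg download name, which is the mismatch the Analyst Notes describe. The scanner only sees payloads embedded as base64 literals; a page that fetches its bytes in pieces or obfuscates the atob() call needs a JavaScript-aware approach rather than regexes.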

ANALYST NOTES

While Duri’s exact dropping approach is not commonly seen in other malware, it can be detected easily if the proper controls are in place. Indicators that allow for the detection of Duri include:
• Unusual HTTP requests to hosts addressed by a bare IP rather than a domain name.
• Abnormally large downloads of files that appear innocuous, or files whose contents do not match their extension (in this case, a zip archive disguised as a jpg file). Because the file is assembled in the browser, the oversized object the proxy sees is the HTML page or script carrying the encoded payload, not a .zip.
• PowerShell launching LNK files from user directories such as AppData.
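A worked version of the three indicators above, as an added example with constructed log lines (not from the Menlo Security blog). Proxy lines follow a squid-style layout and endpoint lines a key=value rendering of Sysmon events (ID 1 process create, ID 11 file create, the latter catching the .lnk drop itself); all hosts, addresses, user names and file names are made up, and the 1 MiB size threshold is an assumption to tune to the environment.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed proxy log (squid-style fields: ts client action/status bytes method
# url user peer content-type). Addresses, hosts and paths are made up.
PROXY_LOG = """\
1597000001.101 10.0.0.21 TCP_MISS/200 4321 GET https://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1597000002.202 10.0.0.21 TCP_MISS/200 1834112 GET http://203.0.113.10/news/today.html - HIER_DIRECT/203.0.113.10 text/html
1597000003.303 10.0.0.21 TCP_MISS/200 812 GET http://203.0.113.10/favicon.ico - HIER_DIRECT/203.0.113.10 image/x-icon
1597000004.404 10.0.0.22 TCP_MISS/200 3145728 GET https://cdn.example.org/dist/app.js - HIER_DIRECT/198.51.100.7 application/javascript
"""

# Constructed endpoint events as key=value lines (Sysmon ID 1 = process create,
# ID 11 = file create). User and file names are made up.
ENDPOINT_LOG = r"""
EventID=11 Image="C:\Users\alice\AppData\Local\Temp\setup.exe" TargetFilename="C:\Users\alice\AppData\Roaming\k3v9q2xz.lnk"
EventID=1 ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -WindowStyle Hidden -c Start-Process 'C:\Users\alice\AppData\Roaming\k3v9q2xz.lnk'"
EventID=1 ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -File C:\scripts\backup.ps1"
EventID=11 Image="C:\Windows\explorer.exe" TargetFilename="C:\Users\alice\Desktop\Word.lnk"
"""

CARRIER_LIMIT = 1024 * 1024  # assumed threshold for an HTML/JS response; tune per environment

def host_is_bare_ip(host: str) -> bool:
    """True when the URL host is an IP literal rather than a domain name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def scan_proxy_log(text: str) -> list:
    """Indicators 1 and 2: bare-IP hosts, and oversized HTML/JS responses, which
    is where the encoded payload travels when the file is built in the browser."""
    hits = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        size, url, ctype = int(f[3]), f[5], f[8]
        rules = []
        if host_is_bare_ip(urlsplit(url).hostname or ""):
            rules.append("host_is_bare_ip")
        if size > CARRIER_LIMIT and (ctype.startswith("text/html") or "javascript" in ctype):
            rules.append("large_html_or_js_response")
        if rules:
            hits.append({"url": url, "bytes": size, "rules": rules})
    return hits

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
LNK_IN_APPDATA_RE = re.compile(r"""\\appdata\\[^\s'"]*\.lnk\b""", re.I)
SHELLS = {"powershell.exe", "pwsh.exe"}

def parse_event(line: str) -> dict:
    """Split a key=value line; quoted values keep their spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}

def scan_endpoint_log(text: str) -> list:
    """Indicator 3 plus the drop itself: a .lnk written under AppData\\Roaming,
    and PowerShell launched with a .lnk under AppData on its command line."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        target = ev.get("TargetFilename", "").lower()
        cmd = ev.get("CommandLine", "")
        if ev.get("EventID") == "11" and target.endswith(".lnk") and "\\appdata\\roaming\\" in target:
            hits.append({"rule": "lnk_written_to_appdata_roaming", "path": ev["TargetFilename"]})
        elif ev.get("EventID") == "1" and image in SHELLS and LNK_IN_APPDATA_RE.search(cmd):
            hits.append({"rule": "powershell_launches_lnk_from_appdata", "cmd": cmd})
    return hits

if __name__ == "__main__":
    for h in scan_proxy_log(PROXY_LOG) + scan_endpoint_log(ENDPOINT_LOG):
        print(h)
```

The size rule on its own is noisy (the legitimate 3 MiB JavaScript bundle in the sample trips it), so treat a line that hits both proxy rules, or a proxy hit followed by an endpoint hit for the same user, as the alert rather than any single rule.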

To read more, please see: https://www.menlosecurity.com/blog/new-attack-alert-duri