Threat Watch

Duri Malware Campaign Smuggles Downloads in Browser Data URLs

In a recent blog, Menlo Security analyzed an ongoing campaign by malware it has dubbed “Duri.” Duri attempts to smuggle its payloads by generating them in-browser two ways: delivery by Data URL or by creating a JavaScript blob with the appropriate MIME-type that results in a download on the client device. By taking this approach, it can evade simple Anti-Virus (AV) detections that are limited by size and capability. Based on the activity it performs on a victim’s endpoint, it should be relatively easy to detect. Duri drops into a user’s AppData\Roaming directory and writes a LNK file with a random name there. An easier, albeit later, method of detection is by looking through PowerShell logs for process creations of a .lnk file.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

While Duri’s exact dropping approach is not commonly seen by other malware, it can be easily detected if the proper controls are put in place. Examples that will allow for the detection of Duri include:
• Unusual HTTP calls to hosts that do not have a domain and only an IP.
• Abnormally large download sizes of files that seem innocuous or files with contents that do not match the file extension – in this case, a zip archive disguised as a jpg file.
• PowerShell calling LNK files from user directories such as the AppData directory.

To read more, please see: https://www.menlosecurity.com/blog/new-attack-alert-duri

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support