HTML smuggling techniques bypass traditional network security solutions, such as email scanners, proxies, and sandboxes, by using features of HTML5 and JavaScript. The malicious HTML is generated within the browser on the target device, which is already inside the network's security perimeter. Most network security solutions work by monitoring the “wire”, the stream of data entering and leaving the network, for patterns and signatures of known or suspected malware within the byte stream. With HTML smuggling, the malicious payload is assembled within the browser on the target device, so no malicious object crosses the wire where perimeter network security systems could detect it.

Attacks of this type allow a malicious actor to “smuggle” an encoded script within an HTML attachment or a specially crafted web page. If the target opens the HTML in their web browser, the script is decoded and the payload is deployed to their device. Instead of a malicious executable passing directly through the network, the attacker builds the malware locally, behind the firewall.

The goal of HTML smuggling is to deliver a malicious payload to the target device. This is usually done by downloading it via a data URL (data:) or by creating a JavaScript blob with the appropriate MIME type to trigger a download to the client device. The Duri malware, for example, uses the JavaScript blob technique to create and download the malicious payload on the target device.

When triggered by a visit to a malicious website, Duri’s preloader uses JavaScript to create a ZIP file and deposit it on the target PC. The user must then be tricked into opening the ZIP file; if they do, its contents are invoked: a Windows Installer package that installs the malware payload on the target device.

This threat is not unstoppable, however: a good network security design uses multiple layers of security provided by different technologies to achieve “defense in depth”. Even if the malware manages to pass the network perimeter, it could still be detected or blocked by other defensive systems within the network.
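As an added example (not part of the original article), the following Python heuristic is the kind of triage check a mail gateway or sandbox analyst could run over HTML attachments to flag the browser-side delivery primitives described above (JavaScript blobs and data: URLs) next to an embedded, encoded payload. The indicator names, weights, threshold and the two sample documents are this example's own constructions.

```python
"""Heuristic triage of HTML attachments for HTML-smuggling indicators.
Obfuscated scripts can split or encode these tokens, so a hit means
"detonate this file in a sandbox", not a verdict on its own."""
import re

# (label, pattern, weight); the labels are this example's own names.
INDICATORS = [
    ("blob_constructor", re.compile(r"\bnew\s+Blob\s*\("), 3),
    ("object_url", re.compile(r"\bURL\.createObjectURL\s*\("), 3),
    ("legacy_save_blob", re.compile(r"\bmsSaveOrOpenBlob\b"), 3),
    ("data_url_base64", re.compile(r"data:[\w.+/-]+;base64,"), 3),
    ("base64_decode", re.compile(r"\batob\s*\("), 2),
    ("download_attr", re.compile(r"\bdownload\s*=", re.IGNORECASE), 2),
    ("programmatic_click", re.compile(r"\.click\s*\("), 1),
    # A long unbroken base64 run is where a smuggled file usually sits.
    ("large_base64_literal", re.compile(r"[A-Za-z0-9+/]{1024,}={0,2}"), 2),
]
# A verdict needs one of these: the primitive that turns text into a file.
DELIVERY = {"blob_constructor", "object_url", "legacy_save_blob", "data_url_base64"}


def scan_html(html: str, threshold: int = 6) -> dict:
    """Return matched indicators, a weighted score and a suspicious flag.

    Requiring a delivery primitive AND the threshold keeps a benign page
    that only uses a download attribute or a small atob() below the line.
    """
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"indicators": hits, "score": score,
            "suspicious": bool(DELIVERY & set(hits)) and score >= threshold}


# Constructed samples (not real attachments). The "payload" is a repeated
# harmless marker, long enough to look like an embedded file.
BENIGN_HTML = """<html><body><h1>Quarterly report</h1>
<a href="report.pdf" download="report.pdf">Download the PDF</a></body></html>"""

SMUGGLING_HTML = """<html><body><script>
var blob = new Blob([atob("%s")], { type: "application/octet-stream" });
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script></body></html>""" % ("QUJDRA" * 200)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("smuggling", SMUGGLING_HTML)):
        print(label, scan_html(doc))
```

The same check also fires on the data: URL variant the article mentions, since a base64 data URL plus a long payload literal and a download attribute clears the threshold without any script at all.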
