
Duri Malware

Posted: August 19, 2020

The Duri Malware is a website-embedded threat that tricks users into downloading corrupted files, such as Trojan installers, onto their computers. Unlike most threat types of this nature, such as an Exploit Kit, the Duri Malware doesn't depend on conventional, usually-patchable security vulnerabilities. Users should maintain careful browser settings and have active anti-malware protection to block the Duri Malware or remove the payload.

Trojan Payloads with 'On-Site' Construction

The ingenuity of threat actors navigating the push-and-pull between cyber-security solutions and their payloads is always growing. It's rare for a rule about online attacks not to be broken, sooner or later. The Duri Malware is a loophole-based threat that works around the limitations of many well-known delivery methods for threatening and unwanted software, such as exploit-dependent EKs like the RIG Exploit Kit. Although users have to accept a download in many cases, the Duri Malware's strategy may lend a false sense of security to the request.

Threat actors are implanting the Duri Malware onto unsafe and hacked websites as of July 2020, although malware experts haven't confirmed any social engineering lures in use. Once the victim browses the website (usually, after several redirects from previous domains), the Duri Malware loads automatically and establishes a drive-by-download attack. However, unlike an Exploit Kit, the Duri Malware doesn't exploit a software vulnerability.

Instead, the Duri Malware abuses legitimate features of JavaScript and HTML5: the file is assembled inside the browser, either as a properly MIME-typed JavaScript Blob or as a file embedded inline through a data: URL. Because the file is generated dynamically on the client rather than fetched from a server, many security solutions that watch for conventional file downloads never see it. Relying on overt features, instead of vulnerabilities, also lets the Duri Malware trigger despite any security patches that close old drive-by-download vulnerabilities.

The result is a ZIP download prompt that falsely attributes itself to Microsoft; unwitting users who accept it infect their computers.
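As an added defender-side illustration (not code from the original article), the following Python scanner checks saved page content for the HTML5 and JavaScript features described above, so that a proxy or sandbox that only sees the HTML can still flag a smuggled download. The indicator names and the three page fixtures are constructed for this example.

```python
import re

# Regexes for the HTML5/JavaScript features the article says the Duri campaign
# abuses: the file is built in the browser (Blob or data: URL) and handed to the
# user as a download, so no conventional file transfer crosses the proxy.
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\(", re.I),
    "binary_mime": re.compile(r"application/(?:octet-stream|zip|x-zip-compressed)", re.I),
    "data_url": re.compile(r"data:application/[\w.+-]+;base64,", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "archive_name": re.compile(r"[\"'][^\"']*\.(?:zip|iso|img|exe|msi)[\"']", re.I),
}
# A smuggled download needs a client-side file source plus a download trigger.
SOURCES = {"blob_constructor", "data_url"}
TRIGGERS = {"object_url", "download_attr"}


def scan_html(content: str) -> dict:
    """Return a verdict and the indicator counts for one page's HTML/JS."""
    hits = {}
    for name, pattern in INDICATORS.items():
        count = len(pattern.findall(content))
        if count:
            hits[name] = count
    has_source = bool(SOURCES & hits.keys())
    has_trigger = bool(TRIGGERS & hits.keys())
    if has_source and has_trigger:
        verdict = "likely_html_smuggling"
    elif has_source or has_trigger:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


# Constructed fixtures (not captured Duri code): the Blob variant, the data: URL
# variant, and an ordinary page that uses none of these features.
BLOB_PAGE = """<script>
var b = new Blob([atob(enc)], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(b);
a.download = 'Microsoft-Update.zip';
</script>"""
DATA_URL_PAGE = '<a href="data:application/zip;base64,AAAA" download="update.zip">Get file</a>'
BENIGN_PAGE = "<script>document.getElementById('greeting').textContent = 'Welcome back';</script>"

if __name__ == "__main__":
    for label, page in [("blob", BLOB_PAGE), ("data-url", DATA_URL_PAGE), ("benign", BENIGN_PAGE)]:
        print(label, scan_html(page))
```

A hit on a file source alone (for example, a Blob used for an image preview) is only "suspicious"; the combination of a client-side file source with a download trigger is what distinguishes smuggling from ordinary use of these APIs.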

Taking Unwanted Dynamism Out of Your Web-Browsing Life

The Duri Malware's campaign operates as a dedicated delivery method for a previously-known but unspecified family of threatening software. However, the significant ingenuity of its tactics doesn't make it a perfect or flawless means of attacking Web surfers. Malware researchers recommend the following as helpful for limiting drive-by-downloads from the Duri Malware and most other threats of a similar classification:

  • Users can disable JavaScript by default or require domains to ask permission before running it.
  • Script-blocking add-ons may help against the Duri Malware, and also against the browser-redirecting attempts associated with it.
  • Appropriate Web-browsing security products may block known-unsafe domains by default.
  • Security solutions with advanced download-monitoring functions may catch the Duri Malware's attacks, a form of 'HTML smuggling,' even though the technique bypasses some services, such as proxies.

Perhaps most importantly, the Duri Malware requires the user's consent to download the ZIP archive. Users should always vet downloads from unknown websites thoroughly and check addresses for possible attack symptoms, like a typo-squatting URL.

Suitably-equipped anti-malware technology should remove the Duri Malware's payloads on sight or block the drive-by-download, regardless of any obfuscation or HTML smuggling techniques.

The Duri Malware uses a signed file as part of its payload, which supports the impression that its threat actors have experience and financial resources. Like 'normal' warfare, the battle for safety on the Web shows a daily evolution, and the Duri Malware is a particularly flashy weapon leveled at users' PCs.
