from HTML5 & Javascript blob technique to ransomeware - JS is evil (when it is allowed to do more than gui animations)

“The Duri malware, for example, uses the Javascript blob technique.

The attacks are triggered by visiting a website with the malicious code.”

(this could be a well known, sincere, but hacked website)

“By downloading, the malware can install itself on the target device.”

“HTML smuggling is also made possible by the HTML5 “Download” attribute for anchor tags.”

“When a user clicks the HTML link, a download of the file is triggered.”

“The attack therefore uses conventional HTML5 and JavaScript functions.”

“The attack occurs especially in email campaigns.”

“That is, users with Exchange Online mailboxes are also affected.”

“Spear phishing campaign can ransomware”

“This technique was noticed in a spear phishing campaign in May 2021.

“As part of these attacks, the banking Trojan Mekotio as well as AsyncRAT/NJRAT and Trickbot were infiltrated – this also means remote code execution and complete takeover of computers is possible.”

Ransomware also enters networks in this way.”

“The Microsoft 365 Defender Threat Intelligence Team shows what such an attack looks like in a Twitter post.

ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign

src: translated from https://www.security-insider.de/html-smuggling-greift-netzwerke-von-innen-an-a-1109311/

Links:

https://www.bleepingcomputer.com/news/security/duri-campaign-smuggles-malware-via-html-and-javascript/

https://dwaves.de/2018/09/10/javascript-is-evil-a-major-security-problem/

https://dwaves.de/2021/02/26/the-evilness-of-javascript-dont-be-evil-twitter-strikes-again/

https://dwaves.de/2018/11/16/xiaomi-nfc-and-baseband-exploit-confirmed-javascript-is-indeed-evil-also-on-phones/

https://dwaves.de/2017/12/21/bitcoin-zcash-monero-mining-via-javascript-inside-browser-of-website-visitors/

https://dwaves.de/2018/01/04/amd-arm-intel-cpus-all-got-problems-meltdown-and-spectre-javascript-could-steal-your-firefoxs-passwords/

https://dwaves.de/2019/12/17/mail-thunderbird-disable-javascript/

#linux #gnu #gnulinux #opensource #administration #sysops #itsec #itsecurity #js #html5 #html #javascript #cyber #cybersecurity #cybersec

Originally posted at: https://dwaves.de/2022/04/13/from-html5-javascript-blob-technique-to-ransomeware-js-is-evil-when-it-is-allowed-to-do-more-than-gui-animations/

There are no comments yet.