Strange Bits: HTML Smuggling and GitHub Hosted Malware
Quote:

Sometimes we see odd stuff, like malware that employs a technique called "HTML Smuggling". Also, malware on GitHub seems to be a thing these days.


"That's strange..."

Many important discoveries do not start with a shouting of “Eureka” anymore, as they did in the days of old. Instead, the most intriguing bits of modern research will at some point contain the phrase “That’s strange…”, followed by more prodding and poking and – hopefully – a lightbulb moment. This series that we call "Strange Bits" contains many findings that struck our analysts as odd, either because they do not seem to make any sense at the time or because a malicious program exhibits behaviors that none of us have seen before. Maybe these findings will spark ideas in other fellow researchers – maybe those findings are just what it says on the tin: Strange….

DanaBot loader uses HTML smuggling

This email has an unusual way to store contained malware. The email[1] displays Polish text which prompts the user to click on a download link. The translated text says "This file can not be previewed. You can download the file."

The <a> tag for this link has a download attribute with the name of the dropped ZIP archive: dokumentacja_28380.zip[2]. However, the referenced data in the href attribute is not downloaded from a URL but saved as a base64 string using the data URI scheme. This is also called HTML smuggling (thanks to Rich Warren who gave me a hint to the blog post).
Reply
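A defender-side check for the pattern the quoted post describes, as an added example that is not part of the original post or the blog it quotes: it scans an HTML mail body for `<a>` tags that combine a `download` attribute with a base64 `data:` URI and reports what file type the embedded payload starts with. The function and class names, the magic-byte table, the `application/zip` media type and the sample HTML are assumptions constructed for illustration; only the file name comes from the post.

```python
import base64
import binascii
from html.parser import HTMLParser

# Leading magic bytes of a few file types worth flagging (illustrative, not exhaustive).
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\xd0\xcf\x11\xe0": "ole2"}


class SmuggledLinkFinder(HTMLParser):
    """Collects <a download=...> links whose href is a base64 data: URI."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        href = (a.get("href") or "").strip()
        if tag != "a" or "download" not in a or not href.lower().startswith("data:"):
            return
        header, _, payload = href[5:].partition(",")
        if "base64" not in header.lower().split(";"):
            return
        payload = "".join(payload.split())  # tolerate line-wrapped base64
        try:
            # 16 base64 characters decode to 12 bytes, enough for the magic check.
            head = base64.b64decode(payload[:16], validate=True)
        except (binascii.Error, ValueError):
            return
        kind = next((k for m, k in MAGIC.items() if head.startswith(m)), "unknown")
        self.findings.append({"filename": a["download"],
                              "media_type": header.split(";")[0].lower(),
                              "payload_type": kind})


def find_smuggled_links(html):
    finder = SmuggledLinkFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample: a zero-filled ZIP local-header stub, not a real archive.
_STUB = base64.b64encode(b"PK\x03\x04" + b"\x00" * 26).decode()
SAMPLE_HTML = (
    f'<p><a download="dokumentacja_28380.zip" href="data:application/zip;base64,{_STUB}">download the file</a></p>'
    '<p><a download="report.pdf" href="https://example.com/report.pdf">ordinary link</a></p>'
)

if __name__ == "__main__":
    for hit in find_smuggled_links(SAMPLE_HTML):
        print(hit)
```

The check covers only the static `<a href="data:...">` form described in the post; a payload assembled by script at render time would not appear in the markup this parser sees.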