Cybersecurity researchers have found a brand new malware marketing campaign that leverages bogus Google Websites pages and HTML smuggling to distribute a industrial malware known as AZORult so as to facilitate data theft.
“It makes use of an unorthodox HTML smuggling method the place the malicious payload is embedded in a separate JSON file hosted on an exterior web site,” Netskope Menace Labs researcher Jan Michael Alcantara mentioned in a report printed final week.
The phishing marketing campaign has not been attributed to a selected menace actor or group. The cybersecurity firm described it as widespread in nature, carried out with an intent to gather delicate information for promoting them in underground boards.
AZORult, additionally known as PuffStealer and Ruzalto, is an data stealer first detected round 2016. It is usually distributed by way of phishing and malspam campaigns, trojanized installers for pirated software program or media, and malvertising.
As soon as put in, it is able to gathering credentials, cookies, and historical past from internet browsers, screenshots, paperwork matching an inventory of particular extensions (.TXT, .DOC, .XLS, .DOCX, .XLSX, .AXX, and .KDBX), and information from 137 cryptocurrency wallets. AXX recordsdata are encrypted recordsdata created by AxCrypt, whereas KDBX refers to a password database created by the KeePass password supervisor.
The newest assault exercise includes the menace actor creating counterfeit Google Docs pages on Google Websites that subsequently make the most of HTML smuggling to ship the payload.
HTML smuggling is the identify given to a stealthy method by which legit HTML5 and JavaScript options are abused to assemble and launch the malware by “smuggling” an encoded malicious script.
Thus, when a customer is tricked into opening the rogue web page from a phishing e mail, the browser decodes the script and extracts the payload on the host machine, successfully bypassing typical safety controls corresponding to e mail gateways which might be identified to solely examine for suspicious attachments.
The AZORult marketing campaign takes this strategy a notch increased by including a CAPTCHA barrier, an strategy that not solely offers a veneer of legitimacy but additionally serves as a further layer of safety towards URL scanners.
The downloaded file is a shortcut file (.LNK) that masquerades as a PDF financial institution assertion, launching which kicks off a sequence of actions to execute a sequence of intermediate batch and PowerShell scripts from an already compromised area.
One of many PowerShell scripts (“agent3.ps1”) is designed to fetch the AZORult loader (“service.exe”), which, in flip, downloads and executes one other PowerShell script (“sd2.ps1”) containing the stealer malware.
“It executes the fileless AZORult infostealer stealthily through the use of reflective code loading, bypassing disk-based detection and minimizing artifacts,” Michael Alcantara mentioned. “It makes use of an AMSI bypass method to evade being detected by quite a lot of host-based anti-malware merchandise, together with Home windows Defender.”
“Not like widespread smuggling recordsdata the place the blob is already contained in the HTML code, this marketing campaign copies an encoded payload from a separate compromised web site. Utilizing legit domains like Google Websites may help trick the sufferer into believing the hyperlink is legit.”
The findings come as Cofense revealed the usage of malicious SVG recordsdata by menace actors in latest campaigns to disseminate Agent Tesla and XWorm utilizing an open-source program known as AutoSmuggle that simplifies the method of crafting HTML or SVG smuggled recordsdata.
AutoSmuggle “takes a file corresponding to an exe or an archive and ‘smuggles’ it into the SVG or HTML file in order that when the SVG or HTML file is opened, the ‘smuggled’ file is delivered,” the corporate defined.
Phishing campaigns have additionally been noticed using shortcut recordsdata packed inside archive recordsdata to propagate LokiBot, an data stealer analogous to AZORult with options to reap information from internet browsers and cryptocurrency wallets.
“The LNK file executes a PowerShell script to obtain and execute the LokiBot loader executable from a URL. LokiBot malware has been noticed utilizing picture steganography, multi-layered packing and living-off-the-land (LotL) methods in previous campaigns,” SonicWall disclosed final week.
In one other occasion highlighted by Docguard, malicious shortcut recordsdata have been discovered to provoke a sequence of payload downloads and finally deploy AutoIt-based malware.
That is not all. Customers within the Latin American area are being focused as a part of an ongoing marketing campaign by which the attackers impersonate Colombian authorities businesses to ship booby-trapped emails with PDF paperwork that accuse the recipients of flouting visitors guidelines.
Current throughout the PDF file is a hyperlink that, upon click on, leads to the obtain of a ZIP archive containing a VBScript. When executed, the VBScript drops a PowerShell script liable for fetching one of many distant entry trojans like AsyncRAT, njRAT, and Remcos.