Cybersecurity researchers have found a brand new malware marketing campaign that leverages bogus Google Websites pages and HTML smuggling to distribute a business malware referred to as AZORult with the intention to facilitate data theft.
“It makes use of an unorthodox HTML smuggling method the place the malicious payload is embedded in a separate JSON file hosted on an exterior web site,” Netskope Menace Labs researcher Jan Michael Alcantara mentioned in a report revealed final week.
The phishing marketing campaign has not been attributed to a selected menace actor or group. The cybersecurity firm described it as widespread in nature, carried out with an intent to gather delicate information for promoting them in underground boards.
AZORult, additionally referred to as PuffStealer and Ruzalto, is an data stealer first detected round 2016. It is sometimes distributed through phishing and malspam campaigns, trojanized installers for pirated software program or media, and malvertising.
As soon as put in, it is able to gathering credentials, cookies, and historical past from net browsers, screenshots, paperwork matching an inventory of particular extensions (.TXT, .DOC, .XLS, .DOCX, .XLSX, .AXX, and .KDBX), and information from 137 cryptocurrency wallets. AXX information are encrypted information created by AxCrypt, whereas KDBX refers to a password database created by the KeePass password supervisor.
The newest assault exercise includes the menace actor creating counterfeit Google Docs pages on Google Websites that subsequently make the most of HTML smuggling to ship the payload.
HTML smuggling is the identify given to a stealthy method wherein official HTML5 and JavaScript options are abused to assemble and launch the malware by “smuggling” an encoded malicious script.
Thus, when a customer is tricked into opening the rogue web page from a phishing e mail, the browser decodes the script and extracts the payload on the host system, successfully bypassing typical safety controls similar to e mail gateways which can be recognized to solely examine for suspicious attachments.
The AZORult marketing campaign takes this method a notch greater by including a CAPTCHA barrier, an method that not solely provides a veneer of legitimacy but additionally serves as an extra layer of safety in opposition to URL scanners.
The downloaded file is a shortcut file (.LNK) that masquerades as a PDF financial institution assertion, launching which kicks off a sequence of actions to execute a sequence of intermediate batch and PowerShell scripts from an already compromised area.
One of many PowerShell scripts (“agent3.ps1”) is designed to fetch the AZORult loader (“service.exe”), which, in flip, downloads and executes one other PowerShell script (“sd2.ps1”) containing the stealer malware.
“It executes the fileless AZORult infostealer stealthily through the use of reflective code loading, bypassing disk-based detection and minimizing artifacts,” Michael Alcantara mentioned. “It makes use of an AMSI bypass method to evade being detected by a wide range of host-based anti-malware merchandise, together with Home windows Defender.”
“In contrast to frequent smuggling information the place the blob is already contained in the HTML code, this marketing campaign copies an encoded payload from a separate compromised web site. Utilizing official domains like Google Websites may help trick the sufferer into believing the hyperlink is official.”
The findings come as Cofense revealed using malicious SVG information by menace actors in current campaigns to disseminate Agent Tesla and XWorm utilizing an open-source program referred to as AutoSmuggle that simplifies the method of crafting HTML or SVG smuggled information.
AutoSmuggle “takes a file similar to an exe or an archive and ‘smuggles’ it into the SVG or HTML file in order that when the SVG or HTML file is opened, the ‘smuggled’ file is delivered,” the corporate defined.
Phishing campaigns have additionally been noticed using shortcut information packed inside archive information to propagate LokiBot, an data stealer analogous to AZORult with options to reap information from net browsers and cryptocurrency wallets.
“The LNK file executes a PowerShell script to obtain and execute the LokiBot loader executable from a URL. LokiBot malware has been noticed utilizing picture steganography, multi-layered packing and living-off-the-land (LotL) methods in previous campaigns,” SonicWall disclosed final week.
In one other occasion highlighted by Docguard, malicious shortcut information have been discovered to provoke a sequence of payload downloads and finally deploy AutoIt-based malware.
That is not all. Customers within the Latin American area are being focused as a part of an ongoing marketing campaign wherein the attackers impersonate Colombian authorities businesses to ship booby-trapped emails with PDF paperwork that accuse the recipients of flouting visitors guidelines.
Current inside the PDF file is a hyperlink that, upon click on, ends in the obtain of a ZIP archive containing a VBScript. When executed, the VBScript drops a PowerShell script liable for fetching one of many distant entry trojans like AsyncRAT, njRAT, and Remcos.