Friday, July 19, 2024
EHA

Azorult Malware Abuses Google Sites To Steal Login Credentials

A new evasive Azorult campaign that uses HTML smuggling to deliver a malicious JSON payload from an external website. 

The JSON file is then loaded using reflective code loading, a fileless technique that bypasses disk-based detection and also employs an AMSI bypass to avoid being flagged by antivirus software

A sophisticated campaign targets the healthcare industry and steals sensitive information, including login credentials, crypto wallet data, and browser information.  

Google Sites Exploited For HTML Smuggling Attacks 

Adversaries launched an attack using HTML smuggling within fake Google Docs pages on Google Sites, which tricked victims into downloading a malicious payload disguised as a legitimate Google Doc, Netskope said.

Unlike typical HTML smuggling where the payload resides in Javascript, this instance embedded the base64-encoded payload within a separate JSON file hosted on a different domain. 

Upon visiting the website, the victim’s browser unknowingly downloads the JSON and extracts the malicious payload. 

An attacker’s website bypasses scanners with a CAPTCHA and delivers HTML that downloads a disguised LNK shortcut. 

The LNK triggers a Powershell script to download a base64 encoded payload, decodes it, creates a scheduled task to execute the script, and then deletes it. 

The downloaded Javascript copies itself checks for a specific file for self-deletion and fetches two more Powershell scripts to execute.  

Attackers leverage reflective code loading to evade detection. They use two Powershell scripts, agent1.ps1 and agent3.ps1. Agent1.ps1 disables AMSI scanning. 

Agent3.ps1 downloads an Azorult loader and shellcode in memory allocates memory for them, and uses CreateThread to execute them within the same process. 

The downloaded loader then retrieves another Powershell script, sd2.ps1, which decrypts and executes the Azorult binary stored within itself.  

Azorult, a.NET infostealer, targets sensitive user data, and after in-memory execution, it steals credentials, browser data, and crypto wallet information, leveraging Curve25519 cryptography to encrypt stolen data for stealthy exfiltration to the C2 server via HTTP. 

It first captures a full-screen screenshot, and then it pilfers browser data (logins, cookies, browsing history) from Chrome and Firefox by copying specific files, and then it hunts for popular crypto wallet extensions on Chrome, Edge, and Firefox and exfiltrates their data if found. 

Sensitive Documents

Target File Extension
File Name Keywords
Unwanted File extension

Azorult scans the desktop for sensitive files based on extensions and keywords and it bypasses specific file types while searching. Upon finding a target file, it reads its content and stores it in memory. 

The data is compressed and encrypted using a pre-shared secret before transmission, and the WebRequest class is leveraged to send the encrypted data along with the public key over HTTPS to the attacker’s command and control server. 

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Website

Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles