发布时间:2024年03月19日         来源:知机安全

Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft.

网络安全研究人员发现了一个新的恶意软件攻击活动,利用虚假的Google Sites页面和HTML走私来分发一种名为AZORult的商业恶意软件,以便进行信息窃取。

"It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website," Netskope Threat Labs researcher Jan Michael Alcantara said in a report published last week.

Netskope Threat Labs的研究员Jan Michael Alcantara在上周发布的一份报告中表示,它使用了一种非常规的HTML走私技术,其中恶意载荷嵌入在托管在外部网站上的单独JSON文件中。

The phishing campaign has not been attributed to a specific threat actor or group. The cybersecurity company described it as widespread in nature, carried out with an intent to collect sensitive data for selling them in underground forums.


AZORult, also called PuffStealer and Ruzalto, is an information stealer first detected around 2016. It's typically distributed via phishing and malspam campaigns, trojanized installers for pirated software or media, and malvertising.


Once installed, it's capable of gathering credentials, cookies, and history from web browsers, screenshots, documents matching a list of specific extensions (.TXT, .DOC, .XLS, .DOCX, .XLSX, .AXX, and .KDBX), and data from 137 cryptocurrency wallets. AXX files are encrypted files created by AxCrypt, while KDBX refers to a password database created by the KeePass password manager.


The latest attack activity involves the threat actor creating counterfeit Google Docs pages on Google Sites that subsequently utilize HTML smuggling to deliver the payload.

最新的攻击活动涉及威胁行为者在Google Sites上创建伪造的Google Docs页面,随后利用HTML走私传递恶意载荷。

HTML smuggling is the name given to a stealthy technique in which legitimate HTML5 and JavaScript features are abused to assemble and launch the malware by "smuggling" an encoded malicious script.


Thus, when a visitor is tricked into opening the rogue page from a phishing email, the browser decodes the script and extracts the payload on the host device, effectively bypassing typical security controls such as email gateways that are known to only inspect for suspicious attachments.


The AZORult campaign takes this approach a notch higher by adding a CAPTCHA barrier, an approach that not only gives a veneer of legitimacy but also serves as an additional layer of protection against URL scanners.


The downloaded file is a shortcut file (.LNK) that masquerades as a PDF bank statement, launching which kicks off a series of actions to execute a series of intermediate batch and PowerShell scripts from an already compromised domain.


One of the PowerShell scripts ("agent3.ps1") is designed to fetch the AZORult loader ("service.exe"), which, in turn, downloads and executes another PowerShell script ("sd2.ps1") containing the stealer malware.


"It executes the fileless AZORult infostealer stealthily by using reflective code loading, bypassing disk-based detection and minimizing artifacts," Michael Alcantara said. "It uses an AMSI bypass technique to evade being detected by a variety of host-based anti-malware products, including Windows Defender."

Michael Alcantara表示,"它通过使用反射式代码加载悄无声息地执行无文件AZORult信息窃取器,绕过基于磁盘的检测并最小化遗留文件。它使用一种AMSI绕过技术来避开各种基于主机的反恶意软件产品的检测,包括Windows Defender。"

"Unlike common smuggling files where the blob is already inside the HTML code, this campaign copies an encoded payload from a separate compromised site. Using legitimate domains like Google Sites can help trick the victim into believing the link is legitimate."

"与常见的走私文件不同,其中blob已经在HTML代码中,这次攻击活动是从另一个被入侵的站点复制编码的载荷。使用像Google Sites这样的合法域名有助于欺骗受害者相信链接是合法的。"

The findings come as Cofense revealed the use of malicious SVG files by threat actors in recent campaigns to disseminate Agent Tesla and XWorm using an open-source program called AutoSmuggle that simplifies the process of crafting HTML or SVG smuggled files.
这些发现出现在Cofense披露的消息之际,威胁行为者最近利用恶意SVG文件传播Agent Tesla和XWorm,使用了一个名为AutoSmuggle的开源程序,简化了制作HTML或SVG走私文件的过程。

AutoSmuggle "takes a file such as an exe or an archive and 'smuggles' it into the SVG or HTML file so that when the SVG or HTML file is opened, the 'smuggled' file is delivered," the company explained.

Phishing campaigns have also been observed employing shortcut files packed within archive files to propagate LokiBot, an information stealer analogous to AZORult with features to harvest data from web browsers and cryptocurrency wallets.

"The LNK file executes a PowerShell script to download and execute the LokiBot loader executable from a URL. LokiBot malware has been observed using image steganography, multi-layered packing and living-off-the-land (LotL) techniques in past campaigns," SonicWall disclosed last week.

In another instance highlighted by Docguard, malicious shortcut files have been found to initiate a series of payload downloads and ultimately deploy AutoIt-based malware.

That's not all. Users in the Latin American region are being targeted as part of an ongoing campaign in which the attackers impersonate Colombian government agencies to send booby-trapped emails with PDF documents that accuse the recipients of flouting traffic rules.

Present within the PDF file is a link that, upon click, results in the download of a ZIP archive containing a VBScript. When executed, the VBScript drops a PowerShell script responsible for fetching one of the remote access trojans like AsyncRAT, njRAT, and Remcos.
PDF文件中包含一个链接,点击后会下载一个ZIP存档,其中包含一个VBScript。执行时,VBScript会释放一个负责获取Remote Access Trojans(如AsyncRAT、njRAT和Remcos)之一的PowerShell脚本。




升级换代到 3Gweb®