AZORult Trojan turns Google Docs into a hotbed of viruses

AZORult adapts to modern defenses with a clever campaign.

Netskope Threat Labs has revealed a new campaign that uses phishing pages hosted on Google Sites to distribute the AZORult infostealer. The campaign has not yet been attributed to any specific attacker or group, but its aim is to collect sensitive data for subsequent sale on the darknet.

AZORult (also known as PuffStealer and Ruzalto) is an information-stealing malware first discovered in 2016. It is distributed through phishing, infected installers of pirated software, fake cheats for games, as well as through fraudulent advertising.

After installation, AZORult collects credentials, cookies and browser history, screenshots, documents with certain extensions (TXT, DOC, XLS, DOCX, XLSX, AXX and KDBX), as well as data from 137 cryptocurrency wallets. The AXX files are encrypted files created by AxCrypt, and KDBX is a password database created by the KeePass password manager.

In the detected attack, the attackers created fake Google Docs pages on Google Sites that use the HTML Smuggling technique to deliver the malicious file: the payload is embedded in the page as an encoded blob and assembled by JavaScript inside the victim's browser, so no attachment ever crosses the network as a file. This lets the payload bypass standard security measures, including email gateways that normally inspect suspicious attachments.

The campaign also places a CAPTCHA in front of the page, which not only adds credibility but also hampers automated URL scanners and crawlers that would otherwise retrieve the payload for analysis.

The downloaded malicious file is a Windows shortcut (.lnk) disguised as a bank statement in PDF format. Opening the shortcut starts a chain that fetches and runs intermediate scripts and PowerShell scripts from a previously compromised domain.
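As an added example (not Netskope's code and not the campaign's page), the following Python triage script shows what the two techniques above look like from the defender's side: it scans an HTML page for the JavaScript building blocks of HTML smuggling (atob, Blob, createObjectURL, a programmatic download and click), decodes any large inline base64 literal, types it by its file signature (the ShellLink header that every .lnk file starts with, among others), and flags a download name with a decoy document extension such as .pdf.lnk. The sample page and payload bytes are constructed for illustration; only the file signatures are real format constants.

```python
"""Static triage of an HTML page for HTML-smuggling indicators.

Added example, not Netskope's or the campaign's code. SAMPLE_HTML and
SAMPLE_PAYLOAD are constructed for illustration; only the file signatures in
MAGIC are real format constants.
"""
import base64
import re

# JavaScript patterns typical of a "build the file in the browser and trigger
# a download" stub. Any one alone is common on benign pages; several together
# plus a large inline base64 blob is what we flag.
INDICATORS = {
    "atob": r"\batob\s*\(",
    "blob_constructor": r"\bnew\s+Blob\s*\(",
    "object_url": r"createObjectURL\s*\(",
    "download_attr": r"\.download\s*=",
    "ms_save_blob": r"msSave(?:OrOpen)?Blob",
    "char_code_loop": r"charCodeAt\s*\(",
    "auto_click": r"\.click\s*\(\s*\)",
}

# File signatures used to type a decoded blob without writing it to disk.
MAGIC = [
    (b"\x4c\x00\x00\x00\x01\x14\x02\x00", "lnk"),  # ShellLink: HeaderSize 0x4C + CLSID prefix
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole"),
]

DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{64,}={0,2})["\']')
DOWNLOAD_NAME = re.compile(r'\.download\s*=\s*["\']([^"\']+)["\']')


def find_indicators(html):
    """Names of the smuggling indicators present in the page."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, html)]


def guess_type(blob):
    """Type a byte string by its leading signature."""
    for sig, kind in MAGIC:
        if blob.startswith(sig):
            return kind
    return "unknown"


def extract_payloads(html):
    """Decode every long base64 literal in the page and type it by magic bytes."""
    payloads = []
    for m in B64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        payloads.append({"size": len(raw), "type": guess_type(raw), "data": raw})
    return payloads


def is_double_extension(name):
    """True for decoy names like 'statement.pdf.lnk' (document ext before the real one)."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTENSIONS


def analyze(html):
    indicators = find_indicators(html)
    payloads = extract_payloads(html)
    m = DOWNLOAD_NAME.search(html)
    filename = m.group(1) if m else None
    return {
        "indicators": indicators,
        "payloads": payloads,
        "filename": filename,
        "double_extension": bool(filename and is_double_extension(filename)),
        # Several smuggling primitives together plus a typed inline blob.
        "suspicious": len(indicators) >= 3
        and any(p["type"] != "unknown" for p in payloads),
    }


# Constructed sample: a fake ShellLink header padded with zeros, smuggled by a
# minimal stub of the kind the article describes (hypothetical, not the real page).
SAMPLE_PAYLOAD = b"\x4c\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 60
SAMPLE_HTML = """<html><body><p>Loading your document...</p>
<script>
  var data = atob("%s");
  var bytes = new Uint8Array(data.length);
  for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);
  var blob = new Blob([bytes], {type: "application/octet-stream"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "Bank_Statement.pdf.lnk";
  a.click();
</script></body></html>""" % base64.b64encode(SAMPLE_PAYLOAD).decode()


if __name__ == "__main__":
    result = analyze(SAMPLE_HTML)
    print("indicators:", result["indicators"])
    print("download name:", result["filename"], "double extension:", result["double_extension"])
    for p in result["payloads"]:
        print("payload: %d bytes, type %s" % (p["size"], p["type"]))
    print("suspicious:", result["suspicious"])
```

The same logic runs unchanged over a page fetched by a sandbox or a mail-URL rewriter; the point of typing the decoded blob by signature rather than by the advertised name is that the download attribute says "pdf" while the bytes say ShellLink, which is exactly the mismatch the decoy relies on.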