Azorult Malware Evades Detection: New Campaign Exposed

Netskope Threat Labs has uncovered a new campaign leveraging Google Sites phishing pages to disseminate the info-stealer AZORult. This phishing endeavor is not yet attributed to any specific malefactor or group; it aims to harvest sensitive data for subsequent sale on the dark web.

AZORult, also known as PuffStealer and Ruzalto, is a malicious information theft program first identified in 2016. It propagates through phishing, infected pirated software installers, counterfeit game cheats, and fraudulent advertisements.

Azorult Loader General Information using Detect It Easy

Once installed, AZORult collects account credentials, cookies, browsing history, screenshots, documents with specific extensions (TXT, DOC, XLS, DOCX, XLSX, AXX, and KDBX), and data from 137 cryptocurrency wallets. AXX files are encrypted files generated by AxCrypt, while KDBX files are password database files created by the password manager KeePass.

In the detected attack, perpetrators used Google Sites to create counterfeit Google Docs pages, which then employed HTML Smuggling to deliver malicious code. This technique circumvents standard security measures, including email gateways that typically screen for suspicious attachments.

The campaign also utilizes CAPTCHA, which not only lends an air of legitimacy but also serves as an additional layer of protection against URL scanners.

The malicious file downloaded is a Windows shortcut disguised as a PDF bank statement. Executing the shortcut initiates a sequence of actions to run intermediary scripts and PowerShell scripts from an already compromised domain.