Netskope Threat Labs revealed a new phishing campaign that uses Google Sites to spread the Azorult information-stealing malware. The campaign, aimed at collecting sensitive data for sale on the darknet, has not been linked to any specific attacker or group.
Azorult, also known as Puffstealer and Ruzalto, is a malicious program designed to steal information. First discovered in 2016, it spreads through various methods including phishing, infected software installers, fake cheats for games, and fraudulent advertising.
Once installed, Azorult collects various data including account information, browser history, screenshots, and documents with specific extensions. It also targets data from 137 different cryptocurrency wallets. The malware encrypts AXX files created by AxCrypt and KDBX files, the password databases created by KeePass.
In the recent attack, the attackers used fake Google Docs pages created through Google Sites to deliver malicious code using the HTML Smuggling technique. This method bypasses standard security measures, including email gateways that typically scan for suspicious attachments.
The campaign also employs a CAPTCHA to add credibility and serve as an extra layer of protection against URL scanners. The downloaded file is a Windows shortcut disguised as a bank account statement in PDF format. Once executed, the shortcut triggers a series of actions that run intermediary scripts and PowerShell scripts through a compromised domain.
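Because HTML smuggling assembles the file inside the browser, a gateway that only scans attachments and URLs never sees it; the page itself, however, can be inspected for the building blocks the technique needs. The heuristic scanner below is an added example, not Netskope's code or anything recovered from the campaign; the two sample pages and the file name in them are constructed, and the detection thresholds are assumptions.

```python
"""Heuristic HTML-smuggling detector. Added example, not Netskope's code.
Flags pages that assemble a file in the browser (atob/Blob/base64 blob)
AND push it to the user as a download; gateways that only scan
attachments or URLs never see the file, but the page itself is inspectable."""
import re

# Building blocks of client-side file assembly and delivery.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "ie_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "large_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}
# Document-looking name ending in an executable/shortcut extension.
DECEPTIVE_NAME = re.compile(r"[\w-]+\.(pdf|docx?|xlsx?)\.(lnk|exe|js|vbs|hta)\b", re.I)

def scan_html(html: str) -> dict:
    """Return found indicators and a verdict. Either half alone is common
    in benign pages (client-side export buttons), so both are required."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    hits["deceptive_filename"] = bool(DECEPTIVE_NAME.search(html))
    assembles = hits["base64_decode"] or hits["blob_construct"] or hits["large_base64_literal"]
    delivers = hits["object_url"] or hits["forced_download"] or hits["ie_save_blob"]
    return {"indicators": hits, "verdict": "suspicious" if assembles and delivers else "clean"}

# Constructed sample mimicking the page described in the text: decodes an
# embedded blob (dummy bytes here) and offers a shortcut posing as a PDF statement.
SAMPLE_SMUGGLING_PAGE = """<html><body>Loading your document...
<script>
var b64 = '""" + "QUFB" * 60 + """';
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'Statement_March.pdf.lnk';
a.click();
</script></body></html>"""

# Constructed benign page: a download attribute, but no embedded payload.
SAMPLE_BENIGN_PAGE = '<html><body><a href="/report.csv" download="report.csv">Export</a></body></html>'

if __name__ == "__main__":
    for page in (SAMPLE_SMUGGLING_PAGE, SAMPLE_BENIGN_PAGE):
        print(scan_html(page)["verdict"])  # suspicious, then clean
```

The indicator breakdown is returned alongside the verdict so an analyst can see which half (assembly or delivery) triggered and tune the rules against their own benign traffic.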