Rewterz Threat Alert – Forged Google Sites Being Used by Threat Actors to Deliver AZORult Malware – Active IOCs

Severity

High

Analysis Summary

A novel malware campaign delivering AZORult was discovered by cybersecurity researchers, which uses HTML smuggling and forged Google site pages to spread the malware commercially to steal sensitive information.

AZORult, an information stealer, also known as PuffStealer and Ruzalto, is typically spread through phishing emails, pirated software, or media having trojanized installers and malvertising. According to the cybersecurity firm, it was a widespread operation to gather private information to sell it on dark web forums. Once installed, the malware is capable of collecting data from various sources, including web browsers, screenshots, documents, and cryptocurrency wallets, including encrypted files and password databases with extensions (.TXT, .DOC, .XLS, .DOCX, . XLSX, . AXX, and .KDBX).

In the AZORult malware attack, the threat actor uses Google Sites to create phony Google Docs pages that deliver payloads to the victim’s system via HTML smuggling. HTML smuggling is a covert technique in which legitimate HTML5 and JavaScript features are misused to smuggle an encoded malicious script to assemble and release malware.

Therefore, when the victim is deceived into opening the malicious site through a phishing email, the browser decodes the code and deploys the payload on the host’s device, effectively bypassing the security controls with the help of CAPTCHA barriers that add another line of defense.

The installed file is a Windows shortcut file that masquerades itself as a PDF bank statement, launching a series of actions to execute intermediate batch and PowerShell scripts from a compromised domain. One of the PowerShell scripts fetches the AZORult loader, which downloads and executes another PowerShell script containing the stealer malware. The script uses reflective code loading, bypassing disk-based detection and minimizing artifacts. It avoids the detection by several host-based anti-malware products, such as Windows Defender, by using an AMSI bypass technique.

The malware copies an encoded payload from a compromised site rather than smuggling files inside the HTML code and uses trustworthy domains like Google to deceive the victim into believing the link is legitimate.

Impact

• Sensitive Data Theft
• Unauthorized Access
• Cryptocurrency Theft

Indicators of Compromise

Domain Name

• mayanboats.com

MD5

• 29040db8da4799d5ce8e539be9d26ef0
• de9ac539a377e4fff611ca08073eeced
• 6b530c80a77c2f1ddbc399f05ed13c59
• c0f677a29c5f71d2c7766a45ae4329cf
• c32e590f5676fdb28a61df82fa9a6603
• 2f086cbcb711ffc5597341cca9e38854
• 336ad34a55b691355c579a09e196d93d
• 7b33a1c3deb68cfc25352c8a115dc36d

SHA-256

• 97c9caaaf7d3861e30d9ff647e952e880b670c5c3dca4537c515b38438ee18ee
• 52a0ca6fec42896245bb3b6a7caa876a44779c98102c5e28781cca46bfaf2ed9
• 55e283ee275e0367328013dc835cc63338defdcf5b6fe6cd74d6ce2c46af1981
• 350dae93066ddd84327e87f2bb784dfc0b70178629afd1fae298ee1376d42450
• 380f9784f4b3db7a711f48baaa2864161ad88b66eec79521011ab8e5871c387a
• 030b3d76a054d5a48cbb595d49e7e1cbc6dfdddbccd676f9642640f0429bd8c4
• e644d5ef63786fd6b732e8837bd7ff974b6c76b06ad9629ff6bf4fccef7ee6cb
• 18a72a5f52e9da32098cb60b38a3b07e311428bb379f1f6d438031337f855d95

SHA-1

• 656776083f48bcb5e3d511fda2c8fbda7edabc0c
• 02d43cc92ce09d883e0832897f36ce038bf54534
• 49e2102f7e58a97060f102b2e32ec71b45f58486
• e3319ce3809a8a703a4ec41ef438f0264d0ee6d7
• 9d78561603992742d38b451cb4955db1766efa9e
• c504265e7f161a7ad91908cdb0ab9e70992d7ed6
• 25ddbb205e487331055d2f8a456287c900ff2db3
• 84423e34be5662534893f9726435e93ecc9f04ff

URL

• http://195.123.220.40/index.php

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.