New phishing strategies: malware evolves with Google Sites
Sophisticated cyber attack tactics: the use of Google Sites and advanced techniques in latest phishing scheme
Researchers have discovered a malware campaign that uses fake Google Sites pages to spread AZORult, an information-stealing malware. It uses advanced techniques to avoid detection, aiming to steal sensitive data.
Cybersecurity researchers have identified a sophisticated malware campaign that leverages fake Google Sites pages to distribute commercial malware known as AZORult, aimed at stealing information. This particular technique involves the malicious payload being encapsulated in a JSON file hosted on an external site. The orchestrated phishing has not been linked to a specific group, but is recognized for its wide reach and aimed at collecting sensitive data to sell on dark web forums.
Features and distribution techniques of AZORult
AZORult, also identified as PuffStealer and Ruzalto, is an information theft tool that first appeared in 2016. It is typically spread via phishing, contaminated installers of pirated software or media, and malvertising. Once installed, it is capable of stealing credentials, cookies, browser history, screenshots and documents with specific extensions, as well as data from 137 cryptocurrency wallets. Evasion techniques include loads of reflective code, minimizing traces and avoiding disk-based detection.
HTML smuggling as a vehicle for malware
The campaign uses HTML smuggling, a sophisticated tactic that abuses the legitimate functionality of HTML5 and JavaScript to assemble and launch malware, "smuggling" an encoded malicious script. When a user is tricked into opening the scam page via a phishing email, the browser decodes the script and delivers the payload to the victim's device, thus evading standard security checks that only scan suspicious attachments.
Emerging trends and recent case studies
This tactic also takes advantage of a CAPTCHA obstacle to add a veil of legitimacy and protect yourself from URL scanners. Recent findings highlight the use of malicious SVG files to spread other malware families, such as Agent Tesla and XWorm, with the help of open-source programs that facilitate the creation of bootleg HTML or SVG files. Phishing campaigns have also been noted using LNK files within archives to propagate LokiBot, a malware similar to AZORult in its data collection capabilities.
Follow us on Instagram for more pills like this03/18/2024 13:06
Marco Verro