Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites

Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites

March 18, 2024 at 08:45AM

A new malware campaign using bogus Google Sites and HTML smuggling to distribute the AZORult malware for information theft has been discovered by cybersecurity researchers. The campaign employs stealthy tactics to bypass security controls, with findings revealing similar techniques used in recent phishing campaigns to disseminate other malware like Agent Tesla and LokiBot.

Based on the provided meeting notes, the following key takeaways can be summarized:

– Cybersecurity researchers have uncovered a new malware campaign utilizing HTML smuggling and rogue Google Sites to distribute a commercial malware known as AZORult, designed to steal sensitive information and credentials from compromised devices.
– The phishing campaign, which has not been attributed to a specific threat actor or group, is described as widespread and aims to collect and sell sensitive data in underground forums.
– The AZORult malware, also referred to as PuffStealer and Ruzalto, was first detected around 2016 and is typically distributed through phishing, malspam campaigns, trojanized installers, and malvertising.
– The latest attack activity involves the creation of counterfeit Google Docs pages on Google Sites, leveraging HTML smuggling to deliver the malicious payload, and utilizing a disguised CAPTCHA barrier for added protection against URL scanners.
– The malware campaign employs a shortcut file masquerading as a PDF bank statement to initiate a series of actions, ultimately deploying the AZORult infostealer through PowerShell scripts, reflective code loading, and AMSI bypass techniques.
– Other observed malicious activities include the use of malicious SVG files, archive files, and malicious shortcut files in phishing campaigns targeting users, with specific instances of targeting Latin American users through impersonation of Colombian government agencies to distribute remote access trojans like AsyncRAT, njRAT, and Remcos.

This summary highlights the evolving tactics of threat actors in disseminating malware and underscores the importance of heightened vigilance and robust cybersecurity measures to safeguard against such attacks.

Full Article