Azorult Malware Exploits Google Sites for Login Info Theft

1 min read


– Azorult malware campaign uses HTML smuggling via Google Sites to steal login credentials.

– Attackers deliver malicious JSON payload from an external website using reflective code loading and AMSI bypass.

A new evasive Azorult campaign has been identified that utilizes HTML smuggling to deliver a malicious JSON payload from an external website. This campaign targets the healthcare industry and aims to steal sensitive information, including login credentials, crypto wallet data, and browser information. The attackers exploit Google Sites for HTML smuggling attacks, embedding a base64-encoded payload within a separate JSON file hosted on a different domain. When victims visit the website, the malicious payload is downloaded onto their browsers without their knowledge. Reflective code loading and an AMSI bypass are used to evade detection by antivirus software. The Azorult malware, a .NET infostealer, steals sensitive user data such as credentials, browser data, and crypto wallet information. The stolen data is encrypted using Curve25519 cryptography and exfiltrated to the command and control server via HTTP. Sensitive documents are targeted based on file extensions and keywords, and the data is compressed, encrypted, and transmitted securely to the attacker. Overall, this campaign demonstrates the sophisticated techniques used by attackers to steal valuable information from their victims.

Previous Story

US EPA forms task force to safeguard water systems from cyberattacks

Next Story

UK’s cyber defenses struggle, more victims of attacks arise

Latest from News

US sanctions Kaspersky Lab for Russia ties

TLDR: The Biden administration announced sanctions against 12 executives and senior leaders of Kaspersky Lab, a Russia-based cybersecurity company. The Commerce Department banned Kaspersky