New Malware Campaign Discovered Using Google Sites and HTML Smuggling

Cybersecurity researchers have discovered a new malware campaign that uses Google Sites pages and HTML smuggling to distribute AZORult, a data-stealing malware; the campaign has not been attributed to a specific threat actor. The article also covers the importance of API security in modern digital environments.

At a glance

  • Cybersecurity researchers uncover new malware campaigns using bogus Google Sites pages.
  • AZORult malware is an information stealer distributed through phishing and malvertising.
  • The latest attack involves counterfeit Google Docs pages using HTML smuggling.
  • Threat actors also disseminating Agent Tesla and XWorm through malicious SVG files.
  • API security plays a crucial role in digital modernization, with the financial sector being a primary target.

The details

Cybersecurity researchers have recently uncovered a new malware campaign that utilizes bogus Google Sites pages and HTML smuggling to distribute the AZORult malware.

This phishing campaign has not been linked to any specific threat actor or group.

AZORult is an information stealer that was first identified in 2016 and is commonly distributed through phishing, malspam campaigns, trojanized installers, and malvertising.

It is capable of extracting credentials, cookies, browsing history, screenshots, and data from cryptocurrency wallets.

The latest attack involves the creation of counterfeit Google Docs pages on Google Sites using HTML smuggling to deliver the payload.

HTML smuggling is a technique that leverages legitimate HTML5 and JavaScript features to launch malware.
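The browser-side features the paragraph refers to leave recognisable traces in an HTML file. The following scanner is an added example for this summary, not code from the article or from the researchers it cites: it scores an HTML document by how many of the typical smuggling building blocks co-occur (base64 decoding, a `Blob`, an object URL, a `download` attribute, a programmatic click, a long embedded base64 literal). The indicator list, the threshold and both samples are this example's own assumptions; the "suspicious" sample carries only a placeholder string, not a real file, and the filename mirrors the bank-statement lure the article describes.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators (assumption of this example, not from the article): the
# HTML5/JavaScript APIs an HTML smuggling page strings together to decode an
# embedded payload, wrap it in a Blob and push it to the user as a file download.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_constructor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bURL\.createObjectURL\s*\("),
    "download_attribute": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)"),
    "legacy_mssave": re.compile(r"\bmsSaveOrOpenBlob\b"),
}
# A long base64-looking string literal is where the embedded file usually lives.
LONG_BASE64_LITERAL = re.compile(r"[\"'][A-Za-z0-9+/=]{200,}[\"']")


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)
    suspicious: bool = False


def scan_html(text: str, threshold: int = 3) -> Verdict:
    """Score an HTML document by how many smuggling indicators co-occur.

    A single hit (a plain download link, a base64 image) is normal web content;
    the combination is what makes the page worth quarantining for analysis.
    """
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if LONG_BASE64_LITERAL.search(text):
        hits.append("long_base64_literal")
    return Verdict(score=len(hits), hits=hits, suspicious=len(hits) >= threshold)


# Constructed samples for the scanner. The "suspicious" one embeds only a
# placeholder of repeated "QUJD" (base64 for "ABC"), not a real payload.
BENIGN_SAMPLE = """<html><body>
<p>Your statement is ready.</p>
<a href="/statements/2024-03.pdf" download="statement.pdf">Download PDF</a>
</body></html>"""

SUSPICIOUS_SAMPLE = """<html><body><script>
  // constructed indicator sample, placeholder data only
  var raw = atob("%s");
  var blob = new Blob([raw], {type: "application/octet-stream"});
  var link = document.createElement("a");
  link.href = URL.createObjectURL(blob);
  link.download = "statement.pdf.lnk";
  link.click();
</script></body></html>""" % ("QUJD" * 60)


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        v = scan_html(sample)
        print(f"{name}: score={v.score} suspicious={v.suspicious} hits={v.hits}")
```

Run over mail-gateway attachments or proxy-captured HTML, a score at or above the threshold is a reason to detonate the file in a sandbox rather than a verdict on its own; the article's note that the campaign now sits behind a CAPTCHA is exactly why static checks on the delivered HTML matter when URL scanners cannot reach the page.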

To enhance protection against URL scanners, the AZORult campaign now incorporates a CAPTCHA barrier.

The malicious payload is disguised as a Windows shortcut file masquerading as a PDF bank statement.

PowerShell scripts are used to retrieve and run the AZORult loader and stealer malware.

Threat actors have employed reflective code loading and AMSI bypass techniques to evade detection.

In addition to the AZORult campaign, threat actors have also been observed disseminating Agent Tesla and XWorm through malicious SVG files.

Phishing campaigns have utilized shortcut files to propagate LokiBot, while malicious shortcut files have been identified as deploying AutoIt-based malware.

Specifically targeting users in Latin America, cybercriminals are sending booby-trapped emails impersonating Colombian government agencies.

Turning to API security: APIs play a pivotal role in digital modernization by facilitating data exchange between applications and databases.

In 2023, the majority of internet traffic (71%) comprised API calls, with the average enterprise site experiencing 1.5 billion API calls.

Even so, APIs are frequently rushed into production without proper cataloging, authentication, or auditing.

Organizations, on average, maintain 613 API endpoints in production, making them a prime target for cybercriminals due to their direct access to sensitive data.

The financial sector, particularly banking and online retail, reported the highest volumes of API calls in 2023. Financial services were also the primary target of API-related attacks during this period.

Account takeover (ATO) attacks aimed at API endpoints accounted for nearly half (45.8%) of all ATO attacks in 2023. These attacks can lock customers out of their accounts, compromise sensitive data, lead to revenue loss, and elevate non-compliance risks.

Global businesses suffer annual losses of up to $75 billion due to API-related security incidents.

Approximately one in ten APIs is vulnerable to attack due to incorrect deprecation, inadequate monitoring, or insufficient authentication controls.

Imperva has identified three common types of mismanaged API endpoints: shadow, deprecated, and unauthenticated APIs.

To mitigate security risks, organizations are advised to conduct regular audits to identify unmonitored or unauthenticated API endpoints and implement continuous monitoring to detect exploitation attempts.

Developers should prioritize regularly updating and upgrading APIs to replace deprecated endpoints with more secure alternatives.
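The three mismanaged categories named above (shadow, deprecated, unauthenticated) and the audit the article recommends can be turned into a concrete check: compare the endpoint inventory a team actually maintains against what the API gateway saw serve traffic. The script below is an added example written for this summary, not Imperva's tooling or code from the article. The catalogue, the access-log lines, the `{id}` path-template convention and the `auth_header` field are all constructed assumptions; a real run would read the OpenAPI inventory and the gateway's own log format.

```python
import json
import re
from collections import Counter

# Constructed API catalogue: what an organisation's endpoint inventory (for
# example, generated from OpenAPI specs) might record per route.
# Keys are (method, path template); "auth" is the expected scheme.
CATALOG = {
    ("GET", "/v2/accounts/{id}"): {"auth": "bearer", "deprecated": False},
    ("GET", "/v1/accounts/{id}"): {"auth": "bearer", "deprecated": True},
    ("POST", "/v2/login"):        {"auth": "none",   "deprecated": False},
    ("GET", "/v2/health"):        {"auth": "none",   "deprecated": False},
}

# Constructed gateway access log, one JSON object per line (sample data, not
# real traffic). "auth_header" records whether the request carried credentials.
ACCESS_LOG = """\
{"method": "GET", "path": "/v2/accounts/8812", "status": 200, "auth_header": true}
{"method": "GET", "path": "/v1/accounts/8812", "status": 200, "auth_header": true}
{"method": "GET", "path": "/v2/accounts/4410", "status": 200, "auth_header": false}
{"method": "GET", "path": "/v2/accounts/4411", "status": 401, "auth_header": false}
{"method": "GET", "path": "/internal/export/users", "status": 200, "auth_header": false}
{"method": "POST", "path": "/v2/login", "status": 200, "auth_header": false}
{"method": "GET", "path": "/v2/health", "status": 200, "auth_header": false}
{"method": "DELETE", "path": "/v2/accounts/8812", "status": 403, "auth_header": true}
{"method": "GET", "path": "/v2/nothing-here", "status": 404, "auth_header": false}
"""

NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def to_template(path: str) -> str:
    """Collapse numeric path segments so /v2/accounts/8812 matches /v2/accounts/{id}."""
    return NUMERIC_SEGMENT.sub("/{id}", path)


def audit(log_text: str, catalog=CATALOG) -> dict:
    """Classify observed traffic into the three mismanaged-endpoint categories.

    shadow          - a route answered requests but is absent from the catalogue
    deprecated      - a route the catalogue marks deprecated still receives traffic
    unauthenticated - a route that should require credentials returned 2xx without any
    """
    findings = {"shadow": Counter(), "deprecated": Counter(), "unauthenticated": Counter()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        key = (rec["method"], to_template(rec["path"]))
        label = f"{key[0]} {key[1]}"
        if rec["status"] == 404:
            continue  # nothing lives on that route; not evidence of a live endpoint
        entry = catalog.get(key)
        if entry is None:
            findings["shadow"][label] += 1
            continue
        if entry["deprecated"]:
            findings["deprecated"][label] += 1
        served_ok = 200 <= rec["status"] < 300
        if entry["auth"] != "none" and not rec["auth_header"] and served_ok:
            findings["unauthenticated"][label] += 1
    return {name: dict(counter) for name, counter in findings.items()}


if __name__ == "__main__":
    print(json.dumps(audit(ACCESS_LOG), indent=2))
```

Two design points matter for the "unauthenticated" bucket: a 401 on a request without credentials is the control working and is deliberately not flagged, while a 2xx on such a request is the actual defect. Feeding this the gateway's daily log as a scheduled job is the continuous-monitoring step the article describes, and the "deprecated" counts tell developers which old versions still have consumers before they are switched off.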

Imperva offers recommendations to enhance API security practices for organizations seeking to bolster their API security posture.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

securityweek.com
– Cybersecurity researchers have discovered a new malware campaign using bogus Google Sites pages and HTML smuggling to distribute AZORult malware
– The phishing campaign has not been attributed to a specific threat actor or group
– AZORult is an information stealer first detected in 2016, distributed via phishing, malspam campaigns, trojanized installers, and malvertising
– AZORult can gather credentials, cookies, history from web browsers, screenshots, and data from cryptocurrency wallets
– The latest attack involves creating counterfeit Google Docs pages on Google Sites using HTML smuggling to deliver the payload
– HTML smuggling is a technique using legitimate HTML5 and JavaScript features to launch malware
– The AZORult campaign adds a CAPTCHA barrier for additional protection against URL scanners
– The downloaded file is a Windows shortcut file masquerading as a PDF bank statement
– PowerShell scripts are used to fetch and execute the AZORult loader and stealer malware
– The campaign uses reflective code loading and AMSI bypass technique to evade detection
– Threat actors have used malicious SVG files to disseminate Agent Tesla and XWorm
– Phishing campaigns have been observed using shortcut files to propagate LokiBot
– Malicious shortcut files have been found to deploy AutoIt-based malware
– Users in Latin America are being targeted with booby-trapped emails impersonating Colombian government agencies
thehackernews.com
– APIs are the connective tissue behind digital modernization, facilitating data exchange between applications and databases
– The majority of internet traffic in 2023 (71%) was API calls
– A typical enterprise site saw an average of 1.5 billion API calls in 2023
– Despite best efforts, APIs are often pushed into production before being cataloged, authenticated, or audited
– Organizations have an average of 613 API endpoints in production
– APIs are a common attack vector for cybercriminals due to their direct access to sensitive data
– API-related security incidents cost global businesses up to $75 billion annually
– Banking and online retail reported the highest volumes of API calls in 2023
– Financial services, including banking, were the leading target of API-related attacks in 2023
– Account takeover (ATO) attacks targeting API endpoints accounted for nearly half (45.8%) of all ATO attacks in 2023
– ATO attacks can lock customers out of their accounts, provide criminals with sensitive data, contribute to revenue loss, and increase non-compliance risk
– Nearly one out of every 10 APIs is vulnerable to attack due to incorrect deprecation, lack of monitoring, or insufficient authentication controls
– Imperva identified three common types of mismanaged API endpoints: shadow, deprecated, and unauthenticated APIs
– Regular audits to identify unmonitored or unauthenticated API endpoints are recommended to mitigate security risks
– Continuous monitoring can help detect attempts to exploit vulnerabilities associated with API endpoints
– Developers should regularly update and upgrade APIs to replace deprecated endpoints with more secure alternatives
– Imperva offers recommendations to help organizations improve their API security posture
