silversurfer (Super Moderator, Thread author, Staff Member) - Aug 17, 2014
Popular trojan is sneaking its way onto PCs via malspam campaign that uses three levels of encryption to sneak past cyber defenses.
A recent wave of AZORult-laced spam caught the attention of researchers who warn that malicious attachments associated with the campaign are using a novel obfuscation technique, in an attempt to slip past spam gateways and avoid client-side antivirus detection.
What makes this campaign unique is the use by threat actors of a triple-encrypted AZORult downloader being pushed by the otherwise nondescript malspam assault. AZORult is a remote access trojan popular on Russian forums and most recently spotted last month in a spam campaign perpetrated by a hacker with an affinity toward singer-songwriter Drake.
The malware-laced messages are “fairly uninteresting” and consist of a standard phishing hook, according to researcher Jan Kopriva, contributing to the Internet Storm Center blog. However, he added, the attacker’s use of three layers of encryption could present a challenge for signature and heuristics-based detection tools.
“Distributed as an attachment of a run-of-the-mill malspam message, the file with a DOC extension didn’t look like anything special at first glance. However, although it does use macros as one might expect, in the end, it turned out not to be the usual simple maldoc,” Kopriva wrote.
The infection chain starts with a typical phishing email asking for a “product list for January purchase,” for example. Attached to the email is what appears to be a Microsoft Office Word document (DOC); however, the file type is actually a Rich Text File (RTF).
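The extension/content mismatch described above (a `.doc` attachment that is really RTF) is something a mail gateway or triage script can flag cheaply by reading the file's leading bytes instead of trusting the name. The following is an added example, not code from the original post or from the researchers it quotes; the signature table, the expected-format mapping and the sample attachments are all constructed here for illustration.

```python
import os

# Magic-byte prefixes for the container formats the article contrasts.
# Constructed lookup table for this example (these are the well-known
# file headers, but the table itself is not from the original post).
SIGNATURES = {
    b"{\\rtf": "rtf",                                # Rich Text Format
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "ole2",    # legacy binary .doc/.xls container
    b"PK\x03\x04": "zip",                            # OOXML (.docx/.xlsx) is a zip archive
}

# What each extension is *allowed* to contain. A .doc may legitimately be
# an OLE2 file; an RTF body behind a .doc name is the case described above.
EXPECTED = {
    ".doc": {"ole2"},
    ".docx": {"zip"},
    ".rtf": {"rtf"},
}


def sniff_format(data: bytes) -> str:
    """Return the container format implied by the leading bytes, or 'unknown'."""
    head = data[:8]
    for magic, name in SIGNATURES.items():
        if head.startswith(magic):
            return name
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the extension's expected container with what the bytes say.

    mismatch is only raised for extensions we have an expectation for;
    unknown extensions are reported but not flagged.
    """
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff_format(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and actual not in expected
    return {
        "filename": filename,
        "extension": ext,
        "actual_format": actual,
        "mismatch": mismatch,
    }


# Constructed sample attachments (not real malware, just headers + filler).
SAMPLES = {
    "product_list_january.doc": b"{\\rtf1\\ansi\\deff0 {\\fonttbl ...} filler}",
    "quarterly_report.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24,
    "invoice.docx": b"PK\x03\x04" + b"\x14\x00" * 8,
    "notes.txt": b"just some text",
}


def flagged_attachments(samples: dict = SAMPLES) -> list:
    """Return the names of attachments whose bytes contradict their extension."""
    return [
        name
        for name, data in samples.items()
        if check_attachment(name, data)["mismatch"]
    ]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = check_attachment(name, data)
        status = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{name:28s} ext={result['extension']:6s} "
              f"bytes={result['actual_format']:8s} {status}")
```

A check like this is deliberately narrow: it says nothing about what the RTF contains, only that the name and the bytes disagree, which is exactly the signal a gateway can act on before any macro or payload analysis runs. Extend the `SIGNATURES` and `EXPECTED` tables for the document types your environment actually exchanges.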