Author: Christopher Kim
From 3 to 4 November, Infoblox observed fashion and beauty-themed malicious spam (malspam) campaigns that delivered AZORult information stealer (infostealer) via Microsoft Excel spreadsheets (XLS) with malicious macros. These spreadsheets used living off the land (LotL) techniques that abused preexisting software on the victim’s machine in order to perform malicious tasks.
The cybersecurity community first discovered AZORult infostealer in 2016.[1] The malware is often bought and sold in Russian dark web forums due to its data-stealing capabilities, which include the following:
- System information (e.g. system language, operating system version, user name and computer name)
- Bitcoin wallets
- Chat software message history
- Email and banking credentials
- Account information from file management software (e.g. FTP clients)
- Browser passwords, cookies and history
AZORult can also serve as a trojan downloader for other malware payloads.[2] Some versions of AZORult can even establish Remote Desktop Protocol (RDP) connections that allow the attacker to take complete control of the infected system.[3]
Earlier this year, malware campaigns used Coronavirus-themed lures to distribute this infostealer.[4]
The campaigns we observed used fashion and beauty-themed lures with subject lines referencing design patterns. These campaigns also used spoofed email addresses to impersonate legitimate manufacturing businesses based in Portugal and Spain, including health and beauty supplier Mundinter as well as fashion manufacturer Dario Beltran. The email template used for the spoofed Mundinter emails was notably similar to a template used by a recent Agent Tesla campaign.[5] This type of similarity often occurs when different threat actors hire the same botnet to distribute malspam for both of their campaigns.
The emails contained brief and generic messages that encouraged recipients to open the malicious attachment (FEBEL_List.xls or Patterns.xls) and reply for pricing information.
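As an added illustration of how a mail gateway could flag the attachment pattern described above (a legacy .xls workbook carrying VBA macros, delivered under one of the reported lure filenames), the following Python script is example code written for this page; it is not Infoblox tooling and does not come from the report. It parses an email, pulls out attachments, and applies three cheap heuristics: the filename matches one of the two names reported for this campaign, the attachment starts with the OLE2 compound-file signature that legacy Excel binaries use, and the bytes contain the UTF-16LE-encoded `_VBA_PROJECT` storage name under which Office stores macro code. The sample messages and the "workbook" blobs are constructed inline so the script runs offline; the blobs have only enough structure to exercise the checks and are not real spreadsheets. The sender addresses are placeholders, not the spoofed addresses from the campaign.

```python
"""Heuristic attachment check for macro-bearing legacy .xls lures (example code)."""
import email
from email import policy
from email.message import EmailMessage

# OLE2 compound-file signature; legacy .xls (BIFF8) workbooks begin with these bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Storage that holds VBA code in legacy Office binaries. OLE directory entries store
# names as UTF-16LE, so the marker is searched for in that encoding.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Attachment names reported for this campaign (compared case-insensitively).
KNOWN_LURE_NAMES = {"febel_list.xls", "patterns.xls"}


def attachment_findings(name, data):
    """Return a list of finding labels for one attachment (empty if nothing notable)."""
    findings = []
    lname = (name or "").lower()
    if lname in KNOWN_LURE_NAMES:
        findings.append("known-lure-filename")
    is_ole = data.startswith(OLE_MAGIC)
    if is_ole:
        findings.append("ole2-container")
        if VBA_MARKER in data:
            findings.append("vba-macro-storage")
    elif lname.endswith((".xls", ".xlt", ".xla")):
        # Excel extension but not an OLE file: disguised content, worth a look.
        findings.append("xls-extension-without-ole-header")
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message and return [(filename, findings), ...]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        findings = attachment_findings(name, payload)
        if findings:
            results.append((name, findings))
    return results


def build_sample_message(attachment_name, attachment_bytes):
    """Constructed sample modelled on the described lure; not a captured email."""
    msg = EmailMessage()
    msg["From"] = "sales@supplier.example"      # placeholder sender
    msg["To"] = "buyer@recipient.example"       # placeholder recipient
    msg["Subject"] = "New design patterns"
    msg.set_content("Please see the attached list and reply for pricing.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="vnd.ms-excel", filename=attachment_name)
    return msg.as_bytes()


# Constructed blobs: the OLE signature followed by padding, with or without the VBA
# storage name. They are test fixtures, not real workbooks.
FAKE_MACRO_XLS = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 16
FAKE_PLAIN_XLS = OLE_MAGIC + b"\x00" * 96

if __name__ == "__main__":
    for fname, blob in [("Patterns.xls", FAKE_MACRO_XLS), ("report.xls", FAKE_PLAIN_XLS)]:
        print(fname, scan_message(build_sample_message(fname, blob)))
```

The VBA-marker check is a quick triage signal, not a parser: a proper OLE walk (for example with oletools) is the right tool for confirmation, and the filename list only catches this specific campaign, so the structural checks are the ones worth keeping in a gateway rule.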
Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.