Phishing emails are received by victims which have subject lines reading, “DHL Please receive your package,” “DHL Express Shipping Info,” “DHL shipping notification” and “Update Information Delivery DHL.” Within the emails is a compressed archive containing executable scripts. Once the archive has been opened by the unsuspecting user, the AZORult variant downloads and runs accordingly. Once it begins, the variant can steal accounts and other credentials from the victim’s web browser. Two servers are contacted, googodsgld[.]com and driverconnectsearch[.]info in request of other commands. This is a resemblance of Brushloader threats which is a dropper/loader written is VBScript. At this time, the variant has only been seen targeting Italian organizations and networks.
Analyst Notes
When a message from an unknown sender arrives, it is important to look at what the email is requesting. If it asks for personal information, has a suspicious address, is poorly written, has an unlabeled attachment, or has a demanding message, it would be on the safe side to verify the legitimacy of the email. If it is determined that the email is a part of a phishing attack, no attachments should be opened and the message should be deleted immediately.
