Specially-crafted ‘DHL express courier’ emails leveraged to distribute a variant of AZORult trojan

• The attack campaign is used against numerous Italian organizations and network users.
• The email comes attached with a compressed archive that contains dangerous executable scripts.

A new attack campaign that leverages fraudulent ‘DHL express courier’ emails to propagate a variant of AZORult trojan, has been spotted recently. The attack campaign is used against numerous Italian organizations and network users.

Modus Operandi

According to Cybaze-Yori ZLAB, the victims are sent phishing emails that go with subject lines such as ‘DHL Please receive your package’, ‘DHL Express Shipping Info’, ‘DHL shipping notification’ and ‘Update Information Delivery DHL’.

“Hereby Yoroi wishes to inform you about an ongoing attack campaign against numerous Italian organizations and network users. The attacks are manifested by fraudulent emails that simulate communications from the 'DHL express courier',” said Cybaze-Yori ZLAB in a blog post.

These emails come attached with a compressed archive that contains dangerous executable scripts. Once the malicious archive is opened by a targeted user, it downloads and runs a dangerous variant of the AZORult trojan.

Capabilities

After execution, the malware is capable of performing various nefarious activities such as stealing credentials and accounts saved in the web browser and mail clients in use. Apart from this, it also installs additional malicious payloads in the later stages of the attack.

It contacts two distinct servers, googodsgld[.]com and driverconnectsearch[.]info to receive further commands. The kind of behavior exhibited by the variant of AZORult is similar to that of Brushloader threat, a known dropper/stager written in VBScript. The dropper also contacts its remote infrastructures in a similar fashion.