Azorult

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Type: Stealer
Origin: ex-USSR
First seen: 1 January, 2016
Last seen: 26 January, 2023
Also known as: PuffStealer, Rultazo
Global rank: 14
Week rank: 31
Month rank: 32
IOCs: 70961

What is AZORult malware?

AZORult is an information stealer malware aimed at harvesting credentials and accounts. Updated multiple times over the years, AZORult continues to be an active concern for users, stealing information such as banking passwords, credit card details, browser histories, and even cryptocurrency.

AZORult stealer was discovered, analyzed, and documented for the first time on July 26, 2016, by Proofpoint researchers. At the time, the virus was distributed together with another trojan called Chthonic. However, subsequent spam email campaigns started distributing AZORult as the main payload, with Hermes and Aurora ransomware added as additional payloads. A new strain of the stealer Trojan was documented in July 2018. The analysis revealed that it brought several upgrades to the functions of both the stealer and the loader, and additionally allowed AZORult to be distributed with the RIG exploit kit. The latest recorded version of the malware is v3.3. This strain was first documented in October 2018. Most notably, it changed the way the C&C domain string is encrypted and improved the cryptocurrency-stealing function.

General description of AZORult malware

AZORult is a trojan-type malware that originated in one of the ex-USSR countries. The spyware searches for useful information on the affected computer and sends it to the C2 server, potentially allowing the victim's bank account data to be stolen. AZORult can steal cookies, browser autofill information, desktop files, chat history, and more.

Interestingly, in some cases the virus requires secondary malware such as HawkEye or Seamless to get onto a machine. Notably, in campaigns with Hermes and Aurora, once every bit of useful data has been obtained, user files are encrypted and a ransom is requested to restore the lost data.

One of the interesting features of AZORult is that after execution the malware is removed from the system, since it has no persistence mechanism.

Malware analysis of AZORult

ANY.RUN displays the execution process of AZORult in an interactive virtual environment. As shown by the sandbox simulation, the virus launches the following chain of processes during its execution:

  • Firstly, a Microsoft Office file is opened, and WINWORD.EXE is executed with macros enabled;
  • The malware runs EQNEDT32.EXE and downloads a malicious executable by exploiting CVE-2017-11882, the Microsoft Office Equation Editor vulnerability;
  • A kendriknk8523.exe file is then launched, which after a sleep creates a child process with the same name;
  • The child process then proceeds to steal personal data and connect to the C&C server.
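The process chain above can be turned into a detection. The following is an added example, not ANY.RUN code, that walks constructed Sysmon-style process-creation events (pid, ppid, image) and reports any child spawned by EQNEDT32.EXE, escalating when that child launches a process with its own image name, as kendriknk8523.exe does in the sandbox run:

```python
from collections import defaultdict

EQUATION_EDITOR = "EQNEDT32.EXE"   # Equation Editor abused via CVE-2017-11882


def image_name(path):
    """Reduce a full image path to its upper-case file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def find_eqnedt32_chains(events):
    """Return one finding per child process launched by EQNEDT32.EXE.

    The Equation Editor has no legitimate reason to spawn processes, so any
    child is reported; a finding is escalated to "high" when that child in
    turn launches a process with the same image name, the pattern the AZORult
    dropper showed. Keying on EQNEDT32.EXE's children rather than its parent
    matters because Windows commonly starts it through DCOM (svchost.exe)
    rather than directly under WINWORD.EXE.
    """
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)

    findings = []
    for eqn in events:
        if image_name(eqn["image"]) != EQUATION_EDITOR:
            continue
        for dropped in children[eqn["pid"]]:
            name = image_name(dropped["image"])
            clones = [c["pid"] for c in children[dropped["pid"]]
                      if image_name(c["image"]) == name]
            findings.append({
                "eqnedt32_pid": eqn["pid"],
                "dropped": name,
                "dropped_pid": dropped["pid"],
                "same_name_children": clones,
                "severity": "high" if clones else "medium",
            })
    return findings


# Constructed sample events mirroring the process tree described on the page.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\admin\AppData\Local\Temp\kendriknk8523.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\admin\AppData\Local\Temp\kendriknk8523.exe"},
    {"pid": 600, "ppid": 200, "image": r"C:\Windows\splwow64.exe"},  # benign Office child, not flagged
]

if __name__ == "__main__":
    for finding in find_eqnedt32_chains(SAMPLE_EVENTS):
        print(finding)
```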

The execution process of AZORult can be viewed in more detail in the video provided by ANY.RUN sandbox.

Figure 1: Life cycle of the malware. Process tree generated by ANY.RUN

How to avoid infection by AZORult?

AZORult is distributed mainly using spam email campaigns or via the RIG exploit kit. Notably, a major AZORult distribution campaign was observed on July 18, 2018, targeting North America.

Spam emails that the attackers sent carried largely employment-related subjects and included an infected and password-protected resume file that triggered the download of the virus.

AZORult malware execution process

Figure 2: A text report generated by ANY.RUN

AZORult stealer uses a clever technique to evade various antivirus engines. In particular, the version of the stealer Trojan distributed in the July 2018 spam campaign was activated only after a password-protected document was unlocked. Because the document attached to the email was password-protected, antivirus engines could not scan it and determine whether it was malicious. For the virus to become active, the victim had to unlock the document and enable macros. In this particular campaign, the malware was distributed with two payloads embedded in the main binary. Both payloads were dropped to disk and executed: the first executable payload was the information gatherer, AZORult itself, and the second was ransomware.

It should be noted that in the ANY.RUN simulation cited above, AZORult uses an exploit triggered when the Microsoft Office file is opened. The exploit allows several malicious OLE objects to be embedded in a document, arbitrary code to be executed on the machine, and even arbitrary files to be downloaded from a remote server and executed.

How to share your AZORult malware analysis with others?

If you want to share your virus analysis with others, you can create a text report and send it to anyone you want. Just click the "Text report" button. You can save it using the printer icon in the upper-right corner of the report, or using your browser's "Save page as..." or "Print..." functions. You can also download or share other malware investigations, for example Adwind or Remcos. Note that when using the "Print..." button you can choose which sections of the report to print or save to a file by ticking the "Add for printing" checkbox on the right side of each section. In the illustration below, the second section won't be included in the report.

Figure 3: Text report

Conclusion

AZORult remains a hazardous trojan. The stealer Trojan has been upgraded throughout its lifespan and currently poses even more danger than it did in its early days. In particular, the most recent versions of AZORult are distributed bundled with ransomware and can steal cryptocurrency from victims.

AZORult's distribution through clever email campaigns makes it relatively easy to become a victim of the stealer Trojan by accident. Interactive sandbox analysis provided by services like ANY.RUN is a good way to learn more about the threat and strengthen defenses against it.

IOCs

