Azorult

AZORult is an information stealer malware that is targeted at stealing credentials and accounts. Updated multiple times over the years, AZORult continues to be an active concern for users, stealing information such as banking passwords, credit card details, browser histories, and even cryptocurrency.

  • Type
    Stealer
  • Origin
    ex-USSR
  • First seen
    1 January, 2016
  • Last seen
    22 November, 2019
  • Global rank
    9
  • Week rank
    14
  • Month rank
    15
  • IOCs
    4793

What is AZORult malware?

AZORult was first discovered, analyzed and documented on July 26, 2016, by Proofpoint researchers. At the time, the virus was distributed together with another trojan called Chthonic. However, subsequent spam email campaigns started distributing AZORult as the main payload, with the Hermes and Aurora ransomware added as additional payloads. A new strain of the stealer Trojan was documented in July 2018. The analysis revealed that it brought several upgrades to the functionality of both the stealer and the loader of the virus, and additionally allowed AZORult to be distributed with the RIG exploit kit. The latest recorded version of the malware is v3.3; this strain was first documented in October 2018. Most notably, this strain changed the way the C&C domain string is encrypted and improved the crypto-stealing functionality.

General description of AZORult

A trojan-type malware that originated in one of the ex-USSR countries, AZORult searches for useful information on the affected computer and sends it to the C2 server, potentially exposing the victim's bank account data. AZORult can steal cookies, browser autofill information, desktop files, chat history and more.

Interestingly, to get onto a machine the virus in some cases requires secondary malware such as HawkEye or Seamless. Notably, in campaigns with Hermes and Aurora, after every bit of useful data has been obtained, user files are encrypted and a ransom is requested to restore them.

One of the interesting features of AZORult is that, after execution, the malware is removed from the system, as it has no persistence mechanism.

Malware analysis of AZORult

ANY.RUN displays the execution process of AZORult in an interactive virtual environment. As shown by the sandbox simulation, the virus launches the following processes during its execution:

  • First, a Microsoft Office file is opened and WINWORD.EXE is executed with macros enabled;
  • The malware runs EQNEDT32.EXE and downloads a malicious executable by exploiting the CVE-2017-11882 Microsoft Office Equation Editor vulnerability;
  • A file named 3.exe is then launched, which changes the autorun value in the registry: the malicious executable modifies the registry so that the system runs it at startup;
  • The malicious executable launches itself, then proceeds to steal personal data and connect to the C&C server;
  • Finally, the malicious executable starts cmd.exe to delete itself after a 3-second timeout.
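As an added example (not ANY.RUN's code), here is the detection logic a SOC analyst could run over process-creation telemetry to flag the chain just described: Equation Editor spawning a child process after being started by an Office application, and cmd.exe deleting its parent's executable after a delay. The ProcEvent fields, the rule names and the sample paths and command lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable base name
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# A delay (timeout/ping) followed by del: the delayed self-delete idiom.
SELF_DELETE = re.compile(r"\b(timeout|ping)\b.*\bdel\b", re.IGNORECASE)


def detect_azorult_chain(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings:
    eqnedt32-child - Equation Editor, started by an Office app, spawned a
                     process (the CVE-2017-11882 exploitation pattern);
    self-delete    - cmd.exe deletes its parent's executable after a delay."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if parent.image.lower() == "eqnedt32.exe":
            grandparent = by_pid.get(parent.ppid)
            if grandparent and grandparent.image.lower() in OFFICE_APPS:
                findings.append(("eqnedt32-child", e.pid))
        if (e.image.lower() == "cmd.exe" and SELF_DELETE.search(e.cmdline)
                and parent.image.lower() in e.cmdline.lower()):
            findings.append(("self-delete", e.pid))
    return findings


# Constructed sample events modelled on the chain above; paths and command lines are assumptions.
DROPPED = r"C:\Users\user\AppData\Local\Temp\3.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "WINWORD.EXE", '"WINWORD.EXE" /n resume.doc'),
    ProcEvent(300, 200, "EQNEDT32.EXE", '"EQNEDT32.EXE" -Embedding'),
    ProcEvent(400, 300, "3.exe", DROPPED),          # dropped by the exploit
    ProcEvent(500, 400, "3.exe", DROPPED),          # relaunches itself
    ProcEvent(600, 500, "cmd.exe", f'cmd.exe /c timeout 3 > nul & del "{DROPPED}"'),
]
```

A benign Equation Editor launch (Office app starts EQNEDT32.EXE, which spawns nothing) produces no finding, so the rule keys on the child process rather than on EQNEDT32.EXE itself.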

The execution process of AZORult can be viewed in more detail in the video provided by ANY.RUN.

Figure 1: Illustrates the life cycle of malware. Graph generated by ANY.RUN

How to avoid infection by AZORult?

AZORult is distributed mainly through spam email campaigns or via the RIG exploit kit. Notably, a major AZORult distribution campaign was observed on July 18, 2018, targeting North America.

Spam emails sent by the attackers carried largely employment-related subjects and included an infected, password-protected resume file that triggered the download of the virus.

AZORult execution process

Below is an illustration of the execution process created by the ANY.RUN interactive malware hunting service.

Figure 2. AZORult execution process in ANY.RUN

Figure 3: A text report generated by ANY.RUN

AZORult uses a clever technique to trick various antivirus engines. In particular, the version of the stealer Trojan distributed in the July 2018 spam campaign was activated only after a password-protected document was unlocked. Since the document attached to the email was protected by a password, antivirus engines were unable to scan it and determine whether it was malicious. For the virus to become active, the victim had to unlock the document and enable macros. In this particular campaign, the malware was distributed with two payloads embedded in the main binary. Both payloads were dropped to disk and executed, the first executable payload being the information gatherer, AZORult itself, and the second the ransomware.

It should be noted that in the ANY.RUN simulation cited above, AZORult uses an exploit that is triggered when a Microsoft Office file is opened: it allows a number of malicious OLE objects to be embedded in a document, executes arbitrary code on the machine, and can even download any file from a remote server and execute it.

How to share your Azorult malware analysis with others?

If you want to share your analysis with others, you can create a text report and send it to anyone you want; just click the "Text report" button. You can save it using your browser's own functionality, either via "Save page as..." or "Print...". Note that when using "Print..." you can choose which information sections of the report to print or save to a file by clicking the small printer icon on the left side of each section. In the illustration below, the first section, with a grey printer button, will not be included in the report, but the section with a black printer button will be.

Figure 4: Azorult text report

Conclusion

AZORult remains a highly dangerous trojan. The stealer Trojan has been upgraded throughout its lifespan and is now even more dangerous than in its first days. In particular, the most recent versions are distributed bundled with ransomware and are able to steal cryptocurrency from victims.

Its distribution in clever email campaigns makes it relatively easy to become a victim of the stealer Trojan by accident. Interactive sandbox analysis provided by services like ANY.RUN is a great way to learn more about the threat and substantially improve cybersecurity.

