Azorult

AZORult can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Type: Stealer
Origin: ex-USSR
First seen: 1 January, 2016
Last seen: 10 July, 2020
Also known as: PuffStealer, Rultazo
Global rank: 10
Week rank: 8
Month rank: 13
IOCs: 11869

What is AZORult malware?

AZORult is an information stealer malware that is targeted at stealing credentials and accounts. Updated multiple times over the years, AZORult continues to be an active concern for the users, stealing information such as banking passwords, credit card details, browser histories, and even cryptocurrency.

AZORult stealer was discovered, analyzed and documented for the first time on July 26, 2016, by Proofpoint researchers. At the time, the virus was distributed together with another trojan called Chthonic. Subsequent spam email campaigns, however, distributed AZORult as the main payload, with Hermes and Aurora ransomware added as additional payloads. A new strain of the stealer Trojan was documented in July 2018. Analysis revealed that it brought several upgrades to the functionality of both the stealer and the loader, and additionally allowed AZORult to be distributed with the RIG exploit kit. The latest recorded version of the malware is v3.3; this strain was first documented in October 2018. Most notably, it changed the way the C&C domain string is encrypted and improved the crypto-stealing functionality.

General description of AZORult

A trojan type malware that originated in one of the ex-USSR countries, AZORult searches for useful information on the affected computer and sends it to the C2 server to potentially steal the victim’s bank account data. AZORult can steal cookies, browser autofill information, desktop files, chat history and more.

Interestingly, in some cases the virus requires secondary malware such as HawkEye or Seamless to get onto a machine. Notably, in campaigns with Hermes and Aurora, after every bit of useful data has been obtained, user files are encrypted and a ransom is requested to restore the lost data.

One of the interesting features of AZORult is that after execution the malware is removed from the system due to the lack of a persistence mechanism.

Malware analysis of AZORult

ANY.RUN displays the execution process of AZORult in an interactive virtual environment. As shown by the sandbox simulation, the virus launches the following processes during its execution:

  • Firstly, a Microsoft Office file is opened and WINWORD.EXE is executed with macros enabled;
  • The malware runs EQNEDT32.EXE and downloads a malicious executable by exploiting the CVE-2017-11882 Microsoft Office Equation Editor vulnerability;
  • A 3.exe file is then launched, which changes the autorun value in the registry. The malicious executable modifies the registry so that the system runs it at system start;
  • The malicious executable launches itself, then proceeds to steal personal data and connect to the CnC server;
  • Finally, the malicious executable starts cmd.exe to delete itself after a 3-second timeout.
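The process chain above (Office → Equation Editor → dropped executable → Run-key write → cmd.exe self-deletion) is exactly the kind of parent/child relationship endpoint telemetry exposes. The following detection logic is an added example written for this page; it is not ANY.RUN's code and not taken from the report. It runs four rules over constructed Sysmon-style events (EventID 1 for process creation, EventID 13 for registry value set) and reconstructs the process tree the way the sandbox graph shows it. Paths, PIDs and the SID are invented sample values.

```python
import ntpath
import re

# Constructed Sysmon-style telemetry mirroring the chain described above (not taken from
# the ANY.RUN report): EventID 1 = process create, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n C:\Users\victim\Downloads\resume.doc'},
    {"EventID": 1, "ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'"EQNEDT32.EXE" -Embedding'},
    {"EventID": 1, "ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Users\victim\AppData\Local\Temp\3.exe",
     "CommandLine": r"C:\Users\victim\AppData\Local\Temp\3.exe"},
    {"EventID": 13, "ProcessId": 300,
     "Image": r"C:\Users\victim\AppData\Local\Temp\3.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "Details": r"C:\Users\victim\AppData\Local\Temp\3.exe"},
    {"EventID": 1, "ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c timeout 3 & del "C:\Users\victim\AppData\Local\Temp\3.exe"'},
]

# Directories an unprivileged user can write to; binaries started from here by a
# document-handling process are suspicious.
USER_WRITABLE_RE = re.compile(r"\\(appdata\\(local\\temp|roaming)|users\\public|programdata)\\", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
DELAYED_DELETE_RE = re.compile(r"\b(timeout|ping)\b.*\bdel\b", re.I)


def _name(image):
    return ntpath.basename(image).lower()


def reconstruct_chain(events, pid):
    """Walk ParentProcessId links upwards and return image names root-first."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(chain))


def detect(events):
    """Return rule hits, each as {"rule": ..., "pid": ...}, in event order."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] == 1:
            parent = by_pid.get(e["ParentProcessId"])
            child = _name(e["Image"])
            pname = _name(parent["Image"]) if parent else ""
            # Office spawning the Equation Editor is the CVE-2017-11882 exploitation pattern.
            if pname == "winword.exe" and child == "eqnedt32.exe":
                hits.append({"rule": "office_spawns_equation_editor", "pid": e["ProcessId"]})
            # The Equation Editor should never start a binary from a user-writable directory.
            if pname == "eqnedt32.exe" and USER_WRITABLE_RE.search(e["Image"]):
                hits.append({"rule": "equation_editor_runs_dropped_exe", "pid": e["ProcessId"]})
            # cmd.exe delaying and then deleting its own parent's image is the self-removal step.
            if (child == "cmd.exe" and parent
                    and DELAYED_DELETE_RE.search(e["CommandLine"])
                    and parent["Image"].lower() in e["CommandLine"].lower()):
                hits.append({"rule": "cmd_deletes_parent_image", "pid": e["ProcessId"]})
        elif e["EventID"] == 13:
            # A Run-key value pointing at a binary in a user-writable path is autorun persistence.
            if RUN_KEY_RE.search(e["TargetObject"]) and USER_WRITABLE_RE.search(e["Details"]):
                hits.append({"rule": "run_key_points_to_dropped_exe", "pid": e["ProcessId"]})
    return hits


if __name__ == "__main__":
    print("chain:", " -> ".join(reconstruct_chain(SAMPLE_EVENTS, 400)))
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Each rule is weak on its own (cmd.exe deleting a file is common; an Office process spawning EQNEDT32.EXE can happen when a document legitimately contains an equation), but the four firing on one lineage within seconds is the sandbox chain above, and correlating on the reconstructed tree rather than on single events is what keeps the false-positive rate manageable.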

The execution process of AZORult can be viewed in more detail in the video provided by ANY.RUN.

Figure 1: Illustrates the life cycle of malware. Graph generated by ANY.RUN

How to avoid infection by AZORult?

AZORult is distributed mainly using spam email campaigns or via the RIG exploit kit. Notably, a major AZORult distribution campaign was observed on July 18, 2018, targeting North America.

Spam emails sent by the attackers carried largely employment-related subjects and included an infected, password-protected resume file that triggered the download of the virus.

AZORult execution process

Below is an illustration of the execution process created by the ANY.RUN interactive malware hunting service.

Figure 2. AZORult execution process in ANY.RUN

Figure 3: A text report generated by ANY.RUN

AZORult stealer uses a clever technique to trick various antivirus engines. In particular, the version of the stealer Trojan distributed in the July 2018 spam campaign was activated only after a password-protected document was unlocked. Because the document attached to the email was protected by a password, antivirus engines could not scan it and determine whether it was malicious. For the virus to become active, the victim had to unlock the document and enable macros. In this particular campaign, the malware was distributed with two payloads embedded in the main binary. Both payloads were dropped to disk and executed: the first executable payload was the information gatherer, AZORult itself, and the second was the ransomware.

It should be noted that in the aforementioned ANY.RUN simulation, AZORult uses an exploit that is triggered when a Microsoft Office file is opened. The exploit allows a number of malicious OLE objects to be embedded into a document, executes arbitrary code on the machine, and can even download any file from a remote server and execute it.

How to share your Azorult malware analysis with others?

If you want to share your analysis with others, you can create a text report and send it to anyone you want: just click the "Text report" button. You can save it using your browser's functionality by clicking "Save page as..." or "Print...". Note that when using "Print...", you can choose which information sections to print or save to a file by clicking the little printer icon on the left side of each section. In the illustration below, the first section, with a grey printer button, will not be included in the report, but the section with a black printer button will be.

Figure 4: Azorult text report

Conclusion

AZORult remains a highly dangerous trojan. The stealer Trojan has been upgraded throughout its lifespan and is currently even more dangerous than in its first days. In particular, the most recent versions are distributed in bundles with ransomware and are able to steal cryptocurrency from victims.

Its distribution in clever email campaigns makes becoming a victim of the stealer Trojan by accident relatively easy. Interactive sandbox analysis provided by services like ANY.RUN is a great way to learn more about the threat and greatly improve cybersecurity.

IOCs

IP addresses
172.67.218.84
104.18.21.191
204.11.56.48
192.169.69.25
172.67.208.45
104.18.225.52
104.18.226.52
103.224.212.222
104.26.9.44
195.216.243.155
1.1.1.1
172.67.69.226
198.54.117.197
77.222.62.31
185.244.151.83
81.177.141.241
104.18.10.239
43.225.55.117
185.253.219.150
141.8.192.153
Hashes

Domains
proxylistchecker.org
txt.proxyspy.net
widgets-3-omni-iframe.livetex.me
www.artfut.com
shop.definitelykingsley.com
csrs-fers.com
isns.net
scca.duckdns.org
xxffornikationxz.duckdns.org
babyboyhammer2.duckdns.org
systemsupdated.duckdns.org
ufok.duckdns.org
isolationglobalcoronawardlockdownworldwi.duckdns.org
kenya1.duckdns.org
covidinternationalspreadsoomuchtruehead.duckdns.org
systemserverrootmapforfiletrn.duckdns.org
santoxpri.duckdns.org
investmenteducationkungykmtsdy8agender.duckdns.org
ikorodu.duckdns.org
d3c00.duckdns.org
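An IOC list like the one above is only useful once it is matched against your own DNS and connection logs, and not every entry carries the same weight: 1.1.1.1 is a public DNS resolver, and several of the 104.18.x / 104.26.x / 172.67.x addresses sit in address space shared by a large CDN, so a hit on them alone says little. The script below is an added example written for this page (not ANY.RUN's tooling); it loads the page's IPs and domains, labels indicators that fall inside shared-infrastructure ranges as low confidence, and matches constructed log lines exactly by hostname (never by parent-domain suffix, so that the whole of duckdns.org is not flagged). The CIDR blocks are an assumption taken from Cloudflare's published ranges at the time of writing and should be verified against the current list.

```python
import ipaddress

# Indicators copied from the IOC section of this page (the hash list is not present on the page).
PAGE_IPS = [
    "172.67.218.84", "104.18.21.191", "204.11.56.48", "192.169.69.25", "172.67.208.45",
    "104.18.225.52", "104.18.226.52", "103.224.212.222", "104.26.9.44", "195.216.243.155",
    "1.1.1.1", "172.67.69.226", "198.54.117.197", "77.222.62.31", "185.244.151.83",
    "81.177.141.241", "104.18.10.239", "43.225.55.117", "185.253.219.150", "141.8.192.153",
]
PAGE_DOMAINS = [
    "proxylistchecker.org", "txt.proxyspy.net", "widgets-3-omni-iframe.livetex.me",
    "www.artfut.com", "shop.definitelykingsley.com", "csrs-fers.com", "isns.net",
    "scca.duckdns.org", "xxffornikationxz.duckdns.org", "babyboyhammer2.duckdns.org",
    "systemsupdated.duckdns.org", "ufok.duckdns.org",
    "isolationglobalcoronawardlockdownworldwi.duckdns.org", "kenya1.duckdns.org",
    "covidinternationalspreadsoomuchtruehead.duckdns.org",
    "systemserverrootmapforfiletrn.duckdns.org", "santoxpri.duckdns.org",
    "investmenteducationkungykmtsdy8agender.duckdns.org", "ikorodu.duckdns.org",
    "d3c00.duckdns.org",
]

# Shared infrastructure: Cloudflare CDN and public-resolver blocks (assumption: taken from the
# published ranges at the time of writing; verify against the current list before relying on it).
# An IOC inside these ranges is shared by countless benign sites, so a hit is low confidence alone.
SHARED_INFRA = [ipaddress.ip_network(n) for n in
                ("104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "1.1.1.0/24")]

# Constructed log lines: timestamp, internal host, record type (dns|conn), observed value.
SAMPLE_LOG = """\
2020-07-10T09:15:02Z 10.0.0.5 dns scca.duckdns.org
2020-07-10T09:15:03Z 10.0.0.5 conn 185.244.151.83:80
2020-07-10T09:15:04Z 10.0.0.7 dns www.example.com
2020-07-10T09:15:05Z 10.0.0.7 conn 1.1.1.1:53
2020-07-10T09:15:06Z 10.0.0.9 dns other.duckdns.org
"""


def ip_confidence(ip):
    """'low' for addresses inside shared CDN/resolver space, 'high' otherwise."""
    addr = ipaddress.ip_address(ip)
    return "low" if any(addr in net for net in SHARED_INFRA) else "high"


def build_iocs(ips=PAGE_IPS, domains=PAGE_DOMAINS):
    """Map each indicator to a confidence label; hostnames are matched exactly, never by suffix."""
    iocs = {ip: ip_confidence(ip) for ip in ips}
    iocs.update({d.lower(): "high" for d in domains})
    return iocs


def match_iocs(lines, iocs):
    """Return one hit per log line whose observed value is an exact IOC match."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, kind, value = parts
        if kind == "conn":
            value = value.rsplit(":", 1)[0]  # strip the destination port
        value = value.lower()
        if value in iocs:
            hits.append({"ts": ts, "host": host, "indicator": value, "confidence": iocs[value]})
    return hits


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOG.splitlines(), build_iocs()):
        print(hit)
```

On the constructed log the script flags scca.duckdns.org and 185.244.151.83 as high-confidence hits and 1.1.1.1 as a low-confidence one, while other.duckdns.org is left alone because only the exact hostnames from the list are indicators. For a real deployment the low-confidence hits are worth keeping as context for correlation with host telemetry rather than as alerts on their own.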
