Azorult

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Type: Stealer
Origin: ex-USSR
First seen: 1 January, 2016
Last seen: 22 October, 2021
Also known as: PuffStealer, Rultazo
Global rank: 11
Week rank: 20
Month rank: 17
IOCs: 17764

What is AZORult malware?

AZORult is an information stealer malware that is aimed at stealing credentials and accounts. Updated multiple times over the years, AZORult continues to be an active concern for users, stealing information such as banking passwords, credit card details, browser histories, and even cryptocurrency.

AZORult stealer was discovered, analyzed, and documented for the first time on July 26, 2016, by Proofpoint researchers. At the time, the virus was distributed together with another trojan called Chthonic. However, subsequent spam email campaigns started distributing AZORult as the main payload, while Hermes and Aurora ransomware were added as additional payloads. A new strain of the stealer Trojan was documented in July 2018. The analysis revealed that it brought several upgrades to the functions of both the stealer and the loader of the virus, and additionally allowed AZORult to be distributed with the RIG exploit kit. The latest recorded version of the malware is v3.3. This strain was first documented in October 2018. Most notably, this strain changed the way the C&C domain string is encrypted and improved its cryptocurrency-stealing function.

General description of AZORult malware

AZORult is a trojan-type malware that originated in one of the ex-USSR countries. It searches for useful information on the affected computer and sends it to the C2 server, potentially stealing the victim’s bank account data. AZORult can steal cookies, browser autofill information, desktop files, chat history, and more.

Interestingly, to get into a machine, the virus, in some cases, requires secondary malware like HawkEye or Seamless. Notably, after every bit of useful data is obtained in campaigns with Hermes and Aurora, user files are encrypted, and a ransom is requested to restore the lost data.

One of the interesting features of AZORult is that after execution, the malware is removed from the system due to the lack of a persistence mechanism.

Malware analysis of AZORult

ANY.RUN displays the execution process of AZORult in an interactive virtual environment. As shown by the sandbox simulation, the virus launches the following process during its execution:

  • Firstly, a Microsoft Office file is opened, and WINWORD.EXE is executed with macros enabled;
  • The malware runs EQNEDT32.EXE and downloads a malicious executable through the exploitation of CVE-2017-11882, the Microsoft Office Equation Editor vulnerability;
  • A file named 3.exe is then launched, which changes the autorun value in the registry. The malicious executable modifies the registry so that the system runs it at startup;
  • The malicious executable launches itself, then proceeds to steal personal data and connect to the CnC server;
  • Finally, the malicious executable starts cmd.exe to delete itself after a 3-second timeout.
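One way to turn the chain above into detection logic, as an added example that is not from ANY.RUN or this page: a small Python scanner over constructed process-creation events that flags WINWORD.EXE spawning EQNEDT32.EXE, an executable dropped by the Equation Editor, a Run-key write, and a timed cmd.exe self-delete. The event fields, file paths, PIDs and command lines are assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical process-creation event (fields modelled on a sandbox process tree).
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # image name, e.g. "WINWORD.EXE"
    cmdline: str = ""   # full command line
    registry: str = ""  # registry key written by this process, if any

# Constructed sample events reproducing the AZORult chain described on the page.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" resume.doc'),
    ProcEvent(200, 100, "EQNEDT32.EXE",
              r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(300, 200, "3.exe", r"C:\Users\user\AppData\Roaming\3.exe",
              registry=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\3"),
    ProcEvent(400, 300, "cmd.exe",
              r'cmd.exe /c timeout /t 3 & del "C:\Users\user\AppData\Roaming\3.exe"'),
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
TIMED_DELETE = re.compile(r"timeout\s+/t\s+\d+\s*&\s*del\b", re.I)

def detect_azorult_chain(events):
    """Return (rule_name, pid) findings for each stage of the chain seen in events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimage = parent.image.lower() if parent else ""
        image = e.image.lower()
        # Stage 1: Word handing off to the Equation Editor (CVE-2017-11882 abuse pattern).
        if image == "eqnedt32.exe" and pimage == "winword.exe":
            findings.append(("office_equation_editor_spawn", e.pid))
        # Stage 2: the Equation Editor should never start a downloaded executable.
        if pimage == "eqnedt32.exe" and image.endswith(".exe"):
            findings.append(("equation_editor_dropped_exe", e.pid))
        # Stage 3: autorun value written under a Run key.
        if e.registry and RUN_KEY.search(e.registry):
            findings.append(("run_key_persistence", e.pid))
        # Stage 4: cmd.exe started by the payload to delete that same payload after a timeout.
        if image == "cmd.exe" and TIMED_DELETE.search(e.cmdline) and pimage in e.cmdline.lower():
            findings.append(("timed_self_delete", e.pid))
    return findings
```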

The execution process of AZORult can be viewed in more detail in the video provided by ANY.RUN sandbox.


Figure 1: Illustrates the life cycle of malware. Graph generated by ANY.RUN

How to avoid infection by AZORult?

AZORult is distributed mainly using spam email campaigns or via the RIG exploit kit. Notably, a major AZORult distribution campaign was observed on July 18, 2018, targeting North America.

Spam emails that the attackers sent carried largely employment-related subjects and included an infected and password-protected resume file that triggered the download of the virus.

AZORult malware execution process

Below is an illustration of the execution process created by the ANY.RUN interactive malware hunting service for analysis.


Figure 2. AZORult execution process in ANY.RUN


Figure 3: A text report generated by ANY.RUN

AZORult stealer uses a clever technique to trick various antivirus engines. In particular, the version of the stealer Trojan distributed in the July 2018 spam campaign was activated only after a password-protected document was unlocked. Because the document attached to the email was password-protected, antivirus engines were unable to scan it and determine whether it was malicious. For the virus to become active, the victim had to unlock the document and enable macros. In this particular campaign, the malware was distributed with two payloads embedded in the main binary. Both payloads were dropped to disk and executed: the first executable payload was the information gatherer, AZORult itself, followed by the secondary ransomware payload.

It should be noted that in the ANY.RUN simulation cited above, AZORult uses an exploit that triggers when a Microsoft Office file is opened. It allows several malicious OLE objects to be embedded in a document, executes arbitrary code on the machine, and can even download any file from a remote server and execute it.

How to share your Azorult malware analysis with others?

If you want to share your analysis with others, you can create a text report and send it to anyone you want. Just click the "Text report" button. You can save it using your browser functions by clicking the "Save page as..." or "Print..." buttons. Note that when using "Print...", you can choose which information sections to print or save to a file by clicking the little printer icon on the left side of each section. In the illustration below, the first section, with a grey-colored button, won't be included in the report, whereas the section with a black-colored printer button will.

Figure 4: Azorult text report

Conclusion

AZORult remains a hazardous trojan. The stealer Trojan has been upgraded throughout its lifespan and currently poses even more danger than it did in its first days. In particular, the most recent versions are distributed in bundles with ransomware and can steal cryptocurrency from victims.

Its distribution in clever email campaigns makes becoming a victim of the stealer Trojan by accident relatively easy. The interactive sandbox analysis provided by services like ANY.RUN is a good way to learn more about the threat and strengthen defenses against it.

IOCs

