Azorult

AZORult can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Type: Stealer
Origin: ex-USSR
First seen: 1 January, 2016
Last seen: 18 January, 2020
Also known as: PuffStealer, Rultazo
Global rank: 9
Week rank: 6
Month rank: 6
IOCs: 5328

What is AZORult malware?

AZORult is an information stealer malware that is targeted at stealing credentials and accounts. Updated multiple times over the years, AZORult continues to be an active concern for users, stealing information such as banking passwords, credit card details, browser histories, and even cryptocurrency.

AZORult stealer was discovered, analyzed and documented for the first time on July 26, 2016, by Proofpoint researchers. At the time, the virus was distributed together with another trojan called Chthonic. However, subsequent spam email campaigns started distributing AZORult as the main payload, with the Hermes and Aurora ransomware added as additional payloads. A new strain of the stealer Trojan was documented in July 2018. The analysis revealed that it brought several upgrades to the functionality of both the stealer and the loader, and additionally allowed AZORult to be distributed with the RIG exploit kit. The latest recorded version of the malware is v3.3; this strain was first documented in October 2018. Most notably, this strain changed the way the C&C domain string is encrypted and improved the crypto-stealing functionality.

General description of AZORult

A trojan type malware that originated in one of the ex-USSR countries, AZORult searches for useful information on the affected computer and sends it to the C2 server to potentially steal the victim’s bank account data. AZORult can steal cookies, browser autofill information, desktop files, chat history and more.

Interestingly, to get into a machine the virus in some cases requires secondary malware like HawkEye or Seamless. Notably, in campaigns with Hermes and Aurora, after every bit of useful data is obtained, user files are encrypted and a ransom is requested to restore the lost data.

One of the interesting features of AZORult is that after execution the malware is removed from the system due to the lack of a persistence mechanism.

Malware analysis of AZORult

ANY.RUN displays the execution process of AZORult in an interactive virtual environment. As shown by the sandbox simulation, the virus launches the following processes during its execution:

  • First, a Microsoft Office file is opened and WINWORD.EXE is executed with macros enabled;
  • The malware runs EQNEDT32.EXE and downloads a malicious executable by exploiting the CVE-2017-11882 Microsoft Office Equation Editor vulnerability;
  • A 3.exe file is then launched, which changes the autorun value in the registry; the malicious executable makes changes in the registry so that the system runs it at system start;
  • The malicious executable launches itself, steals the personal data and connects to the CnC server;
  • Finally, the malicious executable starts cmd.exe to delete itself after a 3-second timeout.
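As an added defender-side example (not ANY.RUN's code and not part of the original page), the following Python turns the process chain listed above into three detection rules run over constructed Sysmon-style events: Equation Editor spawning a child process, a Run-key write, and cmd.exe waiting and then deleting its parent's binary. The event field names, paths and sample events are assumptions.

```python
import re

# Constructed Sysmon-style events (process creation and registry value set);
# field names and values are assumptions, not data from the ANY.RUN report.
DROPPED = r"C:\Users\victim\AppData\Local\Temp\3.exe"
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 10,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmd": "WINWORD.EXE /n resume.doc"},
    {"type": "process", "pid": 101, "ppid": 50,
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "cmd": "EQNEDT32.EXE -Embedding"},
    # Equation Editor launches the downloaded payload (CVE-2017-11882 exploitation)
    {"type": "process", "pid": 102, "ppid": 101, "image": DROPPED, "cmd": DROPPED},
    {"type": "registry", "pid": 102, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd", "value": DROPPED},
    # the payload removes itself after a 3-second timeout
    {"type": "process", "pid": 103, "ppid": 102, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": f'cmd.exe /c timeout 3 > nul & del "{DROPPED}"'},
    # benign activity that must not trigger
    {"type": "process", "pid": 200, "ppid": 10, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "process", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c dir"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
DELAYED_DELETE = re.compile(r"\b(timeout|ping)\b.*\bdel\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) hits for the three stages of the chain: Equation Editor
    spawning a child, a Run-key write, and cmd.exe delaying then deleting its parent."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "registry":
            if RUN_KEY.search(e["key"]):
                hits.append(("run_key_persistence", e["pid"]))
            continue
        parent = procs.get(e["ppid"])
        # EQNEDT32.EXE has no legitimate reason to start another process.
        if parent and basename(parent["image"]) == "eqnedt32.exe":
            hits.append(("eqnedt32_spawns_child", e["pid"]))
        # cmd.exe that waits (timeout/ping) and then deletes the binary of the process that started it.
        if (basename(e["image"]) == "cmd.exe" and DELAYED_DELETE.search(e["cmd"])
                and parent and parent["image"].lower() in e["cmd"].lower()):
            hits.append(("delayed_self_delete", e["pid"]))
    return hits
```

Each rule fires on its own, so the chain is visible even when only part of the telemetry is collected; the benign explorer.exe and cmd.exe /c dir events produce no hits.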

The execution process of AZORult can be viewed in more detail in the video provided by ANY.RUN.

Figure 1: Illustrates the life cycle of the malware. Graph generated by ANY.RUN.

How to avoid infection by AZORult?

AZORult is distributed mainly using spam email campaigns or via the RIG exploit kit. Notably, a major AZORult distribution campaign was observed on July 18, 2018, targeting North America.

Spam emails sent by the attackers carried largely employment-related subjects and included an infected, password-protected resume file that triggered the download of the virus.

AZORult execution process

Below is an illustration of the execution process created by the ANY.RUN interactive malware hunting service.

Figure 2: AZORult execution process in ANY.RUN.

Figure 3: A text report generated by ANY.RUN.

AZORult stealer uses a clever technique to trick various antivirus engines. In particular, the version of the stealer Trojan distributed in the July 2018 spam campaign was activated only after a password-protected document was unlocked. Since the document attached to the email was protected by a password, antivirus engines were not able to scan it and determine whether it was malicious. For the virus to become active, the victim had to unlock the document and enable macros. In this particular campaign, the malware was distributed with two payloads embedded in the main binary. Both payloads were dropped to disk and executed, the first executable payload being the information gatherer, AZORult itself, and the second the ransomware.

It should be noted that in the ANY.RUN simulation cited above, AZORult uses an exploit triggered when a Microsoft Office file is opened; it allows a number of malicious OLE objects to be embedded in a document, executes arbitrary code on the machine, and can even download any file from a remote server and execute it.

How to share your Azorult malware analysis with others?

If you want to share your analysis with others, you can create a text report and send it to anyone you want: just click the "Text report" button. You can save it using your browser's own functionality, either via "Save page as..." or "Print...". Note that you can choose which information sections of the report to print or save to a file with the "Print..." button by clicking the little printer icon on the left side of each section. In the illustration below, the first section, with a grey-colored button, won't be included in the report, while a section with a black-colored printer button will be.

Figure 4: Azorult text report.

Conclusion

AZORult remains a highly dangerous trojan. The stealer Trojan has been upgraded throughout its lifespan and is currently even more dangerous than in its first days. In particular, the most recent versions are distributed in bundles with ransomware and are able to steal cryptocurrency from victims.

Its distribution in clever email campaigns makes it relatively easy to become a victim of the stealer Trojan by accident. Interactive sandbox analysis provided by services like ANY.RUN is a great way to learn more about the threat and greatly improve security.

IOCs

