
AZORult (Infostealer) – Malware

March 19, 2024

AZORULT

Additional Names

PuffStealer, Rultazo

Type of Malware

Trojan Horse / Infostealer

Country of Origin

Russia

Date of initial activity

2016

Associated Groups

The Gorgon Group, TA505

Motivation

It is designed to gather diverse data, including browsing history, cookies, login credentials, and cryptocurrency details.

Attack vectors

Common: Exploit Kits (especially the Fallout Exploit Kit), other malware acting as a dropper (Ramnit, Emotet), phishing, malspam, infected websites, malvertisements, fake installers.

On occasion: .iso file attachments, Remote Desktop Protocol (RDP) exploitation.

Targeted systems

Windows and Linux

Overview

AZORult is a robust information stealer and downloader that Proofpoint researchers originally identified in 2016 as part of a secondary infection via the Chthonic banking Trojan.

Azorult malware operates as an information-stealing threat, collecting data such as browsing history, cookies, login credentials, and cryptocurrency details. Additionally, it can function as a downloader for other malware families.

This malicious software was offered for sale on Russian underground forums and was specifically crafted to extract a variety of sensitive information from compromised computers. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft.

AZORult possesses the following capabilities:

Steals:
  • System login credentials
  • System reconnaissance info (GUID, system architecture and language, username and computer name, operating system version, system IP address)
  • Cryptocurrency wallets
    • Monero, uCoin, and bitcoin cryptocurrencies
    • Electrum, Electrum-LTC, Ethereum, Exodus, Jaxx and Mist wallets
  • Steam and Telegram credentials; Skype chat history and credentials
  • Payment card numbers
  • Cookies and other sensitive browser-based data (especially autofill)

Data exfiltration/communication:
  • Pushes collected data to a command-and-control server

Additional capabilities:
  • Takes screenshots
  • Executes files via remote backdoor commands

Targets

AZORult is one of the most commonly bought and sold stealers on Russian forums due to its wide range of capabilities. This Trojan poses a serious threat to those whose computers may have been infected.

Techniques Used

Example attack chain:
  • Infection vector
  • Execution
  • Persistence
  • Reconnaissance
  • Exfiltration

AZORult is an infostealer that contacts a C&C server to receive DLL files and commands used to leak information, then steals data such as user files and account information and sends it to the server. Besides account information from web browsers and email clients, it can collect screenshots, cryptocurrency information, and files designated by the attacker by path and extension. Because the downloaded commands include a feature to fetch additional malware, AZORult can also act as a downloader. Once these steps are done, it deletes itself after leaking the information and acting as a downloader, which sets it apart from other types of malware. It does not implement any method of surviving a reboot, such as registering a Run key. In other words, the malware is removed after simply leaking information rather than staying hidden and waiting for further commands from the attacker. Since it can download additional malware, it can nevertheless serve as a medium for other malware families.
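The self-deletion described above, together with the self-spawning injection listed under T1093 in the ATT&CK table below, gives a defender two signals that can be correlated in endpoint telemetry. The following is an added example, not code from the original page or from any vendor product: it runs a small detector over constructed process-create and file-delete events. The event field names, PIDs and file paths are this example's own assumptions, and the path filter exists because legitimate software (browsers with content processes, for instance) also spawns copies of itself.

```python
import re
from typing import Dict, List, Tuple

# Constructed endpoint telemetry, loosely modelled on process-create and
# file-delete events. Field names and paths are this example's own assumptions,
# not a vendor schema and not real AZORult artifacts.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 4100, "ppid": 900,
     "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"type": "process_create", "pid": 5120, "ppid": 4100,
     "image": r"C:\Users\alice\Downloads\invoice.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # The dropped binary launches a copy of itself (hollowing-style injection).
    {"type": "process_create", "pid": 5188, "ppid": 5120,
     "image": r"C:\Users\alice\Downloads\invoice.exe",
     "parent_image": r"C:\Users\alice\Downloads\invoice.exe"},
    # Self-deletion is typically delegated to a helper shell after exit.
    {"type": "process_create", "pid": 5200, "ppid": 5188,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\Downloads\invoice.exe"},
    {"type": "file_delete", "pid": 5200,
     "target": r"C:\Users\alice\Downloads\invoice.exe"},
    # Benign noise: a browser spawning a content process from Program Files.
    {"type": "process_create", "pid": 6000, "ppid": 4100,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 6010, "ppid": 6000,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

# Locations an unprivileged user can write to; self-spawns from here are
# far more interesting than the same pattern under Program Files.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|windows\\temp|programdata)\\", re.I)


def is_user_writable(path: str) -> bool:
    """True when the image lives in a user-writable location."""
    return bool(USER_WRITABLE.match(path))


def find_suspicious(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) findings for self-spawn and self-deletion patterns.

    Events are processed in order, so a delete is only matched against
    executables that were already flagged as self-spawned.
    """
    self_spawned_images = set()
    findings: List[Tuple[int, str]] = []
    for ev in events:
        if ev["type"] == "process_create":
            image = ev["image"].lower()
            if image == ev["parent_image"].lower() and is_user_writable(image):
                self_spawned_images.add(image)
                findings.append((ev["pid"], "self-spawn from user-writable path"))
        elif ev["type"] == "file_delete":
            if ev["target"].lower() in self_spawned_images:
                findings.append((ev["pid"], "deleted a self-spawned executable"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The two findings land on different PIDs (the injected copy and the helper shell that removed it), which is why the detector keys on the image path rather than on the process that performed the delete. On a real fleet the path filter would be tuned to local conventions, and the self-delete signal is the stronger of the two because benign self-spawning software does not normally remove its own executable.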

MITRE ATT&CK Techniques used by AZORult:

  • T1134 Access Token Manipulation: AZORult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges.
  • T1503 Credentials from Web Browsers: AZORult can steal credentials from the victim’s browser.
  • T1081 Credentials in Files: AZORult can steal credentials in files belonging to common software such as Skype, Telegram, and Steam.
  • T1140 Deobfuscate/Decode Files or Information: AZORult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.
  • T1083 File and Directory Discovery: AZORult can recursively search for files in folders and collect files from the desktop with certain extensions.
  • T1107 File Deletion: AZORult can delete files from victim machines.
  • T1057 Process Discovery: AZORult can collect a list of running processes by calling CreateToolhelp32Snapshot.
  • T1093 Process Hollowing: AZORult can decrypt the payload into memory, create a new suspended process of itself, inject the decrypted payload into the new process, and then resume its execution.
  • T1012 Query Registry: AZORult can check for installed software on the system under the Registry key Software\Microsoft\Windows\CurrentVersion\Uninstall.
  • T1105 Remote File Copy: AZORult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.
  • T1113 Screen Capture: AZORult can capture screenshots of the victim’s machines.
  • T1032 Standard Cryptographic Protocol: AZORult can encrypt C2 traffic using XOR.
  • T1082 System Information Discovery: AZORult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.
  • T1016 System Network Configuration Discovery: AZORult can collect host IP information from the victim’s machine.
  • T1033 System Owner/User Discovery: AZORult can collect the username from the victim’s machine.
  • T1124 System Time Discovery: AZORult can collect the time zone information from the system.
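The T1140 entry above (an XOR key used to decrypt content, Base64 used to decode the C2 address) describes the kind of layering an analyst has to peel back when pulling a configuration out of a sample. The following is an added example, not code from the original page or from any published AZORult tooling: it builds a constructed blob with that layering, shows how a wrong key is recognised because the XOR output fails to be valid Base64, and decodes the placeholder address. The key, the ordering of the two layers (XOR outside, Base64 inside) and the `c2.example.invalid` host are all assumptions of this example.

```python
import base64
import binascii
import re
from typing import Iterable, Optional

# Constructed sample values for this walkthrough only; they are not real
# AZORult artifacts and the placeholder host is not a real C2.
XOR_KEY = b"\x5a\xc3\x91"                       # hypothetical 3-byte key
C2_PLACEHOLDER = "http://c2.example.invalid/index.php"

# Base64 text: alphabet only, at most two '=' of padding at the end.
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    if not key:
        raise ValueError("XOR key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_valid_base64(data: bytes) -> bool:
    """Plausibility check used to tell a correct XOR key from a wrong one."""
    if len(data) % 4 != 0 or not B64_RE.fullmatch(data):
        return False
    try:
        base64.b64decode(data, validate=True)
    except binascii.Error:
        return False
    return True


def decode_c2(blob: bytes, key: bytes) -> str:
    """Peel the assumed layering: XOR first, then Base64."""
    plain = xor_bytes(blob, key)
    if not is_valid_base64(plain):
        raise ValueError("XOR output is not Base64: wrong key or wrong layering")
    return base64.b64decode(plain, validate=True).decode("ascii")


def recover_key(blob: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key whose XOR output is valid Base64."""
    for key in candidates:
        if is_valid_base64(xor_bytes(blob, key)):
            return key
    return None


def build_sample(c2: str, key: bytes) -> bytes:
    """Construct a blob with the same layering so the decoder runs offline."""
    return xor_bytes(base64.b64encode(c2.encode("ascii")), key)


if __name__ == "__main__":
    blob = build_sample(C2_PLACEHOLDER, XOR_KEY)
    found = recover_key(blob, [b"\x00", b"\xff", XOR_KEY])
    print("key :", found.hex() if found else None)
    print("c2  :", decode_c2(blob, found))
```

The Base64 check is the useful part in practice: because the inner layer has a known, narrow alphabet, a candidate key can be rejected without ever seeing the plaintext, which is what makes short XOR keys recoverable from a sample. Extracted addresses belong in a blocklist or a sinkhole lookup, not in anything that contacts them.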

Significant Malware Campaigns

  • Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan (July 2016)
  • A campaign delivering thousands of messages targeting North America that used the new version of AZORult (July 2018)
  • New AZORult campaign abuses popular VPN service to steal cryptocurrency (February 2020)
  • Infostealer Malware Azorult Being Distributed Through Spam Mails (August 2021)
  • Info-stealer Campaign targets German Car Dealerships and Manufacturers (May 2022)
  • From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites (March 2024)
 
References:
  • Sneaky Azorult Back in Action and Goes Undetected
  • DISSECTING THE DESIGN AND VULNERABILITIES IN AZORULT C&C PANELS
  • Analysis of a triple-encrypted AZORult downloader
  • AZORULT Malware Information
  • Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
  • New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
  • New AZORult campaign abuses popular VPN service to steal cryptocurrency
  • Infostealer Malware Azorult Being Distributed Through Spam Mails
  • Info-stealer Campaign targets German Car Dealerships and Manufacturers
  • From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites