AZORult (Infostealer) – Malware

Overview

AZORult is a robust information stealer and downloader that Proofpoint researchers originally identified in 2016 as part of a secondary infection via the Chthonic banking Trojan.

Azorult malware operates as an information-stealing threat, collecting data such as browsing history, cookies, login credentials, and cryptocurrency details. Additionally, it can function as a downloader for other malware families.

This malicious software was offered for sale on Russian underground forums and was specifically crafted to extract a variety of sensitive information from compromised computers. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft.

AZORult possesses the following capabilities:

Steals:

• System login credentials
• System reconnaissance info (GUID, system architecture and language, username and computer name, operating system version, system IP address
• Cryptocurrency wallets • Monero, uCoin, and bitcoin cryptocurrencies • Electrum, Electrum-LTC, Ethereum, Exodus, Jaxx and Mist wallets • Steam and Telegram credentials; Skype chat history and credentials
• Payment card numbers
• Cookies and other sensitive browser-based data (especially autofill)

Data Exfiltration/Communication:

•  Pushes to a command-and-control server.

Take screenshots Executes files via remote backdoor commands

Targets

AZORult is one of the most commonly bought and sold stealers on Russian forums due to its wide range of capabilities. This Trojan poses a serious threat to those whose computers may have been infected.

Techniques Used

Example attack: • Infection vector • Execution • Persistence • Reconnaissance • Exfiltration Azorult is a kind of Infostealer that accesses a C&C server to receive DLL files and commands used to leak information, and steals information such as user data files and account information to leak it to the server. Besides account information of web browsers and email clients, screenshots, cryptocurrency information, and files designated by the attacker with certain paths and extensions can be collected as well. Because downloaded commands support a feature to download additional malware, Azorult can also act as a downloader. Once all these processes are done, it deletes itself after leaking information and acting as a downloader, which makes it different from other types of malware. It does not support methods of operation after reboot such as registering a Run key. This means that the malware is deleted after simply leaking information instead of performing additional behaviors by receiving commands from the attacker while staying hidden. Of course, since it can download additional malware, it can act as a medium for other types of malware.

MITRE ATT&CK Techniques used by AZORult:

• T1134 Access Token Manipulation: AZORult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges.
• T1503 Credentials from Web Browsers: AZORult can steal credentials from the victim’s browser.
• T1081 Credentials in Files: AZORult can steal credentials in files belonging to common software such as Skype, Telegram, and Steam.
• T1140 Deobfuscate/Decode Files or Information: AZORult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.
• T1083 File and Directory Discovery: AZORult can recursively search for files in folders and collects files from the desktop with certain extensions.
• T1107 File Deletion: AZORult can delete files from victim machines.
• T1057 Process Discovery: AZORult can collect a list of running processes by calling CreateToolhelp32Snapshot.
• T1093 Process Hollowing: AZORult can decrypt the payload into memory, create a new suspended process of itself, then inject a decrypted payload to the new process and resume new process execution.
• T1012 Query Registry: AZORult can check for installed software on the system under the Registry key Software\Microsoft\Windows\CurrentVersion\Uninstall.
• T1105 Remote File Copy: AZORult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.
• T1113 Screen Capture: AZORult can capture screenshots of the victim’s machines.
• T1032 Standard Cryptographic Protocol: AZORult can encrypt C2 traffic using XOR.
• T1082 System Information Discovery: AZORult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.
• T1016 System Network Configuration Discovery: AZORult can collect host IP information from the victim’s machine.
• T1033 System Owner/User Discovery: AZORult can collect the username from the victim’s machine.
• T1124 System Time Discovery: AZORult can collect the time zone information from the system.

Significant Malware Campaigns

• Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan (July 2016)
• A campaign delivering thousands of messages targeting North America that used the new version of AZORult (July 2018)
• New AZORult campaign abuses popular VPN service to steal cryptocurrency (February 2020)
• Infostealer Malware Azorult Being Distributed Through Spam Mails (August 2021)
• Info-stealer Campaign targets German Car Dealerships and Manufacturers (May 2022)
• From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites (March 2024)

 

References:

• Sneaky Azorult Back in Action and Goes Undetected
• DISSECTING THE DESIGN AND VULNERABILITIES IN AZORULT C&C PANELS
• Sneaky Azorult Back in Action and Goes Undetected
• Analysis of a triple-encrypted AZORult downloader
• AZORULT Malware Information
• Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
• New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
• New AZORult campaign abuses popular VPN service to steal cryptocurrency
• Infostealer Malware Azorult Being Distributed Through Spam Mails
• Info-stealer Campaign targets German Car Dealerships and Manufacturers
• From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites