AZORult: A deep dive into how the information-stealing malware works

• AZORult steals information such as saved passwords, files from chat history, cookies from browsers, skype message history and more.
• AZORult deploys other malware variants such as Seamless and Hawkeye to get into the compromised system, from which it can steal information and submit to its C2 server.

AZORult is a malware that harvests and steals information from a compromised system. The malware was originally identified by Proofpoint researchers in 2016, when it was distributed along with Chthonic banking trojan.

Modus Operandi

The malware is installed on compromised systems via first-stage malware variants such as Seamless or Hawkeye. Once the malware is installed and run on the other malware, it starts looking for the following sensitive information, steals them and sends to its C2 server.

• Username, computer name, and operating system type.
• Saved passwords from browsers, email and FTP servers.
• Cookies from browsers and forms, including autofill.
• Skype message history.
• Files from chat history.
• Desktop files.
• Files with specific extensions from Desktop.
• wallet.dat files from popular bitcoin clients.
• List of installed programs.
• List of running processes.

AZORult upgraded version 3.2

On July 17, 2018, AZORult was upgraded to version 3.2, enhancing its stealer and downloader functionality. The new AZORult version 3.2 features include:

• Added stealing of history from browsers (except IE and Edge).
• Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC.
• Improved loader - now supports unlimited links. In the admin panel, you can specify the rules for how the loader works.
• Ad-supported search results.
• Stealer can now use system proxies.
• Reduced load in the admin panel.
• Added to the admin panel a button for removing “dummies”, i.e. reports without useful information.

TA516 group used AZORult v3.2 to distribute Hermes ransomware

On July 18, 2018, a day after the new update was advertised on an underground forum, the malware was seen in a large email campaign. The malware pilfered from cryptocurrency wallets and harvested information such as machine ID, Windows version, computer name, and more. It was also used to distribute the Hermes ransomware.

Tactics, Techniques and Procedures (TTPs)

The TA516 group used the malware to distribute the Hermes ransomware via a phishing campaign targeting North America.

• The phishing emails posed as job applications and came with password-protected malicious documents. The victims were provided with the password in the email.
• The victims were also required to enable macros and download AZORult, which, in turn, dropped the Hermes ransomware.

AZORult upgraded version 3.3

On October 4, 2018, AZORult was upgraded to version 3.3 with new capabilities such as a new encryption method, cryptocurrency wallet stealer and more. The upgraded version was seen advertised on a dark web forum. The new version was distributed via the Rig exploit kit and other sources.

AZORult v3.3 new capabilities

• The new malware variant comes with enhanced cryptocurrency stealing abilities that allow it to pilfer BitcoinGold, electrumG, btcprivate, bitcore, and Exodus Eden.
• Enhancements were made to AZORult’s loader feature and antivirus detection evasion feature.
• The new version is loaded with a new encryption method to obfuscate the domain name.
• The new version also comes with a new encryption method and a new technique to connect to its C2 system.

The multiple versions of Azorult released reveal that the malware’s authors are highly active, constantly upgrading their malware periodically with new features and powerful capabilities. Researchers expect that AZORult’s developers may likely continue their onslaught of attacks and keep making improvements to the malware, to expand their scale of attacks.