AZORult

AZORult is a trojan malware that harvests and exfiltrates data from the compromised system. It is installed on a system via a first-stage malware, such as Seamless. The malware searches for the following information and sends it to its C2 server:

  • Saved passwords, such as those from browsers, email and FTP servers;

  • Cookies from browsers and forms, including autofill;

  • wallet.dat files from popular bitcoin clients;

  • Skype message history;

  • Files from chat history;

  • Desktop files;

  • Files with specified extensions from Desktop and files in folders;

  • List of installed programs;

  • List of running processes; and

  • Username, computer name, and operating system type.

In July 2018, AZORult was substantially updateded, improving both on its stealer and downloader functionality. It was immediately seen in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware. The advertisement for AZORult version 3.2 notes the following updates:

  • Added stealing of history from browsers (except IE and Edge).

  • Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC.

  • Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works.

  • Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly.

Reporting and Technical Details

  • Threatstop provides technical details here.

  • January 2018: AZORult is being delivered via the RIG EK and Ramnit trojan. (Malware-Traffic-Analysis)

  • July 2018: New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. (Proofpoint)

  • November 2018: New Azorult variants were being used as primary payloads in a new ongoing campaign using the Fallout exploit kit. (Palo Alto Networks)

  • July 2019: A new campaign has been observed targeting gamers looking for a game-hack or cheat. A YouTube user has created numerous videos and free downloadable game-hacks that contain the AZORult DLL. Once the inject is executed, various data will be exfiltrated and sent back to the threat actor. The collected data includes browser and FTP passwords, as well as browser history. (Bleeping Computer)

Trojan VariantsNJCCICazorult