AZORult

AZORult is a trojan malware that harvests and exfiltrates data from the compromised system. It is installed on a system via a first-stage malware, such as Seamless. The malware searches for the following information and sends it to its C2 server:

• Saved passwords, such as those from browsers, email and FTP servers;

• Cookies from browsers and forms, including autofill;

• wallet.dat files from popular bitcoin clients;

• Skype message history;

• Files from chat history;

• Desktop files;

• Files with specified extensions from Desktop and files in folders;

• List of installed programs;

• List of running processes; and

• Username, computer name, and operating system type.

In July 2018, AZORult was substantially updateded, improving both on its stealer and downloader functionality. It was immediately seen in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware. The advertisement for AZORult version 3.2 notes the following updates:

• Added stealing of history from browsers (except IE and Edge).

• Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC.

• Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works.

• Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly.

Reporting and Technical Details

• Threatstop provides technical details here.

• January 2018: AZORult is being delivered via the RIG EK and Ramnit trojan. (Malware-Traffic-Analysis)

• July 2018: New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. (Proofpoint)

• November 2018: New Azorult variants were being used as primary payloads in a new ongoing campaign using the Fallout exploit kit. (Palo Alto Networks)