AZORult

AZORult is an information-stealing trojan that harvests and exfiltrates data from the compromised system. It is typically dropped by first-stage malware or a delivery campaign such as Seamless rather than arriving on its own. Once running, it collects the following information and sends it to its C2 server:

  • Saved passwords, such as those from browsers, email and FTP servers;
  • Cookies from browsers and forms, including autofill;
  • wallet.dat files from popular bitcoin clients;
  • Skype message history;
  • Files from chat history;
  • Desktop files;
  • Files with configured extensions from the Desktop and from other folders;
  • List of installed programs;
  • List of running processes; and
  • Username, computer name, and operating system type.

In July 2018, AZORult was substantially updated, improving both its stealer and its loader (downloader) functionality. The new version was observed almost immediately in a large email campaign that used the improved loader to distribute Hermes ransomware. The advertisement for AZORult version 3.2 lists the following updates:

  • Added stealing of history from browsers (except IE and Edge).
  • Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC.
  • Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works.
  • Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly.

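The proxy fallback described in the last bullet is a useful hunting signal: a host that is configured to reach the internet only through the corporate proxy should not be making direct connections to external web ports, and a direct connection that follows a failed proxy attempt from the same host is exactly the pattern the advertisement describes. The script below is an added example, not code from NJCCIC or from the AZORult authors. It assumes a constructed comma-separated egress-log format (timestamp, host, destination IP, destination port, proxy/direct), a hypothetical list of proxy-mandatory hosts, and RFC 1918 plus loopback and link-local ranges as the definition of "internal"; all of these are assumptions for illustration, and real firewall or NetFlow exports need their own parser.

```python
"""Flag direct external web egress from hosts that should use the proxy.

Added example for the AZORult proxy-fallback behaviour described above.
Log format, host list and internal ranges are assumptions, not real data.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample egress log (not real traffic). Fields:
# timestamp,host,dst_ip,dst_port,via  where via is "proxy" or "direct".
SAMPLE_LOG = """\
2018-07-18T10:01:05Z,WS-042,10.0.0.5,3128,proxy
2018-07-18T10:01:07Z,WS-042,203.0.113.17,80,direct
2018-07-18T10:01:09Z,WS-042,203.0.113.17,443,direct
2018-07-18T10:02:00Z,WS-017,10.0.0.5,3128,proxy
2018-07-18T10:02:30Z,WS-099,198.51.100.8,443,direct
"""

# Assumed: workstations whose system proxy is mandatory for web access.
PROXY_HOSTS = {"WS-042", "WS-017"}

# Destination ports a stealer's direct fallback would most likely use.
WEB_PORTS = {80, 443}

# Assumed definition of "internal": RFC 1918, loopback and link-local.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# A direct connection this soon after a proxy attempt from the same host
# matches the "proxy failed, try direct" behaviour in the advertisement.
FALLBACK_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one constructed log line into a record dict."""
    ts, host, dst_ip, dst_port, via = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
        "via": via,
    }


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_proxy_bypass(log_text, proxy_hosts, window=FALLBACK_WINDOW):
    """Return direct external web connections from proxy-mandatory hosts.

    Each hit records whether the same host attempted a proxy connection
    within `window` beforehand, which strengthens the fallback hypothesis.
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records.sort(key=lambda r: r["ts"])
    last_proxy_attempt = {}  # host -> time of most recent proxy connection
    hits = []
    for r in records:
        if r["via"] == "proxy":
            last_proxy_attempt[r["host"]] = r["ts"]
            continue
        if r["host"] not in proxy_hosts:
            continue  # host is allowed direct egress; not in scope here
        if r["dst_port"] not in WEB_PORTS or not is_external(r["dst_ip"]):
            continue
        prev = last_proxy_attempt.get(r["host"])
        hits.append({
            "host": r["host"],
            "dst": f'{r["dst_ip"]}:{r["dst_port"]}',
            "ts": r["ts"].isoformat(),
            "preceded_by_proxy_attempt": prev is not None
                                          and r["ts"] - prev <= window,
        })
    return hits


if __name__ == "__main__":
    for hit in find_proxy_bypass(SAMPLE_LOG, PROXY_HOSTS):
        print(hit)
```

On the constructed sample, only WS-042 is reported: both of its direct connections to 203.0.113.17 follow its proxy attempt within the window. WS-099 connects directly but is not in the proxy-mandatory set, so it is ignored; if every host in your environment must use the proxy, pass the full inventory instead. Proxy-bypass egress has benign causes too (misconfigured clients, PAC exceptions), so treat the hit as a lead to correlate with process and file-access telemetry, not as a verdict.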
Reporting and Technical Details

  • Threatstop provides technical details here.
  • January 2018: AZORult is being delivered via the RIG EK and Ramnit trojan. (Malware-Traffic-Analysis)
  • July 2018: New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. (Proofpoint)
