AZORult is a trojan malware that harvests and exfiltrates data from the compromised system. It is installed on a system via a first-stage malware, such as Seamless. The malware searches for the following information and sends it to its C2 server:

  • Saved passwords, such as those from browsers, email and FTP servers;

  • Cookies from browsers and forms, including autofill;

  • wallet.dat files from popular bitcoin clients;

  • Skype message history;

  • Files from chat history;

  • Desktop files;

  • Files with specified extensions from Desktop and files in folders;

  • List of installed programs;

  • List of running processes; and

  • Username, computer name, and operating system type.

In July 2018, AZORult was substantially updated, improving both its stealer and downloader functionality. It was immediately seen in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware. The advertisement for AZORult version 3.2 notes the following updates:

  • Added stealing of history from browsers (except IE and Edge).

  • Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC.

  • Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works.

  • Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly.
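As an added example (not from the NJCCIC profile or any of the referenced reports), the following Python sketch turns the harvested-data list above, together with the v3.2 wallet additions, into a simple host-side heuristic: it reads file-access audit lines and flags any single process that touches several distinct categories of the targeted artifacts within a short window, which is the access pattern a stealer of this kind produces. The log format, paths and process names are constructed for illustration; the artifact paths are assumed, typical locations, not values taken from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit format (not any real product's): "<ISO time> | <pid> | <image> | <file read>"
SAMPLE_LOG = r"""
2018-07-20T10:00:01 | 4120 | C:\Users\alice\AppData\Local\Temp\x.exe | C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2018-07-20T10:00:02 | 4120 | C:\Users\alice\AppData\Local\Temp\x.exe | C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies
2018-07-20T10:00:03 | 4120 | C:\Users\alice\AppData\Local\Temp\x.exe | C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat
2018-07-20T10:00:05 | 4120 | C:\Users\alice\AppData\Local\Temp\x.exe | C:\Users\alice\AppData\Roaming\Skype\alice\main.db
2018-07-20T10:00:06 | 4120 | C:\Users\alice\AppData\Local\Temp\x.exe | C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet
2018-07-20T10:03:00 | 2210 | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2018-07-20T10:03:01 | 2210 | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies
2018-07-20T11:00:00 | 3333 | C:\Windows\explorer.exe | C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat
"""

# Artifact categories mirroring the profile: browser passwords, cookies/autofill,
# wallet.dat plus the v3.2 wallet clients, and Skype history. Paths are assumed locations.
ARTIFACT_CATEGORIES = {
    "browser_credentials": re.compile(r"\\(Login Data|logins\.json)$", re.I),
    "browser_cookies_autofill": re.compile(r"\\(Cookies|cookies\.sqlite|Web Data)$", re.I),
    "crypto_wallet": re.compile(r"\\wallet\.dat$|\\(Exodus|Jaxx|Mist|Ethereum|Electrum|Electrum-LTC)\\", re.I),
    "chat_history": re.compile(r"\\Skype\\.*\\main\.db$", re.I),
}

def parse_line(line):
    ts, pid, image, path = [f.strip() for f in line.split(" | ", 3)]
    return datetime.fromisoformat(ts), int(pid), image, path

def classify(path):
    """Return the set of artifact categories a file path belongs to (empty if none)."""
    return {name for name, rx in ARTIFACT_CATEGORIES.items() if rx.search(path)}

def find_stealer_like_processes(log_text, window=timedelta(seconds=60), min_categories=3):
    """Return {pid: (image, sorted categories)} for processes that read artifacts
    from at least min_categories distinct categories within one time window.
    A browser reading its own password and cookie stores stays below the threshold."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, pid, image, path = parse_line(line)
        cats = classify(path)
        if cats:
            events[pid].append((ts, image, cats))
    flagged = {}
    for pid, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, image, _) in enumerate(evs):
            seen = set()
            for ts, _, cats in evs[i:]:
                if ts - start > window:
                    break
                seen |= cats
            if len(seen) >= min_categories:
                flagged[pid] = (image, sorted(seen))
                break
    return flagged
```

On the constructed log only pid 4120 is flagged; the browser (pid 2210) and the wallet client's own access (pid 3333) fall below the category threshold.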

Reporting and Technical Details

  • Threatstop provides technical details here.

  • January 2018: AZORult is being delivered via the RIG EK and Ramnit trojan. (Malware-Traffic-Analysis)

  • July 2018: New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. (Proofpoint)

  • November 2018: New Azorult variants were being used as primary payloads in a new ongoing campaign using the Fallout exploit kit. (Palo Alto Networks)
