AZORult is a banking and information-stealing trojan that has been associated with other malware and delivery infrastructure such as Ramnit, Seamless and RIG.
Previously, AZORult was distributed through intermediary malware such as downloaders or exploit kits. Newer versions, however, are delivered directly as malicious attachments to spam emails. These attachments use several techniques, including macros and Dynamic Data Exchange (DDE) exploits, to deliver AZORult.
Once installed, AZORult spawns a legitimate process, hollows it out and injects itself into it (process hollowing) to evade detection. It then sends system data to a command-and-control (C2) server before monitoring any installed web browsers for banking and cookie information. Newer variants of AZORult will also attempt to obtain Bitcoin wallet addresses, FTP or XMPP credentials and desktop files.
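The behaviour just described, a dropper spawning a legitimate process, writing into its memory and then that process beaconing out, is something a defender can correlate from endpoint telemetry. The following is an added example, not code from the original article: it runs a simple correlation over constructed Sysmon-style events (event shapes are simplified assumptions, not the exact Sysmon schema) and flags outbound connections from any process that another process previously opened with memory-write rights.

```python
# Added example (not from the original article): correlate constructed
# Sysmon-style events (1 = process create, 10 = process access, 3 = network
# connect) to spot a hollowed process that later beacons to a remote host.
from collections import defaultdict

# Real Win32 PROCESS_* access-right bits; hollowing needs at least these two.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
HOLLOW_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def find_hollowed_beacons(events):
    """Return one finding per outbound connection made by a process that some
    other process earlier opened with VM_OPERATION|VM_WRITE rights."""
    parent_of = {}               # child pid -> (parent pid, child image path)
    writers = defaultdict(set)   # target pid -> pids that held write rights on it
    findings = []
    for e in events:
        if e["id"] == 1:         # process create
            parent_of[e["pid"]] = (e["parent_pid"], e["image"])
        elif e["id"] == 10:      # process access with an access mask
            if e["source_pid"] != e["target_pid"] and (e["access"] & HOLLOW_MASK) == HOLLOW_MASK:
                writers[e["target_pid"]].add(e["source_pid"])
        elif e["id"] == 3:       # outbound network connection
            pid = e["pid"]
            if writers[pid]:
                ppid, image = parent_of.get(pid, (None, None))
                findings.append({
                    "pid": pid, "image": image, "dest": e["dest"],
                    "writers": sorted(writers[pid]),
                    "writer_is_parent": ppid in writers[pid],
                })
    return findings


# Constructed sample (placeholder paths and RFC 5737 addresses): pid 4000 spawns
# a benign-looking binary as pid 4100, opens it with full access (which includes
# VM_OPERATION|VM_WRITE), and 4100 then connects out. pid 5000 is a normal
# process that connects without ever having been written to.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "parent_pid": 4000, "image": r"C:\Windows\System32\legit.exe"},
    {"id": 10, "source_pid": 4000, "target_pid": 4100, "access": 0x1FFFFF},
    {"id": 1, "pid": 5000, "parent_pid": 1, "image": r"C:\Program Files\app\app.exe"},
    {"id": 3, "pid": 5000, "dest": "192.0.2.10:443"},
    {"id": 3, "pid": 4100, "dest": "192.0.2.20:80"},
]

if __name__ == "__main__":
    for finding in find_hollowed_beacons(SAMPLE_EVENTS):
        print(finding)
```

Only the injected process (pid 4100) is reported; a process that connects out without prior memory writes from another process is left alone.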
The malware searches for the following information and sends it to its C2 server:
- Saved passwords, such as those stored by browsers, email clients and FTP clients;
- Cookies and form data from browsers, including autofill entries;
- wallet.dat files from popular Bitcoin clients;
- Skype message history;
- Files from chat history;
- Desktop files;
- Files with specified extensions from the Desktop and from other folders;
- List of installed programs;
- List of running processes; and
- Username, computer name and operating system type.
Indicators of Compromise / C&C URLs To Block
MD5 File Hashes
- Microsoft Windows – All versions
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.