AZORult Information Stealer Trojan

AZORult is a banking and information-stealing trojan associated with other malware such as Ramnit, Seamless and RIG.

Previously, AZORult was distributed through intermediary malware such as downloaders or exploit kits. Newer versions, however, are distributed directly as malicious attachments to spam emails. These attachments use several techniques, including macros and Dynamic Data Exchange (DDE) exploits, to deliver AZORult.

Once installed, AZORult spawns a legitimate process and hollows it, injecting its own code into that process so that its activity appears to come from a trusted binary. It then sends system data to a C2 server before monitoring any installed web browsers for banking and cookie information. Newer variants of AZORult also attempt to obtain Bitcoin wallet addresses, FTP or XMPP credentials and desktop files.

The malware searches for the following information and sends it to its C2 server:

  • Saved passwords, such as those from browsers, email and FTP servers;
  • Cookies from browsers and forms, including autofill;
  • wallet.dat files from popular bitcoin clients;
  • Skype message history;
  • Files from chat history;
  • Desktop files;
  • Files with specified extensions from Desktop and files in folders;
  • List of installed programs;
  • List of running processes; and
  • Username, computer name, and operating system type.
Most Infected Countries or Regions – 18th July 2018 (figure not reproduced in this text)


Indicators of Compromise / C&C URLs to Block

URLs/IPs

  • kosovo.duckdns[.]org/file/index[.]php
  • kosovo.duckdns[.]org
  • aksuperstore[.]com/fh8nzhme/gate[.]php
  • aksuperstore[.]com
  • ip-api[.]com/json
  • ad.icab[.]pk
  • 209.99.16.206
  • sijuki[.]com
  • 103.28.15.220
  • 43.255.154.108
  • 202.74.239.252
  • 5.101.152.175
  • 185.224.137.39
  • 185.224.137.10
  • 153.92.6.45
  • stronghx.beget[.]tech
  • 217.107.219.81

MD5 File Hashes

  • 5829b77898d5acff0b0fbd87deb6b9cb
  • 48a801a908d44f1770d19f5569663f98
  • 305c699a84ad3fe04ca083ad499d32b3
  • 05763c6632fcaaad57ba632788aa5a34

Files

  • au3_exe.exe
  • cartwheels.dll
  • chrom.exe
  • Reveille.cab
  • FWLosDEdtZ.exe

Affected Platforms

  • Microsoft Windows – All versions
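The indicators above are only useful in a log review once they are refanged and matched consistently. The following Python script is an added example written for this page, not tooling from the original post: it refangs the listed hosts, IPs and MD5 hashes, matches a host only when it equals an indicator or is a subdomain of it (so the dynamic-DNS parent duckdns.org is never flagged on its own), scans a few constructed proxy-log lines, and labels ip-api.com as a low-fidelity hit because that geolocation service is also queried by plenty of benign software. The sample log lines and their field layout are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Host indicators from the page's IoC list, kept defanged as published.
DEFANGED_HOSTS = [
    "kosovo.duckdns[.]org",
    "aksuperstore[.]com",
    "ip-api[.]com",
    "ad.icab[.]pk",
    "sijuki[.]com",
    "stronghx.beget[.]tech",
]
# IP indicators from the page's IoC list.
IPS = [
    "209.99.16.206", "103.28.15.220", "43.255.154.108", "202.74.239.252",
    "5.101.152.175", "185.224.137.39", "185.224.137.10", "153.92.6.45",
    "217.107.219.81",
]
# MD5 hashes from the page's IoC list.
MD5_HASHES = [
    "5829b77898d5acff0b0fbd87deb6b9cb",
    "48a801a908d44f1770d19f5569663f98",
    "305c699a84ad3fe04ca083ad499d32b3",
    "05763c6632fcaaad57ba632788aa5a34",
]
# Shared services that benign software also uses; a hit here alone is weak evidence.
LOW_FIDELITY = {"ip-api.com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form seen in logs."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


HOSTS = {refang(h) for h in DEFANGED_HOSTS}
IP_SET = set(IPS)
HASH_SET = {h.lower() for h in MD5_HASHES}

# Pulls hostname-like tokens and IPv4 addresses out of a free-form log line.
TOKEN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})\b")


def host_matches(host: str) -> Optional[str]:
    """Return the indicator a host matches exactly or as a subdomain, else None."""
    host = host.lower()
    if host in IP_SET:
        return host
    for ioc in HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator, confidence) pairs found in one log line, without duplicates."""
    hits: List[Tuple[str, str]] = []
    for token in TOKEN_RE.findall(line):
        ioc = host_matches(token)
        if ioc and ioc not in [h for h, _ in hits]:
            hits.append((ioc, "low" if ioc in LOW_FIDELITY else "high"))
    return hits


def scan_hash(md5: str) -> bool:
    """True if an MD5 (any case) is in the published hash list."""
    return md5.strip().lower() in HASH_SET


def scan_log(lines: List[str]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Return (line_number, hits) for every line that contains at least one indicator."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample proxy-log lines (assumed "timestamp client method url status" layout), not real telemetry.
SAMPLE_PROXY_LOG = [
    "2018-07-18T10:01:02Z 10.0.0.5 GET http://kosovo.duckdns.org/file/index.php 200",
    "2018-07-18T10:01:05Z 10.0.0.5 GET http://ip-api.com/json 200",
    "2018-07-18T10:02:00Z 10.0.0.7 GET http://www.example.com/ 200",
    "2018-07-18T10:03:11Z 10.0.0.9 CONNECT 185.224.137.39:443 -",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_PROXY_LOG):
        print(f"line {number}: {hits}")
```

Lines 1, 2 and 4 of the constructed log are reported; line 2 carries the "low" label, so an analyst would look for a second indicator (a hash hit on one of the listed files, or traffic to one of the gate URLs) before treating that host as confirmed.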




Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
