Azorult

Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. [1][2]

ID: S0344
Type: MALWARE
Platforms: Windows
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

Azorult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges.[1] WTSQueryUserToken can only be called successfully from a LocalSystem context (it requires SE_TCB_NAME) and returns the primary token of the user logged on to the requested session, so this call pair is characteristic of a SYSTEM-level component launching a process into the interactive user's session.

Enterprise T1503 Credentials from Web Browsers

Azorult can steal credentials from the victim's browser.[1]

Enterprise T1081 Credentials in Files

Azorult can steal credentials in files belonging to common software such as Skype, Telegram, and Steam.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Azorult uses an XOR key to decrypt embedded content and Base64-decodes the C2 address.[1][2]

Enterprise T1083 File and Directory Discovery

Azorult can recursively search for files in folders and collect files with certain extensions from the desktop.[1]
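The recursive search-and-filter behaviour described above, written out as an added example for this page; it is not Azorult's code and not taken from the cited reports. The extension list and the 64 KiB size cap are assumptions (the page says "certain extensions" and nothing about size), and the desktop tree is constructed in a temporary directory so the script runs offline. It goes slightly beyond the text in skipping symlinks, which keeps a link loop or a link pointing outside the root from dragging the walk elsewhere.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed values: the page does not list Azorult's actual extension set
# or say whether it applies a size limit, so both are assumptions here.
SAMPLE_EXTENSIONS = {".txt", ".docx", ".xlsx", ".kdbx"}
MAX_FILE_SIZE = 64 * 1024  # skip anything larger than 64 KiB


def collect_files(root, extensions, max_size=MAX_FILE_SIZE):
    """Recursively walk `root` and return [(relative_path, size), ...] for every
    regular file whose extension (case-insensitive) is in `extensions` and whose
    size is at most `max_size`. Symlinks are skipped so a link loop or a link to
    a location outside `root` cannot pull the walk elsewhere."""
    root = Path(root)
    wanted = {e.lower() for e in extensions}
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if path.suffix.lower() not in wanted or path.is_symlink():
                continue
            try:
                st = path.stat()
            except OSError:  # vanished or unreadable between listing and stat
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_size > max_size:
                continue
            hits.append((path.relative_to(root).as_posix(), st.st_size))
    return hits


def build_sample_desktop():
    """Create a constructed desktop-like tree in a fresh temp directory and
    return its path. Remove it with remove_sample_desktop() when done."""
    base = Path(tempfile.mkdtemp(prefix="desktop_"))
    files = {
        "notes.txt": b"meeting notes",
        "passwords.kdbx": b"fake password database",
        "report.docx": b"PK\x03\x04",
        "photo.jpg": b"\xff\xd8\xff",                    # extension not wanted, ignored
        "Projects/plan.xlsx": b"PK\x03\x04",
        "Projects/old/todo.TXT": b"legacy",             # upper-case extension still matches
        "Projects/big.txt": b"A" * (MAX_FILE_SIZE + 1),  # over the size cap, ignored
    }
    for rel, data in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


def remove_sample_desktop(path):
    """Delete the constructed tree."""
    shutil.rmtree(path, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_desktop()
    try:
        for rel, size in collect_files(sample, SAMPLE_EXTENSIONS):
            print(f"{size:6d}  {rel}")
    finally:
        remove_sample_desktop(sample)
```

From the defender's side, the notable property of this pattern is not any single file open but the burst: one process touching many user documents across a whole directory tree within seconds, which is what file-access auditing on user profile directories is meant to surface.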

Enterprise T1107 File Deletion

Azorult can delete files from victim machines.[1]

Enterprise T1057 Process Discovery

Azorult can collect a list of running processes by calling CreateToolhelp32Snapshot.[1][2]

Enterprise T1093 Process Hollowing

Azorult can decrypt the payload into memory, create a new suspended process of itself, then write the decrypted payload into the new process and resume its execution.[1]

Enterprise T1012 Query Registry

Azorult can check for installed software on the system under the Registry key Software\Microsoft\Windows\CurrentVersion\Uninstall.[1] On 64-bit Windows, 32-bit applications register under Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, and per-user installs appear under the same path in HKCU, so a complete inventory reads all three locations.

Enterprise T1105 Remote File Copy

Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.[1][2]

Enterprise T1113 Screen Capture

Azorult can capture screenshots of the victim's machines.[1]

Enterprise T1032 Standard Cryptographic Protocol

Azorult can encrypt C2 traffic using XOR.[1][2]
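The T1140 entry (XOR key plus Base64 around the C2 address) and the T1032 entry (XOR-encrypted C2 traffic) rest on the same primitive, so one added example serves both. This is example code written for this page, not Azorult's code and not from the cited reports: the 3-byte key, the config layout (Base64 first, then XOR) and the key=value beacon format are all constructed here. It also goes one step past the text, because a repeating-key XOR is obfuscation rather than a cryptographic protocol: a few bytes of known plaintext (the Base64 of "http:/" is always "aHR0cDov") recover the key directly, which is how an analyst would handle a sample without finding the key in the binary first.

```python
import base64

# Constructed sample values: the page says Azorult uses an XOR key and Base64
# but gives neither the key nor the config or beacon layout, so these are assumptions.
SAMPLE_KEY = b"\x5a\x13\xc7"
SAMPLE_C2 = "http://c2.example.invalid/index.php"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one function both
    encrypts and decrypts."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_config(c2_url: str = SAMPLE_C2, key: bytes = SAMPLE_KEY) -> bytes:
    """Constructed config blob: Base64-encode the C2 URL, then XOR the result
    with the key (the two layers the page names, applied in that order)."""
    return xor_bytes(base64.b64encode(c2_url.encode("ascii")), key)


def decode_c2(blob: bytes, key: bytes) -> str:
    """Undo the layers in reverse: XOR-decrypt, then Base64-decode. A wrong key
    yields bytes outside the Base64 alphabet, which validate=True rejects."""
    decoded = xor_bytes(blob, key)
    try:
        return base64.b64decode(decoded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("wrong key or corrupted blob") from exc


def build_sample_beacon(key: bytes = SAMPLE_KEY) -> bytes:
    """Constructed first beacon carrying host details of the kind listed under
    System Information / Owner Discovery, XOR-encrypted for transit."""
    fields = "host=DESKTOP-TEST&user=alice&os=Windows 10 Pro&arch=x64&lang=en-US"
    return xor_bytes(fields.encode("ascii"), key)


def decrypt_beacon(ciphertext: bytes, key: bytes) -> dict:
    """Decrypt a beacon and split it into key=value pairs."""
    plain = xor_bytes(ciphertext, key).decode("ascii", errors="replace")
    return dict(part.split("=", 1) for part in plain.split("&") if "=" in part)


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on repeating-key XOR (added generalisation):
    ciphertext XOR plaintext gives the key stream, which must repeat every
    key_len bytes. Raises if the guess does not fit."""
    if len(known_plaintext) < key_len or len(ciphertext) < len(known_plaintext):
        raise ValueError("need at least key_len bytes of known plaintext")
    stream = xor_bytes(ciphertext[:len(known_plaintext)], known_plaintext)
    for i in range(key_len, len(stream)):
        if stream[i] != stream[i - key_len]:
            raise ValueError("known plaintext does not fit a repeating key of that length")
    return stream[:key_len]


if __name__ == "__main__":
    blob = build_sample_config()
    print("C2:", decode_c2(blob, SAMPLE_KEY))
    # Base64 of any URL starting "http:/" begins with "aHR0cDov": enough known
    # plaintext to pull the 3-byte key back out of the blob.
    print("recovered key:", recover_key(blob, b"aHR0cDov", 3).hex())
    print("beacon:", decrypt_beacon(build_sample_beacon(), SAMPLE_KEY))
```

The same recover_key call works on captured traffic whenever a field name or prefix of the beacon is predictable; with a key of a few bytes and any guessable prefix, every later message from the same sample decrypts with no further work.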

Enterprise T1082 System Information Discovery

Azorult can collect machine information including the system architecture, OS version, computer name, Windows product name, number of CPU cores, video card information, and system language.[1][2]

Enterprise T1016 System Network Configuration Discovery

Azorult can collect host IP information from the victim's machine.[1]

Enterprise T1033 System Owner/User Discovery

Azorult can collect the username from the victim’s machine.[1]

Enterprise T1124 System Time Discovery

Azorult can collect the time zone information from the system.[1][2]

References