Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. [1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.[1][2] |
| Enterprise | T1113 | Screen Capture | Azorult can capture screenshots of the victim's machines.[1] |
| Enterprise | T1083 | File and Directory Discovery | Azorult can recursively search for files in folders and collects files from the desktop with certain extensions.[1] |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Azorult can steal credentials in files belonging to common software such as Skype, Telegram, and Steam.[1] |
| Enterprise | T1012 | Query Registry | Azorult can check for installed software on the system under the Registry key |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1082 | System Information Discovery | Azorult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.[1][2] |
| Enterprise | T1033 | System Owner/User Discovery | Azorult can collect the username from the victim's machine.[1] |
| Enterprise | T1124 | System Time Discovery | Azorult can collect the time zone information from the system.[1][2] |
| Enterprise | T1016 | System Network Configuration Discovery | Azorult can collect host IP information from the victim's machine.[1] |
| Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | Azorult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.[1][2] |
| Enterprise | T1057 | Process Discovery | Azorult can collect a list of running processes by calling CreateToolhelp32Snapshot.[1][2] |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | Azorult can decrypt the payload into memory, create a new suspended process of itself, then inject the decrypted payload into the new process and resume its execution.[1] |
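The T1140 row above describes the two encodings an analyst has to undo to recover Azorult's configuration: a repeating XOR key over the content and Base64 over the C2 address. The following is an added analyst-side decoder that is not code from the page or from any Azorult sample; the key, the key=value layout of the decrypted blob, the `c2` field name and the C2 address (a reserved `.invalid` host) are all constructed for this example. It also shows the usual known-plaintext trick for recovering an XOR key when the first few plaintext bytes are predictable.

```python
import base64

# Analyst-side helpers for the XOR-then-Base64 pattern described for Azorult.
# Everything below (key, blob layout, field names, C2 host) is constructed
# for illustration; none of it comes from a real sample.


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation both encrypts and decrypts."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_c2(b64_text: str) -> str:
    """Decode a Base64-encoded C2 address, tolerating stripped '=' padding."""
    s = b64_text.strip()
    s += "=" * (-len(s) % 4)          # restore padding if the sample dropped it
    return base64.b64decode(s).decode("utf-8")


def extract_config(blob: bytes, key: bytes) -> dict:
    """Decrypt an XOR-protected blob, parse key=value lines, decode the Base64 'c2' field.

    The key=value layout and the 'c2' field name are assumptions for this example.
    """
    text = xor_decrypt(blob, key).decode("utf-8")
    config = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        k, v = line.split("=", 1)      # split once: Base64 padding '=' stays in the value
        config[k.strip()] = v.strip()
    if "c2" in config:
        config["c2"] = decode_c2(config["c2"])
    return config


def recover_key_from_known_prefix(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext XOR key recovery: key[i] = cipher[i] ^ plain[i] for the first key_len bytes.

    Works when the decrypted blob starts with predictable bytes (here the 'c2=' field name)
    and the prefix is at least as long as the key.
    """
    if len(known_prefix) < key_len:
        raise ValueError("known prefix shorter than key length")
    return bytes(blob[i] ^ known_prefix[i] for i in range(key_len))


def build_sample(key: bytes) -> bytes:
    """Constructed test fixture: a config blob encoded the way the decoder expects."""
    c2_b64 = base64.b64encode(b"http://c2.example.invalid/gate.php").decode("ascii")
    plaintext = "c2=" + c2_b64 + "\nid=constructed-sample\n"
    return xor_decrypt(plaintext.encode("utf-8"), key)


SAMPLE_KEY = b"\x5a\x17\x3c"          # constructed 3-byte key
SAMPLE_BLOB = build_sample(SAMPLE_KEY)

if __name__ == "__main__":
    recovered = recover_key_from_known_prefix(SAMPLE_BLOB, b"c2=", len(SAMPLE_KEY))
    print("recovered key:", recovered.hex())
    print("config:", extract_config(SAMPLE_BLOB, recovered))
```

Against a real sample the key length and the blob layout come from reversing the unpacking routine, not from guessing; the known-prefix recovery is only a shortcut once the plaintext layout is understood. The decoded C2 host is what feeds blocklists and network detections, which is why the decoder returns it as a plain string rather than just printing it.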