Summary
The AZORULT malware, first discovered in 2016, is an information stealer that collects browsing history, cookies, IDs and passwords, cryptocurrency information and more. It can also act as a downloader for other malware. It was sold on Russian underground forums as a tool for collecting various types of sensitive information from an infected computer. One variant was able to create a new, hidden administrator account on the machine and set a registry key that enables Remote Desktop Protocol (RDP) connections to it.
Exploit kits such as the Fallout Exploit Kit (EK) and phishing emails built on social engineering are now the major infection vectors of AZORult. Other malware families such as Ramnit and Emotet also download AZORult. Current malspam and phishing emails use fake product order requests, invoice documents and payment information requests as lures. This Trojan-Spyware connects to the attacker's command and control (C&C) servers to send and receive information.
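As an added defender-side example (not code from the original report), the following Python script correlates constructed Windows Security log events to spot the sequence the summary describes: a newly created local account that is added to Administrators and, shortly after, a registry change that enables RDP. The event IDs are the standard Windows ones; the fDenyTSConnections value under the Terminal Server key is the usual RDP enable switch, which the report does not name and is assumed here.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Event IDs are the standard
# Windows Security log IDs: 4720 user account created, 4732 member added to a
# security-enabled local group, 4657 registry value modified.
SAMPLE_EVENTS = [
    {"time": "2019-09-03T10:00:01", "id": 4720, "account": "tmpadmin"},
    {"time": "2019-09-03T10:00:02", "id": 4732, "account": "tmpadmin",
     "group": "Administrators"},
    {"time": "2019-09-03T10:00:05", "id": 4657,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "data": "0"},
    {"time": "2019-09-03T12:30:00", "id": 4720, "account": "intern07"},
    {"time": "2019-09-03T12:30:03", "id": 4732, "account": "intern07",
     "group": "Remote Desktop Users"},
]

# Assumed (not named in the report): the standard registry switch for RDP;
# fDenyTSConnections = 0 means incoming RDP connections are allowed.
RDP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_VALUE = "fDenyTSConnections"


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_admin_rdp_sequences(events, window_seconds=600):
    """Return names of accounts that, within window_seconds of creation, were
    both added to local Administrators and followed by an RDP-enabling registry
    change. Account creation lacking either step (intern07) is not flagged."""
    window = timedelta(seconds=window_seconds)
    events = sorted(events, key=_ts)
    flagged = []
    for created in (e for e in events if e["id"] == 4720):
        t0, name = _ts(created), created["account"]
        later = [e for e in events if t0 <= _ts(e) <= t0 + window]
        made_admin = any(e["id"] == 4732 and e["account"] == name
                         and e["group"] == "Administrators" for e in later)
        rdp_enabled = any(e["id"] == 4657 and e["key"] == RDP_KEY
                          and e["value"] == RDP_VALUE and e["data"] == "0"
                          for e in later)
        if made_admin and rdp_enabled:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for account in find_admin_rdp_sequences(SAMPLE_EVENTS):
        print(f"possible hidden RDP backdoor account: {account}")
```

On a real host the same logic would be fed from the Security event log (for example via Get-WinEvent) rather than the embedded sample list.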
Behaviors
- Steals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version
- Steals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software
- Steals stored email credentials of different mail clients
- Steals user names, passwords, and hostnames from different browsers
- Steals cryptocurrency wallets, including Bitcoin, Monero and uCoin
- Steals Steam and Telegram credentials
- Steals Skype chat history and messages
- Executes backdoor commands from a remote malicious user to collect host Internet Protocol (IP) information and to download, execute or delete files
Capabilities
- Information Theft
- Backdoor commands
- Exploits
- Download Routine
Impact
- Compromises system security - its backdoor capabilities can execute malicious commands and download and install additional malware
- Violation of user privacy - gathers and steals user credentials of various applications
Infection Chain
Sample Spam - Shipping Inquiry Spam
Detection Coverage
Anti-spam

| Detection/Policy/Rules | Release Date |
|---|---|
| AS Pattern 4888 | September 4, 2019 |

Web Reputation

| Detection/Policy/Rules | Release Date |
|---|---|
| URL Protection | In the Cloud |

ATSE

| Pattern Version | Release Date |
|---|---|
| 15.343.00 | September 3, 2019 |

Predictive Machine Learning

| Detection | Release Date |
|---|---|
| Troj.Win32.TRX.XXPE50FFF031 | In the Cloud |

File Detection (VSAPI)

| Detection | Release Date |
|---|---|
| ENT OPR 15.343.00 | September 3, 2019 |

Network Pattern

| Detection | Release Date |
|---|---|
| NCCP 1.13747.00 | July 12, 2019 |
| NCIP 1.13817.00 | July 12, 2019 |
Solution Map – What should customers do?

| Trend Micro Solution | Major Product | Latest Version | Virus Pattern | Anti-Spam Pattern | Network Pattern | Predictive Machine Learning | Web Reputation |
|---|---|---|---|---|---|---|---|
| Endpoint Security | ApexOne | 2019 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Enable Web Reputation Service and update pattern via web console |
| | OfficeScan | XG (12.0) | | Not Applicable | | | |
| | Worry-Free Business Security | Standard (10.0) | | | | | |
| | | Advanced (10.0) | | Update pattern via web console | | | |
| Hybrid Cloud Security | Deep Security | 12.0 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Enable Web Reputation Service and update pattern via web console |
| Email and Gateway Security | Deep Discovery Email Inspector | 3.5 | Update pattern via web console | Update pattern via web console | Update pattern via web console | Not Applicable | Enable Web Reputation Service and update pattern via web console |
| | InterScan Messaging Security | 9.1 | | | Not Applicable | | |
| | InterScan Web Security | 6.5 | | | | | |
| | ScanMail for Microsoft Exchange | 14.0 | | | | | |
| Network Security | Deep Discovery Inspector | 5.5 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Enable Web Reputation Service and update pattern via web console |
Recommendation
Make sure to always use the latest pattern available to detect the old and new variants of AZORULT malware.