AZORULT Malware Information

Updated: 9 Sep 2019

Product/Version:
  • Apex One
  • Deep Discovery Email Inspector
  • Deep Discovery Inspector
  • Deep Security
  • InterScan Messaging Security Suite
  • InterScan Web Security Virtual Appliance
  • OfficeScan
  • ScanMail for Exchange
  • Worry-Free Business Security Advanced

Platform: N/A
Summary

AZORULT, first discovered in 2016, is an information stealer that harvests browsing history, cookies, IDs and passwords, cryptocurrency information and more. It can also act as a downloader for other malware. It was sold on Russian underground forums as a tool for collecting various types of sensitive information from an infected computer. One variant was able to create a new, hidden administrator account on the machine and set a registry key to establish a Remote Desktop Protocol (RDP) connection.

Exploit kits such as the Fallout Exploit Kit (EK) and phishing emails built on social engineering are now the major infection vectors of AZORult. Other malware families, such as Ramnit and Emotet, also download AZORult. Current malspam and phishing emails use fake product order requests, invoice documents and payment information requests as lures. This trojan-spyware connects to the attacker's command-and-control (C&C) servers to send and receive information.
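The hidden-administrator-plus-RDP behaviour described above gives defenders a concrete sequence to correlate in host logs. The following is an added detection example, not code from the advisory or from Trend Micro: it correlates a local account creation (Security event 4720), its addition to the Administrators group (4732) and a registry write that enables RDP (Sysmon event 13) on the same host within a short window. The registry value name `fDenyTSConnections` and the event layout are assumptions, since the advisory does not name the key, and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (JSON lines), modelled on Windows Security log
# 4720 (user account created), 4732 (member added to local group) and a
# Sysmon event 13 (registry value set). None of these are real captured logs.
SAMPLE_EVENTS = r"""
{"time": "2019-09-03T10:00:01", "host": "WS01", "event_id": 4720, "target_user": "svc$"}
{"time": "2019-09-03T10:00:03", "host": "WS01", "event_id": 4732, "target_user": "svc$", "group": "Administrators"}
{"time": "2019-09-03T10:00:05", "host": "WS01", "event_id": 13, "registry_path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections", "value": "0"}
{"time": "2019-09-03T11:30:00", "host": "WS02", "event_id": 4720, "target_user": "helpdesk"}
{"time": "2019-09-03T11:30:02", "host": "WS02", "event_id": 4732, "target_user": "helpdesk", "group": "Remote Desktop Users"}
"""

# Assumed registry value that enables RDP when set to 0; the advisory does not name the key.
RDP_VALUE = "fDenyTSConnections"


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime 'time' field, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def detect_hidden_admin_rdp(events, window=timedelta(minutes=10)):
    """Flag hosts where a newly created account is added to Administrators and
    RDP is enabled through the registry within `window` of the account creation."""
    alerts = []
    for created in (e for e in events if e["event_id"] == 4720):
        host, user, start = created["host"], created["target_user"], created["time"]
        later = [e for e in events
                 if e["host"] == host and start <= e["time"] <= start + window]
        admin_add = any(e["event_id"] == 4732 and e.get("target_user") == user
                        and e.get("group") == "Administrators" for e in later)
        rdp_on = any(e["event_id"] == 13 and e.get("value") == "0"
                     and e.get("registry_path", "").endswith("\\" + RDP_VALUE)
                     for e in later)
        if admin_add and rdp_on:
            alerts.append({"host": host, "user": user, "time": start.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_hidden_admin_rdp(parse_events(SAMPLE_EVENTS)):
        print("ALERT: new local admin and RDP enabled on", a["host"], "user", a["user"])
```

WS02 is deliberately not flagged: the new account joins Remote Desktop Users, not Administrators, and no RDP registry change follows.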

Behaviors

  • Steals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version
  • Steals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software
  • Steals stored email credentials of different mail clients
  • Steals user names, passwords, and hostnames from different browsers
  • Steals cryptocurrency wallets (Bitcoin, Monero and uCoin)
  • Steals Steam and Telegram credentials
  • Steals Skype chat history and messages
  • Executes backdoor commands from a remote malicious user to collect host Internet Protocol (IP) information and to download, execute or delete files

Capabilities

  • Information Theft
  • Backdoor commands
  • Exploits
  • Download Routine

Impact

  • Compromises system security - backdoor capabilities can execute malicious commands and download and install additional malware
  • Violation of user privacy - gathers and steals user credentials of various applications

Infection Chain

Sample Spam - Shipping Inquiry Spam

Detection Coverage

Anti-spam

Detection/Policy/Rules | Release Date
AS Pattern 4888 | September 4, 2019

Web Reputation

Detection/Policy/Rules | Release Date
URL Protection | In the Cloud

ATSE

Pattern Version | Release Date
15.343.00 | September 3, 2019

Predictive Machine Learning

Detection | Release Date
Troj.Win32.TRX.XXPE50FFF031 | In the Cloud

File Detection (VSAPI)

Detection | Release Date
ENT OPR 15.343.00 | September 3, 2019

Network Pattern

Detection | Release Date
NCCP 1.13747.00 | July 12, 2019
NCIP 1.13817.00 | July 12, 2019

Solution Map – What should customers do?

Trend Micro Solution | Major Product | Latest Version | Virus Pattern | Anti-Spam Pattern | Network Pattern | Predictive Machine Learning | Web Reputation
Endpoint Security | Apex One | 2019 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Enable Web Reputation Service and update pattern via web console
Endpoint Security | OfficeScan | XG (12.0) | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Enable Web Reputation Service and update pattern via web console
Endpoint Security | Worry-Free Business Security | Standard (10.0), Advanced (10.0) | Update pattern via web console | Update pattern via web console | Update pattern via web console | Not Applicable | Enable Web Reputation Service and update pattern via web console
Hybrid Cloud Security | Deep Security | 12.0 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Enable Web Reputation Service and update pattern via web console
Email and Gateway Security | Deep Discovery Email Inspector | 3.5 | Update pattern via web console | Update pattern via web console | Update pattern via web console | Not Applicable | Enable Web Reputation Service and update pattern via web console
Email and Gateway Security | InterScan Messaging Security | 9.1 | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console
Email and Gateway Security | InterScan Web Security | 6.5 | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console
Email and Gateway Security | ScanMail for Microsoft Exchange | 14.0 | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console
Network Security | Deep Discovery Inspector | 5.5 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Enable Web Reputation Service and update pattern via web console

Recommendation

Always use the latest available pattern so that both old and new variants of the AZORULT malware are detected.

Category: Remove a Malware / Virus
Solution Id: 000146108