Severity
Medium
Analysis Summary
AZORult is a payment card and credential information stealer. It was sold on Russian underground forums as a means to collect sensitive information from infected systems. The malware is also able to steal cookies, browsing history, cryptocurrency, and ID/passwords. Its major infection vectors are phishing emails and the Fallout Exploit Kit (EK), paired with social engineering techniques. The malware can also be used as a loader to download other malware.
Impact
- Information theft
- Credential theft
- Exposure of sensitive data
Indicators of Compromise
URL
Remediation
- Block all threat indicators at their respective controls.
- Look for IOCs in your environment.
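As an added example (not part of the Rewterz advisory), the script below refangs URL indicators written in the advisory's `[.]`/`[:]` notation and searches Squid-style proxy access logs for requests to those hosts; the indicators and log lines are constructed placeholders, not the advisory's real IoCs.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder indicators in the defanged form used by the advisory
# ("[.]" for dots, "[:]" for the scheme colon, "hxxp" for http).
DEFANGED_IOCS = [
    "http[:]//198[.]51[.]100[.]7//l/f/abc123/PLACEHOLDER_HASH",
    "http[:]//malware-dl[.]example/asdfg[.]exe",
    "hxxp://c2-panel[.]example/index[.]php",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form so it can be matched."""
    ioc = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc)


def ioc_hosts(defanged) -> set:
    """Set of host names / IPs (lower-cased by urlparse) from refanged URL IoCs."""
    return {urlparse(refang(i)).hostname for i in defanged}


# Constructed Squid native access-log lines:
# timestamp elapsed client status/code bytes method URL ident peer/host type
SAMPLE_LOG = """\
1622880000.123 45 10.0.0.12 TCP_MISS/200 5120 GET http://malware-dl.example/asdfg.exe - HIER_DIRECT/203.0.113.9 application/octet-stream
1622880001.456 12 10.0.0.15 TCP_MISS/200 812 GET http://www.example.org/ - HIER_DIRECT/203.0.113.10 text/html
1622880002.789 30 10.0.0.12 TCP_MISS/200 230 POST http://c2-panel.example/index.php - HIER_DIRECT/203.0.113.11 text/html
"""


def find_ioc_hits(log_text: str, defanged) -> list:
    """Return (client_ip, method, url) for every request whose host is an IoC host."""
    hosts = ioc_hosts(defanged)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line: skip rather than crash
        host = urlparse(fields[6]).hostname
        if host and host.lower() in hosts:
            hits.append((fields[2], fields[5], fields[6]))
    return hits


if __name__ == "__main__":
    for client, method, url in find_ioc_hits(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"IoC hit: {client} {method} {url}")
```

Matching on the host rather than the full URL catches the same infrastructure serving a different path, which is what the advisory's list of several paths under one host suggests.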