Rewterz Threat Alert –AZORult Stealer Malware Resurfaces and Evades Detection While Using Email Phishing – Active IOCs

Severity

High

Analysis Summary

Cybersecurity analysts have discovered that the eight-year-old stealer malware named AZORult has returned to the cyber landscape. It steals information and harvests sensitive data and was first seen in 2016, but the malware has been down since 2021 until now.

This malware became infamous back in the day, especially during its notable campaigns where it was paired together with STOP/DJVU ransomware. AZORult specializes in stealing sensitive information like cookies, browsing history, and credentials. Since it is malware from the mid-10s, it doesn’t include some of the modern functionalities like stealing crypto wallets or session and 2FA tokens as these weren’t valuable back then.

The latest version that emerged uses more stealthy and sophisticated methods that make it difficult to detect. It uses a new infection chain and utilizes the RAM to deploy and execute the whole payload. Researchers have also found shortcut files that pretend to be PDF files, but when opened, lead to AZORult infecting the system. It uses the classic email phishing method for distribution.

AZORult is also capable of downloading and executing additional payloads that increase its threat to infected devices. The latest variant leverages process injection and living-off-the-land (LotL) techniques to avoid being detected by security software. The malware and the data stolen using it are mainly sold on Russian dark web forums. Additionally, the malware can capture data for a service that sells read-made virtual identities, including detailed data about users’ online behavior, operating system information, web history, installed plugins, and browser information.

Interestingly, experts discovered that 90% of all digital footprints that were found on the infamous Genesis Market were linked to AZORult. In February 2020, Google Chrome released an update that enforced the use of AES-256 for password encryption, highly affecting AZORult’s ability to harvest passwords from Chrome.

The new variant comes as a .link file masquerading as a PDF document using double extension tricks. A file named “citibank_statement_dec_2023.lnk” starts a sequence of events that downloads and executes a JavaScript file from a remote server, which then downloads two PowerShell scripts. One of them fetches an executable file and starts a new thread to execute the injected code. If the system language is set to Russian, the loader file terminates showing that it could be the region of its developers. The final payload is the AZORult Infostealer.

The malware creates a unique identifier for the targeted user and starts collecting system information and crypto wallets. The execution is terminated if specific conditions are met, like the presence of a file called “password.txt” on the Desktop. It also checks for certain usernames and machine names on the system and, if any of the checks return true, the binary terminates. The malware captures screenshots and targets various applications, compresses the stolen data, encrypts it, and sends it to a remote server.

It is important to be wary of phishing emails, especially from unknown sources. Be cautious of clicking on links or downloading attachments. Before clicking on any links in an email, verify the sender’s email address and make sure that it is legitimate. Human error is mostly the cause of malware infection, so it is recommended to stay vigilant and updated about various phishing-based scams.

Impact

• Sensitive Information Theft
• Data Exfiltration
• Identity Theft

Indicators of Compromise

Domain Name

nrgtik.mx

MD5

• a647fd01215b0a86246007f36b7832f6
• 84d45c0ce97155ca8eb16980dca11215
• c798c2fa8da58fc07210969ea5136977
• f05df7c16d8c236fab6ee2b2a1997ce5
• 274945641a4f798a13bddec960a82670
• bc0523db21c69a68ba3e7bfc4711f969
• b4127347d3d08d1a466289b2071e81e7
• 16eedcc3da8cc730941c9a2f4adaaf7a
• 27ca5b7ab4fa5053761347cda6c5c923
• 1d2d48cdf0805192afa82c98252ab5d3
• 72ea03e510a67b4fc05aea2820c88280
• 735ad0b79ceaa614e465e62d8f3d4455
• 6c5d40687a6b5cacf90f43799c62e7b8
• ac64471cc8eb90b31f91a81398502e87
• 93f91815cf0bfee78b13f4a79d683151
• 67a69b58f31f30eafdbba927c07d4b76

SHA-256

• 778b230b696e5ddb3a1063c939a60449f24d6f5bac91ac76e2c1e4dc24a20836
• 37a76a6009092eebcfe08efe479cdde6f8d0cf6fd9ea2ce023e0c6a43d56693a
• fd2b8640d3d05d80e769529883196fee8cc2c68d80416b7ee7b037cde5c3a877
• ace2a7812874a84b32590f440f9c4d9d99567e12cb86f0ba598e5e65aa4948c0
• 30ab6f1db490a46fb8f1643ca97194988676498baf1ae4e124352f6cc1108568
• fd64e712eac0c7d5fdec9a1f47c1f384a67a181c13e3e98ff40ee122e9ff8347
• 464a917b631b2a583025bdce274ba6f314fe30822cfa400301b924daf38e8a8c
• 518d8bc5fa3f5ef09792aca8c78bed5c762e8a4e6a45f44cae974264cb5d0652
• 7ca5e9e3033f7913657dce0b85520ec3384ae6653235af093ac2a6e442791225
• e6354942792174245b72ccfc53c1af0082ff09b239dcb138bcb79c2d9e2665c5
• 5c324e6671cefb63bd1b2c64adf2cef42daec7cb5179e18966b7719508ed314b
• e0e8ff864814e3a9f21f13c49ae139ba4bc89f0d519fed3d3b7ee3c5053cde30
• 1a8cfda57d60852c1604ca179f1483edbc652f9486072878e4dab4b413dda321
• 465c34bdaee28c628b9639ca77c6a190c5fc400ba735a498d0689f1da747a341
• b4ccb27acf65da46693be6987b890f2f19481ec1824f2c3017493245fe9ed4aa
• 386661e445f65f30b0a68f264f1393a722ba90d3f3491ae57af7745e18cb13c8

SHA-1

• b2bc65b0c792fc4ef32fc7c1d399f9f47ef15bd1
• 897309fbe2028ebb2ac40cdf83fefc72dafe8632
• e11ff82d2e3db02ab4a450dcafbb38fd184c977f
• c907067a207eb47eca8bdca81c18caddee133ff5
• d61ef316cc5b8ec477fcfd8a2a677f53b79c6e0f
• 8308433cb92810bcd6f220e7b6083c778e00fe12
• 49c7bf64cf331e5269a5fce351188b9ce6167571
• c62df841320132fc0196101305ad6337c4d0e31e
• bba6ec0bf8fc454daa61c577d1813394dd6b6d1f
• 119c6b9667e0c0c5204fc587b36f195d62c4c788
• 52e34e60664da8634cafc1f6bae8f33332772f3e
• 0d31b18630252c1ce69c7d52453e77ba72f1f668
• b393759a1a54dcd2aa1f60249e129a4f5f8c84ef
• 14aff6d9b16fa39799041c9f0741e5a2a1194888
• 567c7e0144223a84a72a60a7f20996decc2feb76
• e7f1d6c4239a90ef1ea6cee83a7174c2657318db

URL

• https://nrgtik.mx/wp-content/uploads/wp-content.php
• https://nrgtik.mx/wp-content/uploads/agent1.ps1
• https://nrgtik.mx/wp-content/uploads/agent3.ps1
• https://nrgtik.mx/wp-content/uploads/helper.exe
• https://nrgtik.mx/wp-content/uploads/sd2.ps1
• https://nrgtik.mx/wp-content/uploads/sd4.ps1
• http://45.90.58.1/index.php?id=$guid&subid=c4gQX595

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.