
A Deep-Dive Analysis of Azorult Stealer

Azorult stealer is a trojan stealing browser history, cookies, ID/Passwords, cryptocurrency information, etc.

Azorult is an infamous information-stealing trojan, first seen in 2016 and widely used by various Threat Actors (TAs) since then. It is well known for harvesting browser history, cookies, saved credentials, cryptocurrency wallet data and similar information from infected systems. Azorult is sold on Russian-language cybercrime forums, where TAs buy the stealer binaries and deploy them in their own campaigns.

TAs deliver Azorult through various infection vectors, including phishing emails, pirated software and malicious documents. A common lure is a Key Generator (KeyGen) program: once executed, the keygen drops additional malware onto the system, in this case the Azorult stealer.

Figure 1 shows the execution flow of the Azorult stealer. Azorult drops a copy of itself in the user's “TEMP” folder and launches it through WScript.exe with a VBScript. After execution, the stealer sends a unique system ID to the Command-and-Control (C&C) server, which responds with configuration details and the supporting DLL files. Azorult then collects data from the system and uploads it to the C&C. Finally, the stealer deletes the collected data, the supporting DLLs and its own executable.

Figure 1 High-Level Execution Flow of Azorult Stealer

Technical Analysis

After the initial infection, the multi-stage loader drops the final Azorult stealer payload. The Azorult file is a .NET-based 32-bit Graphical User Interface (GUI) executable masquerading as the official Telegram Desktop application. Figure 2 shows the static information of the Azorult stealer.

Figure 2 Azorult Stealer Static Details

Upon execution, Azorult copies itself to the “C:\Users\MalWorkstation\AppData\Local\Temp\” folder as Xzegdxbuoconsoleapp3.exe, and WScript.exe then launches that copy from the Temp folder via a VBScript. Figure 3 shows the VBScript code that executes Xzegdxbuoconsoleapp3.exe.

Figure 3 VBScript code to run Xzegdxbuoconsoleapp3.exe

Figure 4 shows the execution flow of Xzegdxbuoconsoleapp3.exe using WScript.exe.

Figure 4 WScript.exe running Xzegdxbuoconsoleapp3.exe

The Azorult executable contains a “Resources” folder holding an encrypted file, Srpccwbxdhrzif. Keeping the embedded payload encrypted hides its code and strings from static inspection, which serves as defense evasion. Figure 5 shows the Resources folder and the raw encrypted data.

Figure 5 Encrypted Srpccwbxdhrzif file in Resources

The Azorult source code reveals that Srpccwbxdhrzif is encrypted with the Triple-DES algorithm in ECB cipher mode with PKCS7 padding. Because ECB mode uses no IV, the hardcoded key alone is enough to recover the plaintext, and decrypting with a wrong key usually shows up as a PKCS7 padding error. Figure 6 shows the routine that decrypts Srpccwbxdhrzif.

Figure 6 Triple DES Algorithm Implementation

The decryption key is hardcoded in the main executable, as shown in Figure 7.

Figure 7 Hardcoded Decryption Key in the Memory

Azorult decrypts the file Srpccwbxdhrzif in memory as Srpccwbxdhrzif.dll. Figure 8 shows the Srpccwbxdhrzif.dll in the memory.

Figure 8 Decrypted Srpccwbxdhrzif.dll in Memory
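The resource decryption described above, as an added example in Go that is not code from the Azorult sample or from Cyble: it reproduces what a .NET TripleDES object configured with CipherMode.ECB and PaddingMode.PKCS7 does (including .NET's acceptance of a 16-byte two-key 3DES key, which Go wants spelled out as 24 bytes), then checks the result for an MZ/PE header before treating it as the DLL. The key and the encrypted blob are constructed inside the example because the real ones appear only in the figures; to use it on the sample, replace them with the bytes dumped from the Resources entry and the key from Figure 7.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"errors"
	"fmt"
)

// newCipher mirrors .NET TripleDES key handling: a 16-byte key means two-key
// 3DES (K1, K2, K1), which Go's crypto/des wants spelled out as 24 bytes.
func newCipher(key []byte) (cipher.Block, error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	if len(key) != 24 {
		return nil, fmt.Errorf("3DES key must be 16 or 24 bytes, got %d", len(key))
	}
	return des.NewTripleDESCipher(key)
}

// pkcs7Unpad strips PKCS7 padding and rejects malformed padding, which is
// usually the first sign that the wrong key was used on an unknown blob.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS7 padding")
	}
	return b[:len(b)-n], nil
}

func pkcs7Pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// tripleDESECBDecrypt is the Go equivalent of a .NET TripleDES object set to
// CipherMode.ECB and PaddingMode.PKCS7. ECB has no IV and no chaining, so each
// 8-byte block is decrypted on its own.
func tripleDESECBDecrypt(key, ct []byte) ([]byte, error) {
	block, err := newCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += des.BlockSize {
		block.Decrypt(pt[i:i+des.BlockSize], ct[i:i+des.BlockSize])
	}
	return pkcs7Unpad(pt)
}

// tripleDESECBEncrypt exists only to build the constructed sample in main.
func tripleDESECBEncrypt(key, pt []byte) ([]byte, error) {
	block, err := newCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(pt)
	ct := make([]byte, len(padded))
	for i := 0; i < len(padded); i += des.BlockSize {
		block.Encrypt(ct[i:i+des.BlockSize], padded[i:i+des.BlockSize])
	}
	return ct, nil
}

// looksLikePE checks for the MZ header and the "PE\0\0" signature at e_lfanew,
// the quick sanity check that the decrypted resource really is a DLL.
func looksLikePE(b []byte) bool {
	if len(b) < 0x40 || b[0] != 'M' || b[1] != 'Z' {
		return false
	}
	off := int(binary.LittleEndian.Uint32(b[0x3c:0x40]))
	return off+4 <= len(b) && bytes.Equal(b[off:off+4], []byte("PE\x00\x00"))
}

// samplePE is a constructed stand-in for the decrypted DLL: an MZ stub whose
// e_lfanew points at a PE signature. It is not the real Srpccwbxdhrzif.dll.
func samplePE() []byte {
	b := make([]byte, 0x50)
	copy(b, "MZ")
	binary.LittleEndian.PutUint32(b[0x3c:], 0x40)
	copy(b[0x40:], "PE\x00\x00")
	return b
}

func main() {
	key := []byte("0123456789abcdef01234567") // constructed; the real key is the Figure 7 value
	ct, _ := tripleDESECBEncrypt(key, samplePE())
	pt, err := tripleDESECBDecrypt(key, ct)
	fmt.Printf("decrypted %d bytes (err=%v), PE header present: %v\n", len(pt), err, looksLikePE(pt))
}
```

When the key is wrong, the padding check fails far more often than not, so a padding error on a candidate key is the signal to look for a different hardcoded constant rather than a different cipher mode; a clean decrypt that still fails looksLikePE usually means the resource is wrapped in a further layer (compression or a second encoding) that the figures alone do not show.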

Srpccwbxdhrzif.dll is a 32-bit .NET-based DLL file. Figure 9 shows static details of the Srpccwbxdhrzif.dll.

Figure 9 Static Details of Srpccwbxdhrzif.dll

The DLL Srpccwbxdhrzif.dll contains the code for communication with the C&C server.

Azorult masquerades as a legitimate application to avoid suspicion; in this case it poses as the Telegram desktop application. The stealer performs several activities while running. Figure 10 shows the process tree of the Azorult execution.

Figure 10 Process Tree of Azorult Stealer

Upon execution, Azorult sends a unique identification code for the infected computer to the C&C in an HTTP POST request to index.php on the C&C domain Milsom[.]ac[.]ug. Multiple C&C server addresses are hardcoded into the malware. Figure 11 shows the packet details of the initial C&C communication.

Figure 11 Network Packet Details of Initial C&C Communication

In response, the C&C sends additional data and a base64-encoded configuration string to the stealer. Figure 12 shows the contents of the index.php.htm response.

Figure 12 Encrypted Data Sent from C&C

Multiple C&C URLs are hardcoded into the malware. Figure 13 shows the DNS requests the Azorult stealer makes for these domains.

Figure 13 Azorult trying to connect to the Domains

The configuration data contains the below details, which the stealer uses to perform further actions.

Configuration   Description
Browser Path    Paths from which the stealer extracts sensitive data
Crypto Wallet   Cryptocurrency wallet details targeted for extraction

After execution, Xzegdxbuoconsoleapp3.exe downloads from the C&C the supporting DLL files it needs for information stealing. These are legitimate components of other software (the Mozilla NSS libraries, SQLite and the Visual C++ runtime) rather than malicious code, so they will not trip signature-based detection on their own; their download from a C&C and their appearance next to an unknown executable is the indicator. Figure 14 shows the request and response for downloading softokn3.dll.

Figure 14 Xzegdxbuoconsoleapp3.exe Downloaded softokn3.dll

Additional supporting DLLs downloaded from the C&C are listed below:

  • freebl3.dll
  • mozglue.dll
  • msvcp140.dll
  • nss3.dll
  • softokn3.dll
  • sqlite3.dll
  • vcruntime140.dll

Figure 15 shows the downloaded DLLs used by the Xzegdxbuoconsoleapp3.exe process.

Figure 15 Xzegdxbuoconsoleapp3.exe Loading Support DLLs

Upon execution, Xzegdxbuoconsoleapp3.exe collects data from the system and stages it in a folder under C:\ProgramData. This folder contains the victim's browser autofill data, cookies, passwords, screenshots and system information, as shown in Figure 16.

Figure 16 Data Gathered by Xzegdxbuoconsoleapp3.exe

Figure 17 shows the contents of system.txt, which holds system information including hardware, domain, language and the software installed on the system.

Figure 17 System Information Extracted by Xzegdxbuoconsoleapp3.exe

Figure 18 shows the captured POST request created by the stealer, which carries the exfiltrated data compressed into a zip file. In our analysis, the zip file was named _5514573629.zip.

Figure 18 Data Exfiltrated to C&C by Xzegdxbuoconsoleapp3.exe

After exfiltrating the data, Xzegdxbuoconsoleapp3.exe runs cmd.exe to kill its own process, erase its executable from the Temp folder, recursively delete the staging folder under C:\ProgramData, and exit. Figure 19 shows the command line that kills the Xzegdxbuoconsoleapp3 process and deletes the folder:

Figure 19 Azorult Stealer Deleting Itself and the Gathered Data
“C:\Windows\System32\cmd.exe” /c taskkill /pid 3260 & erase C:\Users\MalWorkstation\AppData\Local\Temp\Xzegdxbuoconsoleapp3.exe & RD /S /Q C:\\ProgramData\\551457362933425\\* & exit
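The two process-tree behaviours on this page, wscript.exe launching an executable out of the user's Temp folder (Figures 3 and 4) and cmd.exe being told to taskkill its own parent and then erase the executable and RD the staging folder (Figure 19), as an added detection example in Go that is not part of Cyble's post. The events are constructed Sysmon Event ID 1 records exported as JSON lines; the field names and PIDs are assumptions, while the paths and the cmd.exe command line follow the figures.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ProcessEvent: the Sysmon Event ID 1 (process creation) fields this example
// uses, as a JSON log forwarder might emit them. Field names are an assumption.
type ProcessEvent struct {
	ProcessId       int    `json:"ProcessId"`
	ParentProcessId int    `json:"ParentProcessId"`
	Image           string `json:"Image"`
	ParentImage     string `json:"ParentImage"`
	CommandLine     string `json:"CommandLine"`
}

type Alert struct {
	Rule string
	Pid  int
}

var (
	taskkillPid = regexp.MustCompile(`(?i)taskkill\s+(?:/f\s+)?/pid\s+(\d+)`)
	deleteFile  = regexp.MustCompile(`(?i)\b(?:erase|del)\s+\S`)
	removeDir   = regexp.MustCompile(`(?i)\b(?:rd|rmdir)\s+/s\s+/q\b`)
)

// baseName splits on backslashes too; path/filepath will not on a Linux analysis box.
func baseName(p string) string {
	p = strings.ToLower(p)
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// scriptHostRunsTempExe flags wscript.exe or cscript.exe launching an .exe out
// of the user's %TEMP%, the behaviour in Figures 3 and 4.
func scriptHostRunsTempExe(e ProcessEvent) bool {
	parent := baseName(e.ParentImage)
	img := strings.ToLower(e.Image)
	return (parent == "wscript.exe" || parent == "cscript.exe") &&
		strings.Contains(img, `\appdata\local\temp\`) && strings.HasSuffix(img, ".exe")
}

// selfDeleteChain flags cmd.exe told to taskkill its own parent PID and then
// erase a file and recursively remove a directory, the clean-up in Figure 19.
// Matching the /pid value against ParentProcessId separates it from ordinary taskkill use.
func selfDeleteChain(e ProcessEvent) bool {
	if baseName(e.Image) != "cmd.exe" {
		return false
	}
	m := taskkillPid.FindStringSubmatch(e.CommandLine)
	if m == nil || !deleteFile.MatchString(e.CommandLine) || !removeDir.MatchString(e.CommandLine) {
		return false
	}
	target, _ := strconv.Atoi(m[1])
	return target == e.ParentProcessId
}

func Evaluate(e ProcessEvent) []Alert {
	var out []Alert
	if scriptHostRunsTempExe(e) {
		out = append(out, Alert{"script-host-runs-temp-exe", e.ProcessId})
	}
	if selfDeleteChain(e) {
		out = append(out, Alert{"self-delete-chain", e.ProcessId})
	}
	return out
}

// ScanJSONL evaluates one JSON-encoded event per line.
func ScanJSONL(lines string) ([]Alert, error) {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(lines), "\n") {
		var e ProcessEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		alerts = append(alerts, Evaluate(e)...)
	}
	return alerts, nil
}

// sampleEvents is constructed: paths and the cmd.exe command line follow the page's
// figures; PIDs and the two benign rows (notepad.exe from wscript.exe, a plain taskkill) are made up.
const sampleEvents = `
{"ProcessId":3260,"ParentProcessId":2104,"Image":"C:\\Users\\MalWorkstation\\AppData\\Local\\Temp\\Xzegdxbuoconsoleapp3.exe","ParentImage":"C:\\Windows\\System32\\wscript.exe","CommandLine":"\"C:\\Users\\MalWorkstation\\AppData\\Local\\Temp\\Xzegdxbuoconsoleapp3.exe\""}
{"ProcessId":4120,"ParentProcessId":3260,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Users\\MalWorkstation\\AppData\\Local\\Temp\\Xzegdxbuoconsoleapp3.exe","CommandLine":"\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /pid 3260 & erase C:\\Users\\MalWorkstation\\AppData\\Local\\Temp\\Xzegdxbuoconsoleapp3.exe & RD /S /Q C:\\ProgramData\\551457362933425\\* & exit"}
{"ProcessId":5000,"ParentProcessId":2104,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\System32\\wscript.exe","CommandLine":"notepad.exe"}
{"ProcessId":5100,"ParentProcessId":1800,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe /c taskkill /pid 900 & exit"}
`

func main() {
	alerts, err := ScanJSONL(sampleEvents)
	fmt.Println("alerts:", alerts, "error:", err)
}
```

The self-delete rule keys on the relationship between the /pid argument and the parent PID rather than on the literal file names, so it still fires when the TA changes the random executable and folder names; the Temp-launch rule is noisier in environments where installers legitimately run from %TEMP% via script hosts, and is best paired with the first rule or with the C&C domain IoCs below rather than used alone.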

Conclusion  

Azorult steals a wide range of information from victims' systems, including credentials, cookies, browser data and cryptocurrency wallets. In this campaign, the TA delivers the Azorult payload through keygen software and phishing emails.

The TAs behind Azorult use multiple methods to extract victims' sensitive data, and the victims range from organizations to individual users.

Cyble Research Labs will continuously monitor emerging threats and targeted cyber-attacks. 

Our Recommendations

We have listed some essential cybersecurity best practices that form the first line of defense against attackers. We recommend that our readers follow the suggestions given below:

  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Do not run key generators or cracked software; this campaign used a keygen as its lure.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Conduct regular backup practices and keep those backups offline or in a separate network.

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Execution            T1059          Command and Scripting Interpreter
Defense Evasion      T1036          Masquerading
Defense Evasion      T1140          Deobfuscate/Decode Files or Information
Defense Evasion      T1070.004      Indicator Removal: File Deletion
Defense Evasion      T1497.003      Virtualization/Sandbox Evasion: Time Based Evasion
Credential Access    T1555          Credentials from Password Stores
Credential Access    T1552          Unsecured Credentials
Credential Access    T1539          Steal Web Session Cookie
Discovery            T1518          Software Discovery
Discovery            T1082          System Information Discovery
Command and Control  T1071.001      Application Layer Protocol: Web Protocols
Exfiltration         T1041          Exfiltration Over C2 Channel

Indicators of Compromise (IoCs):

Indicators                                                          Indicator type   Description
720ae9355ab33d0a10059da07c7af1722b5c53daa94950e8d5f01ba330951efb    SHA-256          Azorult Stealer
a1d765c68a5cddc84dbf51767232c8eb0c3284cf0443671a6ada80ee10db70a7    SHA-256          Azorult Stealer
2ee579a9f9ebf574254c0da0f2a45fbff896e7864e3b40f95f826943e6f0213b    SHA-256          Azorult Stealer
8f7f529578b7a3d53f001f5130b0ba9e450f936c1309395cba875acdce5b77c3    SHA-256          Azorult Stealer
03f36ba5d0b98fab3b67c14041448b31ab255c6f73a9e04791a11af40be5bc0f    SHA-256          Azorult Stealer
Rebrand[.]ly                                                        Domain           C&C domain
Marketprice[.]pk                                                    Domain           C&C domain
Matisaas[.]ac[.]ug                                                  Domain           C&C domain
Mantata[.]ac[.]ug                                                   Domain           C&C domain
Playwell[.]ug                                                       Domain           C&C domain
Wellplayed[.]ug                                                     Domain           C&C domain
Marcyovcx[.]ru                                                      Domain           C&C domain
Milsom[.]ac[.]ug                                                    Domain           C&C domain
Scarsa[.]ac[.]ug                                                    Domain           C&C domain
185.215.113[.]77                                                    IP               C&C IP

About Us  

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.   
