AZORult Malware
OVERALL CLASSIFICATION IS TLP:WHITE
04/16/2020
Report #: 202004161000

Agenda
- Introduction
- Attack vectors
- Functionality overview
- Mapping against the MITRE ATT&CK Framework
- Infection and Compromise
- Origination of Attacks
- Fake Coronavirus map
- Triple Encryption
- Persistence
- Intrusion Detection Rules/Signatures
- Mitigation practices
- Indicators of Compromise
- References
- Questions

Slides Key:
- Non-Technical: managerial, strategic and high-level (general audience)
- Technical: Tactical/IOCs; requiring in-depth knowledge (sysadmins, IRT)

Image source: NJCCIC

Introduction: AZORult – What is it
- Malware: information stealer and cryptocurrency theft
- Initially detected in 2016 when dropped by the Chthonic banking trojan
- Latest version: 3.2; used to target Windows
- AKA PuffStealer, Ruzalto
- Easy to operate (user friendly)
- Very common; sold on Russian hacker forums for ~$100
- Can both be dropped or serve as a dropper (first or second stage)
- Constantly changing/evolving infection vectors, attack stages and capabilities
- Especially relevant during the Coronavirus pandemic: used in Coronavirus-themed attacks

Image source: BleepingComputer

AZORult – Attack Vectors: How is AZORult delivered
Common:
- Exploit kits (especially the Fallout Exploit Kit)
- Other malware that acts as a dropper: Ramnit, Emotet
- Phishing
- Malspam
- Infected websites
- Malvertisements
- Fake installers
On occasion:
- .iso files
- Remote Desktop Protocol (RDP) exploitation

Image source: Ad Astra Games

AZORult – Functionality overview
AZORult possesses the following capabilities:
Steals:
- System login credentials
- System reconnaissance info (GUID, system architecture and language, username and computer name, operating system version, system IP address)
- Cryptocurrency wallets: Monero, uCoin and bitcoin cryptocurrencies; Electrum, Electrum-LTC, Ethereum, Exodus, Jaxx and Mist wallets
- Steam and Telegram credentials; Skype chat history and credentials
- Payment card numbers
- Cookies and other sensitive browser-based data (especially autofill)
Data exfiltration/communication:
- Pushes to a command-and-control server
- Screenshots
- Executes files via remote backdoor commands

Image source: LinkedIn

Mapping AZORult against the MITRE ATT&CK Framework
MITRE ATT&CK techniques used by AZORult:

Domain | ID | Name | Use
Enterprise | T1134 | Access Token Manipulation | AZORult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges.
Enterprise | T1503 | Credentials from Web Browsers | AZORult can steal credentials from the victim's browser.
Enterprise | T1081 | Credentials in Files | AZORult can steal credentials in files belonging to common software such as Skype, Telegram, and Steam.
Enterprise | T1140 | Deobfuscate/Decode Files or Information | AZORult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.
Enterprise | T1083 | File and Directory Discovery | AZORult can recursively search for files in folders and collects files from the desktop with certain extensions.
Enterprise | T1107 | File Deletion | AZORult can delete files from victim machines.
Enterprise | T1057 | Process Discovery | AZORult can collect a list of running processes by calling CreateToolhelp32Snapshot.
Enterprise | T1093 | Process Hollowing | AZORult can decrypt the payload into memory, create a new suspended process of itself, then inject the decrypted payload into the new process and resume its execution.
Enterprise | T1012 | Query Registry | AZORult can check for installed software on the system under the Registry key Software\Microsoft\Windows\CurrentVersion\Uninstall.
Enterprise | T1105 | Remote File Copy | AZORult can download and execute additional files. AZORult has also downloaded a ransomware payload called Hermes.
Enterprise | T1113 | Screen Capture | AZORult can capture screenshots of the victim's machines.
Enterprise | T1032 | Standard Cryptographic Protocol | AZORult can encrypt C2 traffic using XOR.
Enterprise | T1082 | System Information Discovery | AZORult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.
Enterprise | T1016 | System Network Configuration Discovery | AZORult can collect host IP information from the victim's machine.
Enterprise | T1033 | System Owner/User Discovery | AZORult can collect the username from the victim's machine.
Enterprise | T1124 | System Time Discovery | AZORult can collect the time zone information from the system.
Source: https://attack.mitre.org/software/S0344/

AZORult – Infection and compromise
Example attack chain: Infection vector -> Execution -> Persistence -> Reconnaissance -> Exfiltration
Image source: Trend Micro

AZORult – Origination of attacks
Geographical distribution of AZORult attacks: December 2017 through December 2018
Data and image source: Kaspersky

Recent AZORult usage – Fake Coronavirus map
A fake Coronavirus tracking map drops AZORult on victim systems.

Legitimate Johns Hopkins Coronavirus Map
The legitimate map, shown for comparison with the fake one above.

Recent AZORult technique – triple encryption
Observed in a February 2020 phishing campaign.
Data and image source: ThreatPost

AZORult – Persistence
AZORult can establish persistence by:
- Installing standard backdoors
- Creating a hidden admin account and setting a registry key so that Remote Desktop Protocol (RDP) connections to the host are accepted
- Camouflaging itself as a legitimate application (registry entries and scheduled tasks)
See the example below of a fake Google update binary that contained the AZORult trojan.
Image source: BleepingComputer

AZORult Intrusion Detection Rules/Signatures
YARA rules:
- https://malpedia.caad.fkie.fraunhofer.de/yara/win.azorult
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_AZORULT.yar
- https://malware.lu/articles/2018/05/04/azorult-stealer.html
- https://yoroi.company/research/gootkit-unveiling-the-hidden-link-with-azorult/
- https://neonprimetime.blogspot.com/2019/02/malware-yara-rules.html
- https://tccontre.blogspot.com/2019/01/interesting-azorult-mutex-name-that.html
Snort rules:
- https://www.snort.org/rule_docs/1-47339
- https://www.snort.org/rule_docs/1-49548
- https://snort.org/rule_docs/1-47602

Mitigation Practices: AZORult
The HHS 405(d) Program published the Health Industry Cybersecurity Practices (HICP), a free resource that identifies the top five cyber threats and the ten best practices to mitigate them. Below are the practices from HICP that can be used to mitigate AZORult.

Background information can be found here: https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf

Defense/Mitigation/Countermeasure | 405(d) HICP Reference
Provide social engineering and phishing training to employees. | [10.S.A], [1.M.D]
Develop and maintain a policy on suspicious e-mails for end users; ensure suspicious e-mails are reported. | [10.S.A], [10.M.A]
Ensure e-mails originating from outside the organization are automatically marked before they are received. | [1.S.A], [1.M.A]
Apply patches/updates immediately after release/testing; develop and maintain a patching program if necessary. | [7.S.A], [7.M.D]
Implement an Intrusion Detection System (IDS); keep signatures and rules updated. | [6.S.C], [6.M.C], [6.L.C]
Implement spam filters at the e-mail gateways; keep signatures and rules updated. | [1.S.A], [1.M.A]
Block suspicious IP addresses at the firewall; keep firewall rules updated. | [6.S.A], [6.M.A], [6.L.E]
Implement whitelisting technology to ensure that only authorized software is allowed to execute. | [2.S.A], [2.M.A], [2.L.E]
Implement access control based on the principle of least privilege. | [3.S.A], [3.M.A], [3.L.C]
Implement and maintain an anti-malware solution. | [2.S.A], [2.M.A], [2.L.D]
Conduct system hardening to ensure proper configurations. | [7.S.A], [7.M.D]
Disable the use of SMBv1 (and all other vulnerable services and protocols) and require at least SMBv2. | [7.S.A], [7.M.D]

Indicators of Compromise
There are instances of obsolete IOCs being reused, so any organization attempting to defend itself should consider all possibilities. New IOCs are constantly being released, especially for a tool as prominent and frequently used as AZORult. It is therefore incumbent upon any organization attempting to defend itself to remain vigilant, maintain situational awareness and be ever on the lookout for new IOCs to operationalize in its cyber defense infrastructure.
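Operationalizing a feed like the table that follows means re-fanging the indicators, typing them correctly, and matching them against logs without substring false positives. The Python below is an added example, not part of the HC3 brief. Every indicator value and log line in it is a constructed placeholder (documentation domains and addresses, and the well-known MD5 and SHA-256 of an empty file), not the brief's real IOCs; the proxy log format is a Squid-like layout assumed for illustration. The classifier types hashes by digest length, which is the check a practitioner wants before loading a feed: a 64-character hex string is SHA-256 whatever column a table puts it in.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample indicators, written in the defanged style the IOC table
# below uses ("[.]" for ".", "hxxp" for "http"). Placeholders only.
SAMPLE_IOCS = [
    "c2-sample[.]example[.]test",                         # domain
    "198[.]51[.]100[.]23",                                # IPv4 (documentation range)
    "hxxp://dl-sample[.]example[.]test/stat/sample.exe",  # URL, malware storage
    "d41d8cd98f00b204e9800998ecf8427e",                   # 32 hex chars -> MD5
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # 64 -> SHA-256
]

# Constructed proxy/DNS log lines to scan (Squid-like layout, assumed).
SAMPLE_LOG = [
    "1586995200.123 192.0.2.10 TCP_MISS/200 GET http://dl-sample.example.test/stat/sample.exe",
    "1586995201.456 192.0.2.11 TCP_MISS/200 GET http://www.example.org/index.html",
    "1586995202.789 192.0.2.12 TCP_TUNNEL/200 CONNECT 198.51.100.23:443",
    "1586995203.000 192.0.2.13 TCP_MISS/200 GET http://notc2-sample.example.test/",
    "1586995204.100 192.0.2.14 DNS A mail.c2-sample.example.test",
]

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_HEX = re.compile(r"^[0-9a-f]+$")
_HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator can be matched against raw logs."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def classify(ioc: str) -> str:
    """Infer the indicator type from its shape. Hashes are typed by hex length,
    not by whatever label the feed attached to them."""
    s = refang(ioc).lower()
    if _HEX.match(s) and len(s) in _HASH_TYPES:
        return _HASH_TYPES[len(s)]
    if _IPV4.match(s):
        return "ipv4"
    if "://" in s or "/" in s:
        return "url"
    return "domain"


def build_matcher(iocs: List[str]) -> Dict[str, Set[str]]:
    """Group re-fanged, lower-cased indicators by type."""
    out: Dict[str, Set[str]] = {}
    for ioc in iocs:
        out.setdefault(classify(ioc), set()).add(refang(ioc).lower())
    return out


def _domain_pattern(domain: str) -> "re.Pattern":
    # Hit on the domain and its subdomains, but not on a longer label that
    # merely ends with the same characters ("notc2-sample.example.test").
    return re.compile(r"(?<![\w-])" + re.escape(domain) + r"(?![\w-])(?!\.\w)")


def _ip_pattern(ip: str) -> "re.Pattern":
    # A preceding or following dotted digit would make the IP part of a longer string.
    return re.compile(r"(?<![\w.-])" + re.escape(ip) + r"(?![\w-])(?!\.\d)")


def scan_log(lines: List[str], matcher: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_index, ioc_type, ioc) for every network indicator seen."""
    checks = []
    for url in sorted(matcher.get("url", ())):
        checks.append(("url", url, lambda text, u=url: u in text))
    for dom in sorted(matcher.get("domain", ())):
        checks.append(("domain", dom, lambda text, p=_domain_pattern(dom): bool(p.search(text))))
    for ip in sorted(matcher.get("ipv4", ())):
        checks.append(("ipv4", ip, lambda text, p=_ip_pattern(ip): bool(p.search(text))))
    hits: List[Tuple[int, str, str]] = []
    for idx, line in enumerate(lines):
        text = line.lower()
        hits.extend((idx, kind, ioc) for kind, ioc, test in checks if test(text))
    return hits


def scan_hashes(observed: List[str], matcher: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Match observed file hashes (any letter case) against the hash indicators."""
    return [(h.lower(), classify(h)) for h in observed if h.lower() in matcher.get(classify(h), ())]


if __name__ == "__main__":
    matcher = build_matcher(SAMPLE_IOCS)
    for idx, kind, ioc in scan_log(SAMPLE_LOG, matcher):
        print(f"line {idx}: {kind} hit on {ioc}")
    print(scan_hashes(["D41D8CD98F00B204E9800998ECF8427E"], matcher))
```

Of the five constructed log lines, only the download URL, the CONNECT to the listed address, and the subdomain lookup hit; the "notc2-sample" host does not, which is the false positive a plain substring search would have raised. The same skeleton takes a real feed once the table rows are pasted into SAMPLE_IOCS.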
AZORult: Indicators of Compromise

Indicator | Type | Description
http://daticho.ac[.]ug | Domain | Command and control server
http://ravor.ac[.]ug | Domain | Command and control server
ssl[.]admin[.]itybuy[.]it | Domain | Command and control server
hairpd[.]com/stat/stella.exe | URL | Malware storage
hairpd[.]com/stat/sputik.exe | URL | Malware storage
ivanzakharov91[.]example.com | Domain | Malware storage
Driverconnectsearch[.]info | Domain | Malware storage
host.colocrossing[.]com | Domain | Malware storage
185.154.21[.]208 | IP address | Malware storage
192.3.179[.]203 | IP address | Malware storage
08EB8F2E441C26443EB9ABE5A93CD942 | MD5 | Executable
5B26880F80A00397BC379CAF5CADC564 | MD5 | Executable
B0EC3E594D20B9D38CC8591BAFF0148B | MD5 | Executable
FE8938F0BAAF90516A90610F6E210484 | MD5 | Executable
2274174ed24425f41362aa207168b491e6fb55cab208116070f91c049946097a | SHA-256 | Executable
6f51bf05c9fa30f3c7b6b581d4bbf0194d1725120b242972ca95c6ecc7eb79bc | SHA-256 | Executable
a75b318eb2ae6678fd15f252d6b33919203262eb59e08ac32928f8bad54ca612 | SHA-256 | Executable
12791e14ba82d36d434e7c7c0b81c7975ce802a430724f134b7e0cce5a7bb185 | SHA-256 | Executable
97c016bab36a85ca830376ec48c7e70ee25edbb55f626aee6219ade7468cee19 | SHA-256 | Executable
f291c822ee0c5655b2900f1c8881e415 | MD5 | Executable

Hash type follows digest length: a 32-character hex value is an MD5, a 64-character value is a SHA-256. Indicators are defanged with "[.]"; re-fang them before loading into blocklists or detection tooling.

References
Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers. https://blog.minerva-labs.com/analyzing-an-azorult-attack-evasion-in-a-cloak-of-multiple-layers
Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer. https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/
The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc. https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/
Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2'. https://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html
Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan. https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan
Kaspersky Threats: TROJAN-PSW.WIN32.AZORULT. https://threats.kaspersky.com/en/threat/Trojan-PSW.Win32.Azorult/
AZORult Trojan Uses Fake ProtonVPN Installer to Disguise Attacks. https://securityintelligence.com/news/azorult-trojan-uses-fake-protonvpn-installer-to-disguise-attacks/
Trend Micro: AZORULT Malware Information. https://success.trendmicro.com/solution/000146108-azorult-malware-information-kAJ4P000000kEK2WAM
New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside
Malpedia: Azorult. https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult
Malicious coronavirus map hides AZORult info-stealing malware. https://www.scmagazine.com/home/security-news/news-archive/coronavirus/malicious-coronavirus-map-hides-azorult-info-stealing-malware/
Battling online coronavirus scams with facts. https://blog.malwarebytes.com/social-engineering/2020/02/battling-online-coronavirus-scams-with-facts/
AZORult Campaign Adopts Novel Triple-Encryption Technique. https://threatpost.com/azorult-campaign-encryption-technique/152508/
Azorult Trojan Steals Passwords While Hiding as Google Update. https://www.bleepingcomputer.com/news/security/azorult-trojan-steals-passwords-while-hiding-as-google-update/
CB TAU Threat Intelligence Notification: Common to Russian Underground Forums, AZORult Aims to Connect to C&C Server, Steal Sensitive Data. https://www.carbonblack.com/2019/09/24/cb-tau-threat-intelligence-notification-common-to-russian-underground-forums-azorult-aims-to-connect-to-cc-server-steal-sensitive-data/
AZORult Malware Abusing RDP Protocol To Steal the Data by Establish a Remote Desktop Connection. https://gbhackers.com/azorult-malware-abusing-rdp-protocol/
Reverse Engineering, Malware Deep Insight. https://vk-intel.org/2017/07/
Azorult loader stages. https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/
MITRE: AZORult. https://attack.mitre.org/software/S0344/
AZORULT VERSION 2: ATROCIOUS SPYWARE INFECTION USING 3 IN 1 RTF DOCUMENT. https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-document/
AZORult++: Rewriting history. https://securelist.com/azorult-analysis-history/89922/

Questions

Upcoming Briefs
- COVID-19 Cyber Threats
- Threat Modelling for Mobile Health Systems
- Product Evaluations

Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.
Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday, between 9am-5pm (EST), at (202) 691-2110.

Health Sector Cybersecurity Coordination Center (HC3) Background
HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products
- Sector & Victim Notifications: Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.
- White Papers: Documents that provide in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.
- Threat Briefings & Webinar: Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday, between 9am-5pm (EST), at (202) 691-2110.