Tags: Windows, Info Stealing, C2, Crypto Stealer

AZORult

AZORult is a data stealing malware that first appeared in 2016. It steals browser history, login credentials and cryptocurrency wallet information. It has been a Windows threat for a long time. Over time AZORult has evolved and added new features and techniques to make it more effective and evade detection.

Key Insights

Originally developed in Delphi, AZORult was rewritten in C++ in 2019. It can steal a lot of data, system information, stored passwords, and cryptocurrency wallet details. Version 2 added .bit domain support to its C2 infrastructure.
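As an added defender-side example (not from the original page and not Hunt.io's own code), the following Python scans DNS query logs for lookups of Namecoin `.bit` names, the kind of C2 infrastructure the page says version 2 added. Because `.bit` is not served by the public DNS root, a host asking the normal corporate resolver for a `.bit` name is anomalous regardless of the answer it gets. The log line format, hostnames and client addresses below are assumptions constructed for the example; the check deliberately ignores look-alikes such as `bit.ly` or `bitcoin.org` and handles trailing dots and mixed case.

```python
import re
from typing import Dict, List, Set

# Constructed sample DNS query log (not real traffic). Assumed layout:
# "<timestamp> <client-ip> <query-name> <query-type>", one record per line.
SAMPLE_DNS_LOG = """\
2024-11-05T10:00:01Z 10.0.0.12 www.example.com A
2024-11-05T10:00:02Z 10.0.0.12 bit.ly A
2024-11-05T10:00:03Z 10.0.0.15 update.sample-c2.bit A
2024-11-05T10:00:04Z 10.0.0.15 bitcoin.org A
2024-11-05T10:00:05Z 10.0.0.21 ns.Another-Example.BIT. A
2024-11-05T10:00:06Z 10.0.0.21 this is not a log line
"""

# One regex for the assumed four-field layout; malformed lines are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def is_bit_domain(qname: str) -> bool:
    """True if the query name's top-level label is 'bit' (Namecoin .bit).

    Normalises a trailing dot and case, and requires at least one label
    before the TLD so a bare 'bit' query is not counted.
    """
    labels = qname.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "bit"


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Return every well-formed record whose query name is under .bit."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match is None:
            continue  # malformed or truncated record, not a detection
        if is_bit_domain(match["qname"]):
            hits.append(match.groupdict())
    return hits


def clients_resolving_bit(text: str) -> Set[str]:
    """Distinct client addresses that attempted a .bit lookup."""
    return {hit["client"] for hit in scan_dns_log(text)}


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} ({hit['qtype']})")
    print("hosts to triage:", sorted(clients_resolving_bit(SAMPLE_DNS_LOG)))
```

On the constructed log this flags the two `.bit` lookups from `10.0.0.15` and `10.0.0.21` and nothing else. In practice the same logic runs over resolver or EDR DNS telemetry, and a hit on an endpoint is a reason to pull that host for triage rather than a conviction on its own.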

Distribution Methods

AZORult is spread through phishing campaigns, malicious ads, and exploit kits like Fallout Exploit Kit. Attackers use social engineering tactics like fake product order requests or invoice documents to trick victims into running the malware. It has also been seen as a secondary payload delivered by other malware families like Emotet and Ramnit.

Functionality and Impact

Once run, AZORult collects full system data, installed programs, system architecture, and user credentials from various applications and browsers. It targets cryptocurrency wallets to steal Bitcoin and Monero. The stolen data is sent to the attacker's C2 servers. Besides data theft, AZORult can also establish backdoor access so attackers can execute commands, download more malware, and compromise system integrity.

Known Variants

AZORult has had several variants over the years, each adding new features or improvements to its stealth and data exfiltration capabilities. Some versions created hidden administrator accounts on infected machines to allow unauthorized RDP connections. This shows the malware is still evolving and that its developers are continuously refining its operations.

Mitigation Strategies

  • Update and patch your OS and applications.

  • Use antivirus and anti-malware software to detect and block it.

  • Be wary of unexpected emails, and don’t click on links or download attachments from unknown senders.

  • Use email filtering and spam detection.

Targeted Industries or Sectors

AZORult is versatile and can target any industry. Individual users are often affected but organizations from finance, healthcare and technology sectors have also been targeted. Since it can steal financial data and credentials, it’s more threatening to organizations where that data is critical.

Associated Threat Actors

AZORult is associated with various cybercriminal groups on Russian-speaking underground forums. Its ease of use and availability have made it a favorite among threat actors looking to steal data or deploy more malware. However, we don’t have specific threat actor names associated with AZORult campaigns in public sources. This lack of attribution makes it hard to trace and identify the individuals or groups behind its spread.
