CB TAU Threat Intelligence Notification: Common to Russian Underground Forums, AZORult Aims to Connect to C&C Server, Steal Sensitive Data

AZORult is an information-stealing trojan that harvests sensitive data from the victim's computer. It is commonly sold on Russian underground forums and is actively delivered through spear-phishing campaigns or, as in the recent attack, distributed via a fake website posing as the official site for the BleachBit software application.

![az1.png](upload://xzBNCatL8HVBMpyg75bOD157UQL.png "az1.png")

Figure 1: AZORult C&C Panel Menu (Reference from here)

This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against AZORult Info Stealer.

Behavioral Summary

Upon execution, AZORult connects to the command and control (C&C) server and then collects sensitive information such as browser history, stored login credentials, cookies and other data, according to the configuration received from the C&C server. Depending on that configuration, it may also be used to download additional malicious payloads to the victim's computer.

![az2.png|615x191](upload://mr8thUk518mUDrwWzwIrJD527Xq.png "az2.png")

Figure 2: AZORult activity cycle

AZORult creates and uses the following legitimate DLLs to steal sensitive information:

  • api-ms-win-core-console-l1-1-0.dll
  • api-ms-win-core-datetime-l1-1-0.dll
  • api-ms-win-core-debug-l1-1-0.dll
  • api-ms-win-core-errorhandling-l1-1-0.dll
  • api-ms-win-core-file-l1-1-0.dll
  • api-ms-win-core-file-l1-2-0.dll
  • api-ms-win-core-file-l2-1-0.dll
  • api-ms-win-core-handle-l1-1-0.dll
  • api-ms-win-core-heap-l1-1-0.dll
  • api-ms-win-core-interlocked-l1-1-0.dll
  • api-ms-win-core-libraryloader-l1-1-0.dll
  • api-ms-win-core-localization-l1-2-0.dll
  • api-ms-win-core-memory-l1-1-0.dll
  • api-ms-win-core-namedpipe-l1-1-0.dll
  • api-ms-win-core-processenvironment-l1-1-0.dll
  • api-ms-win-core-processthreads-l1-1-0.dll
  • api-ms-win-core-processthreads-l1-1-1.dll
  • api-ms-win-core-profile-l1-1-0.dll
  • api-ms-win-core-rtlsupport-l1-1-0.dll
  • api-ms-win-core-string-l1-1-0.dll
  • api-ms-win-core-synch-l1-1-0.dll
  • api-ms-win-core-synch-l1-2-0.dll
  • api-ms-win-core-sysinfo-l1-1-0.dll
  • api-ms-win-core-timezone-l1-1-0.dll
  • api-ms-win-core-util-l1-1-0.dll
  • api-ms-win-crt-conio-l1-1-0.dll
  • api-ms-win-crt-convert-l1-1-0.dll
  • api-ms-win-crt-environment-l1-1-0.dll
  • api-ms-win-crt-filesystem-l1-1-0.dll
  • api-ms-win-crt-heap-l1-1-0.dll
  • api-ms-win-crt-locale-l1-1-0.dll
  • api-ms-win-crt-math-l1-1-0.dll
  • api-ms-win-crt-multibyte-l1-1-0.dll
  • api-ms-win-crt-private-l1-1-0.dll
  • api-ms-win-crt-process-l1-1-0.dll
  • api-ms-win-crt-runtime-l1-1-0.dll
  • api-ms-win-crt-stdio-l1-1-0.dll
  • api-ms-win-crt-string-l1-1-0.dll
  • api-ms-win-crt-time-l1-1-0.dll
  • api-ms-win-crt-utility-l1-1-0.dll
  • freebl3.dll
  • mozglue.dll
  • msvcp140.dll
  • nss3.dll
  • nssdbm3.dll
  • softokn3.dll
  • ucrtbase.dll
  • vcruntime140.dll

![az3.png](upload://uvzPVDW9U6BljFUM1QWMSoJ0tzm.png "az3.png")

Figure 3: AZORult connecting to the C&C server and creating the legitimate DLLs used to steal data
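The DLL drop described above is a usable detection signal on its own: a process that writes the Mozilla NSS libraries (freebl3.dll, nss3.dll, softokn3.dll, mozglue.dll) somewhere other than a browser install directory and also makes an outbound connection is behaving like AZORult. The following is an added example, not Carbon Black's or AZORult's code; the event schema, the browser directories and the sample telemetry are constructed assumptions.

```python
from collections import defaultdict

# Subset of the page's DLL list characteristic of Mozilla NSS credential-store
# decryption; api-ms-win-* and CRT DLLs are too common to key a detection on.
NSS_DLLS = {"freebl3.dll", "mozglue.dll", "nss3.dll", "nssdbm3.dll", "softokn3.dll"}
# Assumption: directories where these DLLs legitimately appear on an endpoint.
BROWSER_DIRS = ("c:\\program files\\mozilla firefox\\",
                "c:\\program files (x86)\\mozilla firefox\\")
MIN_DLLS = 3  # require several NSS DLLs, not one coincidental write


def detect_azorult_pattern(events):
    """Flag processes that write NSS DLLs outside a browser install AND make an
    outbound connection. Returns {pid: {"dlls": [...], "dest": "host:port"}}.
    events: dicts with 'pid', 'type' ('filecreate'|'netconn') and 'path'/'dest'."""
    dropped = defaultdict(set)
    conns = {}
    for ev in events:
        if ev["type"] == "filecreate":
            path = ev["path"].lower()
            name = path.rsplit("\\", 1)[-1]
            if name in NSS_DLLS and not path.startswith(BROWSER_DIRS):
                dropped[ev["pid"]].add(name)
        elif ev["type"] == "netconn":
            conns.setdefault(ev["pid"], ev["dest"])  # keep first destination seen
    return {pid: {"dlls": sorted(dlls), "dest": conns[pid]}
            for pid, dlls in dropped.items()
            if len(dlls) >= MIN_DLLS and pid in conns}


# Constructed sample telemetry (not real data); 198.51.100.7 / 203.0.113.9 are
# documentation addresses. pid 4242 mimics the page's behaviour: connect to
# C&C, then drop the DLLs into %TEMP%. pid 777 is a benign browser installer.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
FF = r"C:\Program Files\Mozilla Firefox"
SAMPLE_EVENTS = [
    {"pid": 4242, "type": "netconn", "dest": "198.51.100.7:80"},
    *({"pid": 4242, "type": "filecreate", "path": TEMP + "\\" + d}
      for d in ("nss3.dll", "freebl3.dll", "softokn3.dll", "mozglue.dll", "ucrtbase.dll")),
    *({"pid": 777, "type": "filecreate", "path": FF + "\\" + d}
      for d in ("nss3.dll", "softokn3.dll", "freebl3.dll")),
    {"pid": 777, "type": "netconn", "dest": "203.0.113.9:443"},
    {"pid": 900, "type": "filecreate", "path": r"C:\Tools\nss3.dll"},  # stray copy, no netconn
]
```

Running `detect_azorult_pattern(SAMPLE_EVENTS)` flags only pid 4242; the installer is excluded by path and pid 900 by the DLL count and the missing connection.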

In addition, CB Defense displays the full set of TTPs the malware triggered.

![az4.png](upload://2UFhb2p8CX0BQ3yVqQXM5Fe99ru.png "az4.png")![az5.png](upload://ne0J6AuiGfoNwcixVYla8CikrkW.png "az5.png")

If you are a Carbon Black customer looking to learn how to defend against this attack, click here. 

Remediation:

MITRE ATT&CK TIDs

| TID | Tactic | Description |
| --- | --- | --- |
| T1005 | Collection | Data from Local System |
| T1082 | Discovery | System Information Discovery |
| T1083 | Discovery | File and Directory Discovery |
| T1113 | Collection | Screen Capture |
| T1107 | Defense Evasion | File Deletion |
| T1043 | Command and Control | Commonly Used Ports |
| T1132 | Command and Control | Data Encoding |
| T1002 | Exfiltration | Data Compressed |

Indicators of Compromise (IOCs)

| Indicator | Type | Context |
| --- | --- | --- |
| e2abc062bf67676adaaaea235c9b8f1619358447ed6c333b40affb7606571e09 | SHA256 | AZORult |
| a5dbc83ea73adcb51677017f3718f587 | MD5 | AZORult |
| 97c016bab36a85ca830376ec48c7e70ee25edbb55f626aee6219ade7468cee19 | SHA256 | AZORult (zip file) |
| f291c822ee0c5655b2900f1c8881e415 | MD5 | AZORult (zip file) |
| 194[.]67[.]78[.]6 | IP address | Command & Control Server (C&C) |
| twooo[.]cn | Domain | Command & Control Server (C&C) |

The post CB TAU Threat Intelligence Notification: Common to Russian Underground Forums, AZORult Aims to Connect to C&C Server, Steal Sensitive Data appeared first on Carbon Black.

Article Link: https://www.carbonblack.com/2019/09/24/cb-tau-threat-intelligence-notification-common-to-russian-underground-forums-azorult-aims-to-connect-to-cc-server-steal-sensitive-data/