Threat Report: What is Azorult Malware and How Does it Work?

The Azorult Trojan is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016, and it was used in a spearphishing campaign against targets in North America in July 2018. Azorult affects the Windows operating system and can encrypt C2 traffic using XOR. Azorult can also download and execute additional files; it has, for example, downloaded a ransomware payload called Hermes.

Azorult Malware Capabilities:

Azorult may take screenshots, collect system information, and transfer files in order to gather data and shape follow-on behavior. Additionally, Azorult may attempt to identify the primary user and search for insecurely stored credentials. Azorult may also enumerate files and directories to discover more information about the system. Finally, Azorult may attempt to get information about running processes on a system in order to understand which software and applications are commonly run on systems within the network.

  • Azorult may use various methods to gather information about a target system, including taking screenshots and collecting system information. Azorult may also transfer tools or other files from an external system into a compromised environment.
  • Azorult may collect information about users and usernames on a system in order to determine which users are actively using the system and which users may be the primary users. This information may be used to determine whether or not to fully infect a target system and/or to attempt specific actions. Azorult may also search for files containing insecurely stored credentials, which may be used to gain access to systems and services. Finally, Azorult may enumerate files and directories on a system in order to find information that may be used to shape follow-on actions.
  • Azorult may attempt to get information about running processes on a system in order to understand what software is commonly used on systems within the network. Additionally, Azorult may delete files that could indicate its presence on a system, and may also look for details about the network configuration and settings.
  • Azorult may use process hollowing to inject malicious code into suspended and hollowed processes in order to evade process-based defenses. It may also interact with the Windows Registry to gather information about the system, configuration, and installed software. Finally, it may create a new process with a different token to escalate privileges and bypass access controls.

Ways to Mitigate Azorult Malware Capabilities

  • Azorult malware attacks can be mitigated in several ways, including monitoring for symmetric encryption of C2 traffic (Azorult uses XOR), process and command-line monitoring, and collecting scripts for analysis. Detecting the deobfuscation or decoding of files or information may be difficult depending on the implementation, but potentially malicious behavior related to this process can still be detected.
  • Azorult malware attacks can be mitigated by monitoring for screen capture behavior and unusual processes with external network connections creating files on-system.
  • The Azorult malware attack can be mitigated by monitoring for system and network discovery techniques. Additionally, it may be possible to detect the use of credentials obtained by the adversary. Finally, data and events should be viewed as part of a chain of behavior that could lead to other activities.
  • Azorult malware attacks can be mitigated by monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network, and by viewing data and events as part of a chain of behavior that could lead to other activities.
  • Azorult malware attacks can be mitigated in several ways. One is to monitor Windows API calls that may indicate the presence of code injection. Another is to keep track of system and network discovery activities, as these may lead to further malicious activity. Finally, analysts can look for use of the "runas" command or similar artifacts in command-line activity, as this may indicate attempts at token manipulation.
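As an added example that is not part of the original report, the following Python pass applies four of the monitoring ideas above (the process hollowing API sequence, a process that connects out and then writes files, "runas" in a command line, and a secure-deletion tool that is not part of the baseline) to a constructed stream of Windows telemetry records. Event field names, PIDs, paths and the tool list are assumptions made for the example.

```python
from collections import defaultdict

# Constructed telemetry, loosely modelled on Sysmon-style process/network/file events plus
# "api" records standing in for API-call monitoring. Fields, PIDs and paths are assumptions.
EVENTS = [
    {"ts": 1, "type": "proc_create", "pid": 410, "ppid": 400, "image": "invoice.exe", "cmd": "invoice.exe"},
    {"ts": 2, "type": "api", "pid": 410, "target": 420, "call": "CreateProcessW", "args": "svchost.exe CREATE_SUSPENDED"},
    {"ts": 3, "type": "api", "pid": 410, "target": 420, "call": "NtUnmapViewOfSection"},
    {"ts": 4, "type": "api", "pid": 410, "target": 420, "call": "WriteProcessMemory"},
    {"ts": 5, "type": "api", "pid": 410, "target": 420, "call": "SetThreadContext"},
    {"ts": 6, "type": "api", "pid": 410, "target": 420, "call": "ResumeThread"},
    {"ts": 7, "type": "net_connect", "pid": 420, "dst": "203.0.113.7:80"},
    {"ts": 8, "type": "file_create", "pid": 420, "path": r"C:\Temp\drop.exe"},
    {"ts": 9, "type": "proc_create", "pid": 430, "ppid": 420, "image": "cmd.exe", "cmd": 'runas /user:Administrator "drop.exe"'},
    {"ts": 10, "type": "proc_create", "pid": 440, "ppid": 420, "image": "sdelete64.exe", "cmd": "sdelete64.exe -p 3 drop.exe"},
    {"ts": 11, "type": "file_create", "pid": 450, "path": r"C:\Users\u\notes.txt"},  # benign: no prior connection
]

# Ordered API sequence characteristic of process hollowing, as seen by API-call monitoring.
HOLLOWING_SEQUENCE = ["CreateProcessW", "NtUnmapViewOfSection", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
# Secure-deletion tools assumed NOT to be part of this environment's software baseline.
SECURE_DELETE_TOOLS = {"sdelete.exe", "sdelete64.exe"}

def contains_in_order(calls, pattern):
    # True if every name in pattern occurs in calls, in that order (gaps allowed).
    it = iter(calls)
    return all(any(c == p for c in it) for p in pattern)

def detect(events):
    """Return (rule, pid, detail) tuples, in time order, for the behaviours the report lists."""
    alerts, api_calls, hollowed, connected = [], defaultdict(list), set(), set()
    for e in sorted(events, key=lambda x: x["ts"]):
        kind = e["type"]
        if kind == "api":
            # Only a suspended CreateProcess can start a hollowing chain; ignore ordinary creation.
            if e["call"] == "CreateProcessW" and "CREATE_SUSPENDED" not in e.get("args", ""):
                continue
            key = (e["pid"], e["target"])
            api_calls[key].append(e["call"])
            if key not in hollowed and contains_in_order(api_calls[key], HOLLOWING_SEQUENCE):
                hollowed.add(key)
                alerts.append(("process_hollowing", e["pid"], "hollowed pid %d" % e["target"]))
        elif kind == "net_connect":
            connected.add(e["pid"])
        elif kind == "file_create" and e["pid"] in connected:
            alerts.append(("net_then_file_create", e["pid"], e["path"]))
        elif kind == "proc_create":
            if "runas" in e["cmd"].lower().split():
                alerts.append(("runas_token_use", e["pid"], e["cmd"]))
            if e["image"].lower() in SECURE_DELETE_TOOLS:
                alerts.append(("secure_delete_tool", e["pid"], e["image"]))
    return alerts
```

Running `detect(EVENTS)` yields one alert per rule for the constructed stream and none for the benign file write, so each rule can be tuned separately against your own baseline.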

Reactionary Times News Desk
