{"id":929,"date":"2024-11-07T06:45:51","date_gmt":"2024-11-07T06:45:51","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=929"},"modified":"2025-07-29T07:06:12","modified_gmt":"2025-07-29T07:06:12","slug":"analysis-of-azorult-campaign","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-azorult-campaign\/","title":{"rendered":"Analysis Of Azorult Campaign"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"768\" height=\"432\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/Azorult-VS-LMNTRIX-768x432-1.jpg\" alt=\"\" class=\"wp-image-976\"\/><\/figure>\n\n\n\n<p>AZORULT malware was initially detected in 2016. Its primary function is to steal sensitive information from infected systems, including browsing history, login credentials &amp; cryptocurrency data, for possible identity theft and cyber criminal activity. Additionally, it is capable of downloading other types of malware onto compromised systems. AZORULT was marketed on Russian underground forums as a tool for collecting sensitive information from infected computers.<\/p>\n\n\n\n<p>Early Azorult versions, such as versions 2 and 3, were coded in Delphi 4, but later versions and clones have moved to VB \/ VB.NET.<\/p>\n\n\n\n<p><strong>Azorult Delivery Mechanism<\/strong><\/p>\n\n\n\n<p>Azorult is commonly delivered through the following methods:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exploit Kits (esp. 
the Fallout Exploit Kit)<\/li>\n\n\n\n<li>Affiliate malware that acts as a dropper, such as Ramnit &amp; Emotet<\/li>\n\n\n\n<li>Phishing &amp; malicious spam emails<\/li>\n\n\n\n<li>Infected websites, malvertisements &amp; fake installers<\/li>\n<\/ul>\n\n\n\n<p>In some cases, a variant of this malware has been known to create a new, hidden administrator account on a machine and establish a Remote Desktop Protocol (RDP) connection by setting a registry key.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"788\" height=\"625\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azorult-ctrl-panel.webp\" alt=\"\" class=\"wp-image-949\"\/><\/figure>\n\n\n\n<p><strong>Infection Chain<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"975\" height=\"302\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azorult-infection-chain.webp\" alt=\"\" class=\"wp-image-950\"\/><\/figure>\n\n\n\n<p><strong>Target<\/strong> &#8211; MS Windows Platform<\/p>\n\n\n\n<p><strong>Programming Language<\/strong> &#8211; Delphi \/ VB \/ VB.NET<\/p>\n\n\n\n<p><strong>Static Analysis of AZORULT malware sample<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"266\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/00_sample-info-md5.webp\" alt=\"\" class=\"wp-image-952\"\/><\/figure>\n\n\n\n<p><strong>AZORULT Info Stealer &#8211; Functionality<\/strong><\/p>\n\n\n\n<p>Passwords can be stolen, with potential identity theft as a result, from the applications on the target list: Chrome, Mozilla Firefox, Opera, Yandex Browser, Comodo Dragon, Internet Explorer, Microsoft Edge, Outlook, Thunderbird, Amigo, Pidgin and PSI.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Theft of banking \/ credit card information from Chrome, Firefox, Edge &amp; similar browsers.<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Theft of cookie files and autocomplete form data from browsers including Chrome, Mozilla Firefox, Opera, Yandex Browser, Comodo Dragon, and Amigo.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"619\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image1.webp\" alt=\"\" class=\"wp-image-953\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"592\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image2.webp\" alt=\"\" class=\"wp-image-954\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"544\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image3.webp\" alt=\"\" class=\"wp-image-955\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"871\" height=\"427\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image4.webp\" alt=\"\" class=\"wp-image-956\"\/><\/figure>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"588\" height=\"752\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image5.webp\" alt=\"\" class=\"wp-image-957\"\/><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Capturing information about the victim&#8217;s system (IP address, computer name, username, process and application lists, etc.).<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"410\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image6.webp\" alt=\"\" class=\"wp-image-958\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image 
size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"340\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image7.webp\" alt=\"\" class=\"wp-image-959\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If these weren&#8217;t enough, the threat actor can also use AZORULT to obtain files from Skype, local Telegram files (app data), screenshots, and files on the victim&#8217;s desktop.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"495\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image8.webp\" alt=\"\" class=\"wp-image-961\"\/><\/figure>\n\n\n\n<p><strong>Strings from the Azorult malware sample<\/strong><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"609\" height=\"595\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image9.webp\" alt=\"\" class=\"wp-image-962\"\/><\/figure>\n<\/div>\n\n\n<p><strong>Process Melting<\/strong><\/p>\n\n\n\n<p>Azorult command found in over 30 samples analyzed by LMNTRIX CDC:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"878\" height=\"187\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image10.webp\" alt=\"\" class=\"wp-image-963\"\/><figcaption class=\"wp-element-caption\">\u201c\/c %WINDIR%\\system32\\timeout.exe 3 &amp; del<\/figcaption><\/figure>\n<\/div>\n\n\n<p>Azorult appears to be \u201cmelting\u201d: the original sample file is deleted once it has executed. 
The Azorult builder allows the threat actor to specify, if required, that the sample build should \u201cmelt\u201d; this command could serve as a potential option to add to a YARA rule, along with other publicly available IOCs.<\/p>\n\n\n\n<p><strong>Technical Analysis of XLSM Azorult<\/strong><\/p>\n\n\n\n<p><strong>Sample Information<\/strong><\/p>\n\n\n\n<p><strong>Infection Vector<\/strong> &#8211; Malspam campaign and\/or phishing emails.<\/p>\n\n\n\n<p>Threat Name: Azorult | Category: Downloader | Classification: Backdoor.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"217\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image11.webp\" alt=\"\" class=\"wp-image-964\"\/><\/figure>\n\n\n\n<p>An XLSM file is a macro-enabled spreadsheet for Microsoft Excel, the widely used spreadsheet program included in the Microsoft Office package. It contains worksheets of cells arranged in rows and columns and, most importantly, embedded macros written in Visual Basic for Applications (VBA).<\/p>\n\n\n\n<p>In general, VBA macros can perform a variety of tasks, interact with other applications, automate web interactions, and perform more advanced functions. By using macros, we can save significant amounts of time and improve productivity by automating repetitive tasks, reducing errors, and allowing users to focus on more important tasks. This feature can be abused by malware authors, affording them the ability to embed their malicious code inside the macro functions. 
<\/p>\n\n\n\n<p>Let\u2019s begin with the sample analysis.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"694\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image12.webp\" alt=\"\" class=\"wp-image-965\"\/><\/figure>\n\n\n\n<p><strong>Recent Azorult template<\/strong><\/p>\n\n\n\n<p>As usual, this campaign infects its victim through the initial vector of a phishing email, which carries an MS Excel macro-enabled spreadsheet (.XLSM) as an attachment. Once the victim opens the XLSM spreadsheet, it urges the user to enable macro content; the VBA macros then trigger a PowerShell command, which executes in the background. It then connects to the malicious IOC to communicate with the C &amp; C servers and download the payload file to start infecting&#8230;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"414\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image13.webp\" alt=\"\" class=\"wp-image-966\"\/><\/figure>\n\n\n\n<p><strong>Password Protected &#8211; VBA Code<\/strong><\/p>\n\n\n\n<p>Unfortunately, the VBA project is password protected, so we have to crack the password to open it. Once that is done, we can view the macro code, or simply extract the file with 7-Zip, which exposes vbaproject.bin and the other folders. 
By using this information, we can perform further analysis on the sample.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"452\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image14.webp\" alt=\"\" class=\"wp-image-967\"\/><\/figure>\n\n\n\n<p><strong>Embedded folders<\/strong><\/p>\n\n\n\n<p><strong>File Structure of XLSM Azorult<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"387\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image15.webp\" alt=\"\" class=\"wp-image-968\"\/><\/figure>\n\n\n\n<p><strong>OLE Embedded functions with keyword<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"481\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image16.webp\" alt=\"\" class=\"wp-image-969\"\/><\/figure>\n\n\n\n<p>The macros execute through these API calls.<\/p>\n\n\n\n<p>URLDownloadToFileA in particular: once the user opens the Excel spreadsheet, this Windows API function quickly downloads a file from the Internet and saves it to a local file. 
Luckily, we can capture that file using a network capture tool.<\/p>\n\n\n\n<p><strong>Macro-Content with Process Tree<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"217\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image17.webp\" alt=\"\" class=\"wp-image-970\"\/><\/figure>\n\n\n\n<p>Here we can easily capture the PowerShell command after executing the .xlsm file.<\/p>\n\n\n\n<p><strong>Command &amp; Control Server &#8211; HTTP Request<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"546\" height=\"276\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image18.webp\" alt=\"\" class=\"wp-image-972\" style=\"width:733px;height:auto\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"670\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image19.webp\" alt=\"\" class=\"wp-image-973\"\/><\/figure>\n\n\n\n<p><strong>Indicators of Compromise for AZORULT malware<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"525\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/06\/azolab_art_image20.webp\" alt=\"\" class=\"wp-image-975\"\/><\/figure>\n\n\n\n<p><strong>Behaviors of Azorult Malware<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AZORULT malware was designed to collect system information, such as installed programs, the system&#8217;s native architecture, the keyboard language (US\/UK\/DE\/FR\/CN, etc.), the user&#8217;s name &amp; privilege level, the local hostname, and the Windows operating system (OS) version.<\/li>\n\n\n\n<li>From File Transfer Protocol (FTP) clients and file manager software, AZORULT can steal saved user 
account information.<\/li>\n\n\n\n<li>It has a keylogger integrated into its code base, which enables the malware to record keystrokes and steal sensitive information like usernames, cookies and passwords.<\/li>\n\n\n\n<li>On any given infected system, AZORULT can download and install further malware. This gives the threat actors an opportunity to launch further attacks and take more control of the compromised machine.<\/li>\n\n\n\n<li>It spreads to additional systems on the same network, giving it the ability to infect many devices and steal information from a larger variety of targets.<\/li>\n\n\n\n<li>Last but not least, AZORULT can execute backdoor commands sent by a remote, malicious threat actor in order to download and\/or destroy files, collect host Internet Protocol (IP) information, or both.<\/li>\n<\/ul>\n\n\n\n<p><strong>MITRE ATT&amp;CK Tactics &amp; Techniques for Azorult<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>ID<\/td><td>Tactics<\/td><td>Techniques<\/td><\/tr><tr><td>TA0001<\/td><td>Initial Access<\/td><td>Spearphishing Attachment<\/td><\/tr><tr><td>TA0002<\/td><td>Execution<\/td><td>VBA Scripting; Windows Management Execution<\/td><\/tr><tr><td>TA0003<\/td><td>Persistence<\/td><td>Registry Run Keys \/ Startup Folder; Hooking<\/td><\/tr><tr><td>TA0004<\/td><td>Privilege Escalation<\/td><td>Scheduled Task; Hooking; Process Injection<\/td><\/tr><tr><td>TA0005<\/td><td>Defense Evasion<\/td><td>NTFS File Attributes; Process Injection; Modify Registry; Virtualization Evasion Technique<\/td><\/tr><tr><td>TA0006<\/td><td>Credential Access<\/td><td>Hooking; Input Capture; Credentials in Registry; Credentials in Files; Credential Dumping<\/td><\/tr><tr><td>TA0007<\/td><td>Discovery<\/td><td>System Network Configuration Discovery; Process Discovery; File and Directory Discovery; Query Registry; Browser Bookmark Discovery<\/td><\/tr><tr><td>TA0008<\/td><td>Lateral Movement<\/td><td>Remote File Copy<\/td><\/tr><tr><td>TA0009<\/td><td>Collection<\/td><td>Automated Collection; Input Capture; Data 
from Local System<\/td><\/tr><tr><td>TA0011<\/td><td>C&amp;C Server<\/td><td>Web Protocols Standard application layer protocol Standard Cryptographic protocol etc.,<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>AZORULT malware was initially detected in 2016, and its primary function is to steal sensitive information from infected systems, including browsing history, login credentials &amp; cryptocurrency data for possible identity theft and cyber criminal activity. Additionally, it is capable of downloading other types of malware onto compromised systems. AZORULT was marketed on Russian underground forums [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":976,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-929","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/929","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=929"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/929\/revisions"}],"predecessor-version":[{"id":4365,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/929\/revisions\/4365"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/976"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=929"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/
wp\/v2\/categories?post=929"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=929"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}