S0344 Azorult
Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. [2][1]
Item | Value |
---|---|
ID | S0344 |
Associated Names | |
Type | MALWARE |
Version | 1.3 |
Created | 30 January 2019 |
Last Modified | 13 October 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1134 | Access Token Manipulation | - |
enterprise | T1134.002 | Create Process with Token | Azorult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges. [2] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | Azorult can steal credentials from the victim's browser. [2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address. [2][1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Azorult can encrypt C2 traffic using XOR. [2][1] |
enterprise | T1083 | File and Directory Discovery | Azorult can recursively search for files in folders and collect files with certain extensions from the desktop. [2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Azorult can delete files from victim machines. [2] |
enterprise | T1105 | Ingress Tool Transfer | Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes. [2][1] |
enterprise | T1057 | Process Discovery | Azorult can collect a list of running processes by calling CreateToolhelp32Snapshot. [2][1] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.012 | Process Hollowing | Azorult can decrypt the payload into memory, create a new suspended process of itself, inject the decrypted payload into the new process, and then resume execution of the new process. [2] |
enterprise | T1012 | Query Registry | Azorult can check for installed software on the system under the Registry key `Software\Microsoft\Windows\CurrentVersion\Uninstall`. [2] |
enterprise | T1113 | Screen Capture | Azorult can capture screenshots of the victim's machines. [2] |
enterprise | T1082 | System Information Discovery | Azorult can collect machine information: the system architecture, the OS version, the computer name, the Windows product name, the number of CPU cores, video card information, and the system language. [2][1] |
enterprise | T1016 | System Network Configuration Discovery | Azorult can collect host IP information from the victim's machine. [2] |
enterprise | T1033 | System Owner/User Discovery | Azorult can collect the username from the victim's machine. [2] |
enterprise | T1124 | System Time Discovery | Azorult can collect the time zone information from the system. [2][1] |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.001 | Credentials In Files | Azorult can steal credentials from files belonging to common software such as Skype, Telegram, and Steam. [2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0092 | TA505 | [3] |
References
1. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
2. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
3. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.