AZORult Infostealer

Share On Facebook
Share On Twitter
Share On Linkedin

Author: Christopher Kim

TLP:WHITE

From 3 to 4 November, Infoblox observed fashion and beauty-themed malicious spam (malspam) campaigns that delivered AZORult information stealer (infostealer) via Microsoft Excel spreadsheets (XLS) with malicious macros. These spreadsheets used living off the land (LotL) techniques that abused preexisting software on the victim’s machine in order to perform malicious tasks.

The cybersecurity community first discovered AZORult infostealer in 2016.1 The malware is often bought and sold in Russian dark web forums due to its data-stealing capabilities, which include the following:

  • System information (e.g. system language, operating system version, user name and computer name)
  • Bitcoin wallets
  • Chat software message history
  • Email and banking credentials
  • Account information from file management software (e.g. FTP clients)
  • Browser passwords, cookies and history

AZORult can also serve as a trojan downloader for other malware payloads.2 Some versions of AZORult can even establish Remote Desktop Protocol (RDP) connections that allow the attacker to take complete control of the infected system.3

Earlier this year, malware campaigns used Coronavirus-themed lures to distribute this infostealer.4

The campaigns we observed used fashion and beauty-themed lures with subject lines referencing design patterns. These campaigns also used spoofed email addresses to impersonate legitimate manufacturing businesses based in Portugal and Spain, including health and beauty supplier Mundinter as well as fashion manufacturer Dario Beltran. The email template used for the spoofed Mundinter emails was notably similar to a template used by a recent Agent Tesla campaign.5 This type of similarity often occurs when different threat actors hire the same botnet to distribute malspam for both of their campaigns.

The emails contained brief and generic messages that encouraged recipients to open the malicious attachment (FEBEL_List.xls or Patterns.xls) and reply back for pricing information.

Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.

Endnotes

  1. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–29
  2. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–17
  3. https://success.trendmicro.com/solution/000146108-azorult-malware-information-kAJ4P000000kEK2WAM
  4. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–63
  5. https://www.pcrisk.com/removal-guides/18635-mundinter-email-virus

Labels:

Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a backstage pass to the internet's inner workings. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get the benefits of it, along with ridiculously low false positive rates.

View All Posts

You might also be interested in

You might also be interested in

×