Azorult
AZORult is an information-stealing Trojan (a Trojan-PSW, or password stealer) active in the wild since at least 2016 and sold on underground forums for about $100. It is described as a multifunctional stealer and one of the most widespread Trojan-PSW families; one report found it on more than 25% of the users who encountered password-stealing malware. It harvests credentials and other sensitive data from compromised Windows hosts and exfiltrates them to its command-and-control server.

Reported capabilities: saved passwords, cookies, web form/autofill data, payment card data and browsing history from more than 30 browsers; credentials and files from Skype, Telegram, Steam, Outlook, Thunderbird, FileZilla, Pidgin and other mail, FTP and instant-messaging clients; cryptocurrency wallet data, including wallet.dat and files from more than 30 wallet programs; the victim's username and the list of installed software, read from the Registry key Software\Microsoft\Windows\CurrentVersion\Uninstall; and a broad 'image' of the host (computer name, OS, RAM, installed programs, running processes, desktop files, screenshots, and files matching masks for documents, images, archives and text files).
Observed delivery and operational context include distribution via malicious email attachments, botnets and malicious websites, and delivery as a second-stage payload downloaded by Chthonic in a PayPal-themed campaign. SocGholish/FakeUpdates has also been used to deploy AZORult. Reporting associates AZORult with several threat ecosystems and actors, including TA505, SilverTerrier and the Nigerian BEC group TMT, which used publicly available stealers such as AZORult to compromise mailboxes and steal credentials. AZORult infrastructure also surfaced in leaked logs from the BraZZZerS fast-flux/proxy service, which exposed hidden AZORult admin panel paths. One report states that the AZORult project manager abandoned the project at the end of 2018 and left a builder with the BraZZZerS administrators.
High-confidence indicators and artifacts include a Chthonic-delivered AZORult payload with SHA-256 10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a and C2 URL 91.215.154[.]202/AZORult/gate.php. A Trend Micro detection for Trojan.Win32.AZORUIT.A describes related host artifacts: %ProgramData%\localNETService\localNETService.exe, temporary .dat files, persistence via a Windows service named localNETService, scheduled tasks named GoogleUpdateTaskMachineUA and GoogleUpdateTaskMachineCore, modification of %Program Files%\Google\Update\GoogleUpdate.exe, and registry keys under HKLM\SOFTWARE\localNETService and HKLM\SYSTEM\ControlSet001\services\localNETService. Note that GoogleUpdateTaskMachineUA and GoogleUpdateTaskMachineCore are the names of the legitimate Google Update scheduled tasks, and GoogleUpdate.exe is the legitimate updater binary, so their presence alone is not an indicator: hunt for tasks of those names whose action is not the genuine updater, and for writes to GoogleUpdate.exe by processes other than Google's own. Microsoft Defender Antivirus detection Trojan:Win32/Azorult.RMA!MTB is also referenced.
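The host artifacts above are easy to turn into a triage check, provided the Google Update task names are handled as the caveat describes. The following is an added example written for this page, not code from Trend Micro or from any AZORult report. The event records in SAMPLE_EVENTS are constructed to mimic normalized Windows telemetry (service install, scheduled task creation, file write, registry value set); real logs need a proper parser in front of triage().

```python
"""Triage of the host artifacts listed for Trojan.Win32.AZORUIT.A.

Added example, not code from the page or from Trend Micro. SAMPLE_EVENTS is
constructed test data in a made-up normalized shape.
"""
import re
from dataclasses import dataclass

# Artifacts named in the Trend Micro description.
SUSPECT_SERVICE = "localnetservice"
SUSPECT_IMAGE = re.compile(r"\\programdata\\localnetservice\\localnetservice\.exe$", re.I)
SUSPECT_REG = re.compile(
    r"^HKLM\\(?:SOFTWARE|SYSTEM\\ControlSet\d+\\services)\\localNETService(?:\\|$)", re.I)

# These are the LEGITIMATE Google Update task names, so the name alone proves
# nothing. The indicator is a task of that name whose action is not the real
# updater, or a write to the real updater by something outside Google\Update.
GOOGLE_TASKS = {"GoogleUpdateTaskMachineUA", "GoogleUpdateTaskMachineCore"}
GOOGLE_UPDATER = re.compile(
    r"^[a-z]:\\program files(?: \(x86\))?\\google\\update\\googleupdate\.exe$", re.I)


@dataclass
class Finding:
    host: str
    reason: str
    evidence: str


def triage(events):
    """Return a Finding for every event that matches one of the artifacts."""
    findings = []
    for e in events:
        kind, host = e["kind"], e["host"]
        if kind == "service_installed":
            if e["name"].lower() == SUSPECT_SERVICE or SUSPECT_IMAGE.search(e["image"]):
                findings.append(Finding(host, "service matches AZORult artifact",
                                        f'{e["name"]} -> {e["image"]}'))
        elif kind == "task_created":
            if e["name"] in GOOGLE_TASKS and not GOOGLE_UPDATER.match(e["action"]):
                findings.append(Finding(host, "Google Update task name with non-Google action",
                                        f'{e["name"]} -> {e["action"]}'))
        elif kind == "file_written":
            if GOOGLE_UPDATER.match(e["path"]) and not re.search(r"\\google\\update\\", e["writer"], re.I):
                findings.append(Finding(host, "GoogleUpdate.exe modified by foreign process",
                                        f'{e["writer"]} wrote {e["path"]}'))
        elif kind == "registry_set":
            if SUSPECT_REG.match(e["key"]):
                findings.append(Finding(host, "localNETService registry key", e["key"]))
    return findings


# Constructed sample telemetry: two hosts, one clean service, one legitimate
# Google Update task, and four events that reproduce the reported artifacts.
SAMPLE_EVENTS = [
    {"kind": "service_installed", "host": "ws01", "name": "localNETService",
     "image": r"C:\ProgramData\localNETService\localNETService.exe"},
    {"kind": "service_installed", "host": "ws01", "name": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"kind": "task_created", "host": "ws01", "name": "GoogleUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},  # legitimate
    {"kind": "task_created", "host": "ws02", "name": "GoogleUpdateTaskMachineCore",
     "action": r"C:\ProgramData\localNETService\localNETService.exe"},
    {"kind": "file_written", "host": "ws02",
     "path": r"C:\Program Files\Google\Update\GoogleUpdate.exe",
     "writer": r"C:\ProgramData\localNETService\localNETService.exe"},
    {"kind": "registry_set", "host": "ws02",
     "key": r"HKLM\SYSTEM\ControlSet001\services\localNETService\ImagePath"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: {f.reason} [{f.evidence}]")
```

Run as written it reports four findings and stays silent on the Spooler service and on the genuine GoogleUpdateTaskMachineUA task, which is the point of matching on the task's action rather than its name.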
Vulnerabilities exploited
CVE correlations drawn from public research and vendor advisories.
The only correlation is indirect: a detection rule, "Windows Office Product Spawned Uncommon Process", lists Azorult alongside CVE-2023-21716 (Word RTF Heap Corruption) and CVE-2023-36884 (Office and Windows HTML RCE Vulnerability) in its analytic story list. Co-listing in a detection's story list is not evidence that AZORult itself exploits either CVE; treat it as a pointer to the delivery pattern the rule covers (an Office process spawning an uncommon child), not as an exploit attribution.
Groups observed using it
4 distinct threat actors attributed by public researchers.
TA505 has used malware such as Azorult and Cobalt Strike in their operations.
Unit 42 identified ten strains of info-stealers popular with SilverTerrier: AgentTesla, Atmos, AzoRult, ISpySoftware, ISR Stealer, KeyBase, LokiBot, Pony, PredatorPain, and Zeus.
The group relied exclusively on a variety of publicly available spyware and Remote Access Trojans (RATs), including AgentTesla, Lokibot, AzoRult, Pony, and NetWire.
In early 2017, CrydBrox offered an updated variant of the AZORult malware that included .bit support... The AZORult sample ... first checks if the C2 domain contains the string ".bit" and ... will query ... hard-coded OpenNIC IP addresses to try to resolve the domain.
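The .bit branch quoted above is a detection opportunity: .bit is the Namecoin TLD and is not delegated in the ICANN root, so a host that queries a .bit name, or that sends DNS to servers other than the organisation's own resolvers, is behaving like this variant. The block below is an added example, not code from the page or from the quoted analysis. The OpenNIC server addresses are not given on the page, so the ones used here are placeholders from the documentation ranges (198.51.100.0/24, 203.0.113.0/24); APPROVED_RESOLVERS and SYSTEM_RESOLVERS are assumed values, and the DNS log lines are constructed.

```python
"""The .bit/OpenNIC resolution branch described above, and how to spot it.

Added example, not from the page or the quoted analysis. Resolver addresses
and log lines are placeholders/constructed test data.
"""
import re

OPENNIC_PLACEHOLDERS = ["198.51.100.7", "203.0.113.9"]   # NOT real OpenNIC servers
SYSTEM_RESOLVERS = ["10.0.0.53"]                          # assumption
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}           # assumption: the org's resolvers
ALT_ROOT_TLDS = {"bit"}   # Namecoin's .bit is not delegated in the ICANN root


def pick_resolvers(c2_domain):
    """Client-side branch as the analysis describes it: a substring test for
    '.bit' selects the hard-coded OpenNIC servers instead of the system resolver.
    A substring test also fires on names such as foo.bitbucket.org."""
    return OPENNIC_PLACEHOLDERS if ".bit" in c2_domain.lower() else SYSTEM_RESOLVERS


LINE = re.compile(r"src=(\S+) resolver=(\S+) qname=(\S+)")


def classify(line):
    """Return the reasons a DNS log line deserves attention (empty list if none)."""
    m = LINE.search(line)
    if not m:
        return []
    _src, resolver, qname = m.groups()
    reasons = []
    tld = qname.rstrip(".").lower().rsplit(".", 1)[-1]
    if tld in ALT_ROOT_TLDS:   # exact TLD test, unlike the malware's substring test
        reasons.append(f"alt-root TLD .{tld}")
    if resolver not in APPROVED_RESOLVERS:
        reasons.append(f"query sent to unapproved resolver {resolver}")
    return reasons


# Constructed sample: one clean line, a .bit query to an outside resolver, a
# .bit query to the corporate resolver (it cannot succeed, but the attempt is
# the signal), a normal name sent to an outside resolver, and a benign name
# that would trip a naive '.bit' substring test.
SAMPLE_DNS_LOG = """\
src=10.0.2.15 resolver=10.0.0.53 qname=update.example.com. qtype=A
src=10.0.2.15 resolver=198.51.100.7 qname=panel-example.bit. qtype=A
src=10.0.2.16 resolver=10.0.1.53 qname=panel-example.bit. qtype=A
src=10.0.2.17 resolver=203.0.113.9 qname=www.example.org. qtype=A
src=10.0.2.18 resolver=10.0.0.53 qname=foo.bitbucket.org. qtype=A
"""


def hunt(log_text):
    """(source host, reasons) for every line worth looking at."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.append((LINE.search(line).group(1), reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in hunt(SAMPLE_DNS_LOG):
        print(src, "->", "; ".join(reasons))
```

Blocking outbound UDP/TCP 53 to anything but the approved resolvers turns the second and fourth lines into failed connections, which is a cheap way to break this variant's C2 resolution as well as to log it.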
Techniques & procedures
31 distinct techniques documented for this family, organized by tactic. The tactic labels below are the page's own; "Stealth" and "Defense Impairment" are not ATT&CK tactic names.
Resource Development (1 technique)
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
Initial Access (2 techniques)
Execution (3 techniques)
By relying on basic social engineering (an attack technique that takes advantage of human traits such as curiosity, trust and greed in order to obtain confidential information or to have the victim perform a certain action), suffice it to say that certain threat actors (both criminal and nation state) are exploiting these unprecedented times for various nefarious means.
Persistence (1 technique)
Stealth (3 techniques)
To keep them under the antivirus radar, Nigerian actors use "crypters", software tools designed to encrypt, obfuscate, and modify malware.
Defense Impairment (1 technique)
Credential Access (3 techniques)
Collect data from browsers: passwords, autofill data, payment cards, cookies.
Discovery (7 techniques)
Public reporting repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values; the quoted examples come from other families and actors, e.g. "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface." AZORult's documented instance is the installed-software check against the Uninstall key noted above.
Public reporting repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details. For AZORult the documented collection is the victim's IP address.
Public reporting repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts. For AZORult the documented collection is the username of the victim machine.
Full system information (list of installed programs, running processes, user/computer name, system version)
Forward system data: operating system version, user name, IP address.
Public reporting repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems; the quoted examples come from other actors and tools, e.g. "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands." For AZORult the corresponding behaviour is the collection of desktop files and of files matching masks for documents, images, archives and text files.
Examples of system language checks from other families include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUserDefaultUILanguage function." No AZORult-specific language check is described here.
Collection (4 techniques)
Copy files: all files from a specific directory (such as Desktop); files with a specific extension (TXT, DOCX); files for specific apps (cryptocurrency wallets, messenger session files).
Command and Control (6 techniques)
This executable is Chthonic, a variant of the Zeus banking Trojan. The command and control (C&C) for this instance is kingstonevikte[.]com.
In the log we can see that a client 96.57.xx.xxx sent a web request "GET tuneappservice.org/l3k42hj56h634gkj2lk14356jk4gh23k5jl6h4/gate.php?ped=RTY3M0E4NjhDQ0I5JE1DLTEwNw". We can see here what looks like a malware callback; it's in fact Riltok.
The service is described as a Fast flux but in reality it’s more a simple proxy system. BraZZZers rents a pool of VPSs all around the internet and uses them as proxy IPs in order to hide the real IP of a server.
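Both C2 URLs quoted on this page, the AZORult gate 91.215.154[.]202/AZORult/gate.php and the Riltok callback from the BraZZZerS proxy log, share the gate.php panel convention, and the Riltok line carries a base64 query value. The block below is an added example of hunting that pattern in proxy logs, written for this page and not taken from any of the write-ups it cites. The proxy log lines are constructed (the two URLs are the page's, the timestamps, client addresses and log layout are made up), and the IOC list contains only the defanged gate URL given above.

```python
"""Hunting gate.php panel callbacks in proxy logs.

Added example, not from the page or from the cited write-ups. SAMPLE_PROXY_LOG
is constructed test data in a made-up "<ts> <src> <method> <url> <status>" layout.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Defanged, as published; refang before matching telemetry.
DEFANGED_C2 = ["91.215.154[.]202/AZORult/gate.php"]


def refang(ioc):
    return ioc.replace("[.]", ".").replace("hxxp", "http")


KNOWN_C2 = {refang(u) for u in DEFANGED_C2}
GATE = re.compile(r"/gate\.php$", re.I)
B64ISH = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def b64_decode_loose(value):
    """Decode standard or URL-safe base64 with or without padding.
    Returns the ASCII text, or None if the value is not base64 / not printable."""
    s = value.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def inspect_request(src, method, url):
    """Reasons a single request is interesting, plus any decoded query values."""
    parts = urlsplit(url)
    reasons, decoded = [], {}
    endpoint = f"{parts.netloc}{parts.path}"
    if endpoint in KNOWN_C2:
        reasons.append(f"known C2 {endpoint}")
    if GATE.search(parts.path):
        reasons.append("gate.php panel endpoint")
        # Panels often take a host identifier in a base64 query value; decoding
        # it tells the analyst which machine is calling home.
        for key, values in parse_qs(parts.query).items():
            for v in values:
                if B64ISH.match(v):
                    text = b64_decode_loose(v)
                    if text is not None:
                        decoded[key] = text
                        reasons.append(f"base64 parameter {key} decodes to {text!r}")
    return {"src": src, "method": method, "url": url, "reasons": reasons, "decoded": decoded}


SAMPLE_PROXY_LOG = """\
1554110400.123 10.0.2.15 POST http://91.215.154.202/AZORult/gate.php 200
1554110401.456 10.0.2.16 GET http://tuneappservice.org/l3k42hj56h634gkj2lk14356jk4gh23k5jl6h4/gate.php?ped=RTY3M0E4NjhDQ0I5JE1DLTEwNw 200
1554110402.789 10.0.2.17 GET http://www.example.com/index.php?page=home 200
"""


def hunt(log_text):
    hits = []
    for line in log_text.splitlines():
        _ts, src, method, url, _status = line.split()
        result = inspect_request(src, method, url)
        if result["reasons"]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_PROXY_LOG):
        print(h["src"], h["method"], h["url"])
        for r in h["reasons"]:
            print("   ", r)
```

Against the sample log the first line matches the published gate URL outright, the second is caught by the gate.php convention alone, and its ped value decodes to a string that looks like a volume serial joined to the hostname, the kind of per-victim identifier a panel uses to key its records. A bare "/gate.php" match is too noisy on its own for alerting; pair it with a base64-looking parameter, an IP-literal host, or a long random path segment before paging anyone.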
If the user installs such an "update", malware is downloaded onto the victim's device.
IOCs tracked for this family
725 indicators attributed across vendor reports, sandbox runs, and researcher write-ups (IPs, domains and DNS infrastructure; MD5, SHA-1 and SHA-256 file hashes; other indicator types from public reporting).
Recent activity
115 sources tracked across advisories, community write-ups, and news.
Information-stealing malware previously distributed via SocGholish.
Named malware family deployed via SocGholish.
Associated Analytic Story Azorult
Credential and information stealer referenced in the analytic story list.