AZORult Malware

What Is AZORult Malware?

AZORult malware (also known as PuffStealer and Ruzalto) is an information and cryptocurrency stealer first detected in 2016. Although AZORult is less sophisticated than other stealer and trojan strains, it has both first- and second-stage capabilities: it can gain initial access on its own and carry out post-exploitation activity such as delivering ransomware through remote access. Originally written in the Delphi programming language, it was ported to C++ in 2019. It is considered easy to use, which allows novice threat actors to configure and deploy attacks with it.

Some of AZORult's features target consumers such as gamers and cryptocurrency owners: it steals credentials for popular gaming applications and scans compromised systems for cryptocurrency wallet credentials. Its distribution through trojanized commercial software and malvertising indicates that AZORult is designed to target individuals rather than organizations. AZORult campaigns in 2020 used COVID-19 pandemic updates as lures to infect victims.

AZORult is sold primarily on Russian-language underground hacking forums; most AZORult attacks are linked to Russian IP addresses, and data stolen with AZORult is typically sold on Russian dark web marketplaces.

Because it has both first- and second-stage capabilities, AZORult can gain initial access itself or execute commands sent remotely to a victim's computer. Although AZORult has been observed using methods such as brute forcing Remote Desktop Protocol (RDP) logins, its most common initial access tactics are:

  • Phishing and malspam campaigns that direct users to malicious websites or persuade them to open Microsoft Office attachments carrying malicious VBA macros
  • Pirated applications or media offered for download that contain trojanized installers
  • Compromised legitimate websites that serve visitors malicious content or redirect them to other attacker-controlled sites
  • Malvertisements on legitimate websites that direct users to malicious sites or entice them to download and install trojanized applications
  • Fake installers for popular software applications distributed through torrent sites or dark web forums

After AZORult has gained initial access and executed its primary payload, it hunts for and steals sensitive user data. It then connects to a command and control (C2) server and uploads the stolen data in a standard HTTP POST request. The stolen data is compressed and encrypted using a slightly modified PKzip format so that it cannot easily be inspected by data loss prevention (DLP) tools as it leaves the network. Because the upload rides on an ordinary POST, the destination, method and volume of the request are more useful network-side indicators than its content.

AZORult targets and steals system data and credentials, including:

  • Financial data, including payment card numbers
  • Cryptocurrency authentication credentials, including private wallet keys
  • Browser autofill data, saved passwords and cookie caches, which may contain active session tokens
  • Internet browsing history cache 
  • Authentication credentials from applications such as Steam, Telegram, Microsoft Outlook, and Skype
  • System configuration information and sensitive system files such as RDP and VPN credentials
  • Screenshots of an infected system’s desktop

Recent versions of AZORult use process injection, in particular process hollowing, along with living-off-the-land (LOTL) techniques to avoid detection by security tools. In other words, the malware runs its code inside legitimate processes and uses tools already present on Windows systems to achieve its objectives, so detections that rely on recognizing a malicious binary on disk see little.

Different versions of AZORult use various techniques to maintain persistence. One novel and stealthy method is to replace the Chrome browser's update component, GoogleUpdate.exe, with a malicious executable, so that the attacker's code runs whenever Google Update is invoked to check for updates. Because that happens on Google Update's own schedule, this technique does not reliably execute the malware immediately after a reboot, but it hides the persistence mechanism behind a legitimate, expected file instead of a new Run key or scheduled task.
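The following PowerShell, added here as an illustration and not taken from the article or from any AZORult sample analysis, audits the usual GoogleUpdate.exe locations for this file-replacement trick and lists the scheduled tasks that launch it. It assumes the standard Google Update install paths, that a genuine binary carries a valid Authenticode signature whose subject names Google as the organization, and that the ScheduledTasks module is available (Windows 8 / Server 2012 or later).

```powershell
# Added example (not code from the article): audit GoogleUpdate.exe for the
# file-replacement persistence technique described above.
# Assumed default Google Update install locations (machine-wide and per-user).
$candidatePaths = @(
    "${env:ProgramFiles(x86)}\Google\Update\GoogleUpdate.exe",
    "${env:ProgramFiles}\Google\Update\GoogleUpdate.exe",
    "${env:LOCALAPPDATA}\Google\Update\GoogleUpdate.exe"
)

function Test-GoogleUpdateIntegrity {
    param([string[]]$Paths = $candidatePaths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        # A swapped-in binary is usually unsigned, or signed by someone other than Google.
        # Assumption: the legitimate signer's subject contains 'O=Google' (LLC or Inc).
        $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Google')
        [pscustomobject]@{
            Path       = $p
            Status     = $sig.Status
            Signer     = $signer
            Sha256     = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Suspicious = $suspicious
        }
    }
}

function Get-GoogleUpdateTasks {
    # Scheduled tasks are what actually launch GoogleUpdate.exe; list any task whose
    # action runs a binary with that name so the path it points at can be checked too.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -and $action.Execute -match 'GoogleUpdate\.exe') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    Execute  = $action.Execute
                    Args     = $action.Arguments
                    State    = $task.State
                }
            }
        }
    }
}

Test-GoogleUpdateIntegrity | Format-Table -AutoSize
Get-GoogleUpdateTasks      | Format-Table -AutoSize
```

The signature check alone is not conclusive: an attacker can leave the file intact and instead retarget the task at a binary elsewhere, which is why the task actions are listed as well. Compare the SHA-256 against a copy from a known-clean host before treating a result as benign.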

Signs of an AZORult Attack

AZORult may be delivered in a malicious Microsoft Office document, so a document that asks for permission to run a VBA macro can indicate an active attack. AZORult may also use AutoIt scripts to automate Windows GUI interaction and launch its main payloads.

Like other malware strains, a typical AZORult infection reaches out to hardcoded C2 domains or IP addresses to exfiltrate stolen data, so monitoring network traffic for connections and POST requests to blocked destinations can identify an infection. Beyond that, AZORult's LOTL approach masks most of its activity as ordinary Windows system processes, primarily under the process name smpchost.exe. That name resembles the legitimate svchost.exe, which runs from %SystemRoot%\System32; a similarly named process launched from any other path is itself an indicator worth examining.
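The following PowerShell is an added example, not code from the article, that applies the two network-side points made above (the HTTP POST exfiltration in the C2 section and the blocked-destination monitoring here) to proxy logs. The log lines are constructed for illustration; 203.0.113.0/24 and the .invalid domain are reserved documentation values, and the log format, blocklist, allowlist and size threshold are assumptions to be replaced with the environment's own.

```powershell
# Added example (not code from the article): triage proxy logs for the kind of
# POST-based exfiltration described above. The log lines below are constructed
# for illustration; 203.0.113.0/24 and .invalid are reserved documentation values.
# Assumed log format: time client method url status bytes_out
$sampleLog = @'
2020-03-10T09:14:02Z 10.0.0.15 GET  https://www.example.com/index.html 200 512
2020-03-10T09:14:30Z 10.0.0.15 POST http://203.0.113.7/index.php 403 48213
2020-03-10T09:15:01Z 10.0.0.22 POST https://mail.example.com/owa/ 200 2210
2020-03-10T09:15:44Z 10.0.0.15 POST http://blocked-c2.invalid/gate.php 403 51900
'@ -split '\r?\n'

$blockedHosts     = @('blocked-c2.invalid')   # assumed: hosts on the proxy's blocklist
$allowedPostHosts = @('mail.example.com')     # assumed: hosts users legitimately upload to
$uploadThreshold  = 20000                      # bytes; tune to the environment

function Find-SuspiciousPosts {
    param(
        [string[]]$Lines,
        [string[]]$Blocked = $blockedHosts,
        [string[]]$Allowed = $allowedPostHosts,
        [int]$Threshold    = $uploadThreshold
    )
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 6 -or $f[2] -ne 'POST') { continue }
        $uri     = [uri]$f[3]
        $reasons = @()
        # A 403 from the proxy still means the endpoint tried to reach the destination.
        if ($Blocked -contains $uri.Host) { $reasons += 'blocked destination' }
        # Hardcoded C2 addresses often appear as raw IPs rather than names.
        if ($uri.HostNameType -eq 'IPv4' -or $uri.HostNameType -eq 'IPv6') { $reasons += 'raw IP host' }
        if ($Allowed -notcontains $uri.Host) { $reasons += 'POST to non-allowlisted host' }
        if ([int]$f[5] -ge $Threshold) { $reasons += 'large upload' }
        if ($reasons.Count -eq 0) { continue }
        [pscustomobject]@{
            Time     = $f[0]
            Client   = $f[1]
            Host     = $uri.Host
            Status   = $f[4]
            BytesOut = [int]$f[5]
            Reasons  = $reasons -join ', '
        }
    }
}

Find-SuspiciousPosts -Lines $sampleLog | Format-Table -AutoSize
```

Run against the sample, the two POSTs from 10.0.0.15 are flagged (one to a raw IP, one to a blocklisted host, both large) while the upload to the allowlisted mail server is not. Since the payload is compressed and encrypted, content inspection adds little here; destination, method and volume are the usable signals, and baselining which hosts users legitimately POST to is what keeps the allowlist check from drowning in noise.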

How to Prevent an AZORult Attack

  • Enforce multi-factor authentication for all critical services, especially those associated with online banking and cryptocurrency accounts, so that a stolen password alone is not enough to log in. Note that stolen browser cookies can carry active session tokens that bypass MFA, so invalidate sessions and reset credentials after a suspected infection
  • Ensure that only authorized, digitally signed software is installed on all endpoints; regularly scan for and block any unauthorized software from executing
  • Use a content proxy to monitor internet use and restrict user access to suspicious or risky sites
  • Provide user awareness training and stay up to date on phishing techniques; develop standard operating procedures (SOPs) for handling suspicious emails and documents
  • Configure Office applications to disable all macros without notification, or to disable all macros except digitally signed ones
  • Pay special attention to warning notifications in email clients and Office applications that alert you to suspicious contexts, such as files that have not been scanned for malware or contain VBA macros
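The macro hardening above can be enforced through the Office policy registry keys that Group Policy writes. The following PowerShell is an added example, not code from the article or from any vendor, and assumes Office 2016/2019/Microsoft 365 (the 16.0 policy key), the user-scope policy hive that Office reads for these settings, and the documented VBAWarnings values (2 = disable with notification, 3 = disable all except digitally signed, 4 = disable all without notification).

```powershell
# Added example (not code from the article): enforce the Office macro settings
# recommended above via the per-user Office policy keys, then read them back.
# Assumptions: Office 16.0 key (2016/2019/365); VBAWarnings 2 = disable with
# notification, 3 = disable all except digitally signed, 4 = disable all without
# notification. Run per user, or deploy the same values through GPO/Intune.
$apps = 'Word', 'Excel', 'PowerPoint'
$mode = 4   # 4 = disable all without notification; use 3 to allow signed macros only

function Set-OfficeMacroPolicy {
    param(
        [int]$VbaWarnings       = $mode,
        [string]$OfficeVersion  = '16.0',
        [string]$Hive           = 'HKCU'
    )
    foreach ($app in $apps) {
        $key = "${Hive}:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Macro execution mode for documents opened in this application.
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $VbaWarnings -Type DWord
        # Block macros outright in files carrying the Mark of the Web (downloads, mail attachments),
        # which covers the malspam and trojanized-download delivery paths described above.
        Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    param([string]$OfficeVersion = '16.0', [string]$Hive = 'HKCU')
    foreach ($app in $apps) {
        $key   = "${Hive}:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $props.VBAWarnings                        # $null = not configured
            BlockFromInternet = $props.BlockContentExecutionFromInternet  # $null = not configured
        }
    }
}

Set-OfficeMacroPolicy
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Because these keys live under Software\Policies, the settings are greyed out in the Trust Center rather than merely defaulted, so a user cannot click through a macro warning the way the lure documents described above depend on. Verify the result by opening a known macro-enabled test document: with mode 4 it should open with macros silently disabled and no enable prompt.
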

Threat actors use AZORult to steal system information, browsing history, cookies, IDs and passwords saved in browsers, cryptocurrency information and more. CylanceOPTICS® uses artificial intelligence-based agents trained for threat detection on millions of both safe and unsafe files. This allows it to spot a threat based on countless file attributes rather than a specific file signature, and so to block AZORult.