The Azorult malware, which first appeared in 2016, has resurfaced on the dark web with a renewed and sophisticated approach. This powerful information-stealing threat specializes in extracting sensitive data such as browsing history, login credentials, and cryptocurrency details. Cyble Research & Intelligence Labs (CRIL) recently discovered several PDF files leading to the final payload for Azorult, shedding light on the campaign’s techniques, features, infection chain, and evasion methods.
Azorult, originating from Russian underground forums, functions as both an information stealer and a downloader for additional threats. This malware is designed to clandestinely harvest a diverse range of sensitive information from compromised systems. The campaign involves a zip file containing a malicious shortcut file masquerading as a PDF document, which triggers a chain of events leading to the deployment of the Azorult payload.
The infection chain orchestrated by the Azorult campaign follows a meticulous multistage process to avoid detection. The campaign’s complexity lies in its ability to adapt dynamically, making analysis and detection challenging. The loader executable, known as “helper.exe,” performs checks to ensure it is running in a legitimate environment and extracts a unique machine identifier before communicating with command-and-control servers.
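As an added defender-side example (not code from the Cyble report or from the campaign), the following Python script inspects a zip archive in memory and flags the lure described above: a Windows shortcut whose name ends in a document extension, so that Explorer hides the `.lnk` suffix and displays it as a PDF. The archive members are constructed for the demonstration; the Shell Link header constant is the fixed value from the MS-SHLLINK specification.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Every Windows Shell Link (.lnk) starts with HeaderSize 0x4C followed by the
# fixed LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK section 2.1).
LNK_MAGIC = (b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00"
             b"\xc0\x00\x00\x00\x00\x00\x00\x46")
PDF_MAGIC = b"%PDF-"
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def classify_entry(name: str, head: bytes) -> Optional[str]:
    """Return a finding for one archive member, or None if it looks benign."""
    lower = name.lower()
    if head.startswith(LNK_MAGIC):
        stem = lower[:-4] if lower.endswith(".lnk") else lower
        if stem.endswith(DOC_EXTENSIONS):
            # "Invoice.pdf.lnk": Explorer hides the .lnk suffix and shows
            # "Invoice.pdf", which is the lure used in this campaign.
            return "shortcut disguised as document"
        return "windows shortcut in archive"
    if lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
        return "pdf extension but non-pdf content"
    return None


def scan_archive(archive_bytes: bytes) -> List[Tuple[str, str]]:
    """Inspect each member of an in-memory zip; return (name, reason) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)  # header bytes are enough to sniff the type
            reason = classify_entry(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a disguised shortcut, a real PDF and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")
        zf.writestr("readme.txt", b"plain text, nothing to see\n")
    return buf.getvalue()
```

Running `scan_archive(build_sample_archive())` reports only the disguised shortcut; content sniffing rather than the file name decides, so a member named plainly `Invoice.pdf` that carries shortcut bytes is flagged the same way.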
The ultimate payload, a 32-bit Azorult .Net executable, exhibits a range of malicious activities, including generating cryptographic keys, performing system checks, and targeting crypto wallets, browsers, and various applications. Azorult goes beyond data theft by capturing screenshots, building a comprehensive profile of the compromised system.
The resurgence of the Azorult malware in this complex campaign highlights the ongoing threat it poses to cybersecurity. With its ability to adapt, employ obfuscation techniques, and execute entirely within the system’s memory, Azorult remains a formidable adversary.